wafrift-oracle 0.2.4

Payload validity oracles for SQL, SSRF, path traversal, command injection, and template injection.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

//! SQL AST Oracle.
//!
//! Provides mathematically rigorous syntactic validation of SQL injections
//! against actual database parsers. Instead of guessing if a mutated
//! payload works based on regex, we compile it locally to an AST.
//! If it compiles, the backend Database will accept it.

use sqlparser::dialect::{GenericDialect, MySqlDialect, PostgreSqlDialect};
use sqlparser::parser::Parser;

/// The target SQL database dialect for AST validation.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DatabaseDialect {
    /// Generic ANSI SQL
    Generic,
    /// MySQL/MariaDB
    MySql,
    /// `PostgreSQL`
    PostgreSql,
}

/// Evaluates if a given SQL fragment is syntactically valid when injected into an expression context.
///
/// Wraps the fragment into a mock query to provide context for the AST parser.
#[must_use]
pub fn is_valid_expression_injection(fragment: &str, dialect: DatabaseDialect) -> bool {
    let query = format!("SELECT * FROM mock_table WHERE id = {fragment}");
    let result = match dialect {
        DatabaseDialect::Generic => Parser::parse_sql(&GenericDialect {}, &query),
        DatabaseDialect::MySql => Parser::parse_sql(&MySqlDialect {}, &query),
        DatabaseDialect::PostgreSql => Parser::parse_sql(&PostgreSqlDialect {}, &query),
    };

    // If the parser successfully builds an AST, the injection is structurally pristine.
    result.is_ok()
}

/// Evaluates if a given SQL fragment is syntactically valid as a raw query.
#[must_use]
pub fn is_valid_query(query: &str, dialect: DatabaseDialect) -> bool {
    let result = match dialect {
        DatabaseDialect::Generic => Parser::parse_sql(&GenericDialect {}, query),
        DatabaseDialect::MySql => Parser::parse_sql(&MySqlDialect {}, query),
        DatabaseDialect::PostgreSql => Parser::parse_sql(&PostgreSqlDialect {}, query),
    };

    result.is_ok()
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn valid_sql_fragment_parses() {
        // Classic bypass evaluates to true
        assert!(is_valid_expression_injection(
            "1 OR 1=1 --",
            DatabaseDialect::Generic
        ));

        // Multi-line comment obfuscation
        assert!(is_valid_expression_injection(
            "1/**/OR/**/1=1",
            DatabaseDialect::MySql
        ));
    }

    #[test]
    fn invalid_sql_fragment_fails() {
        // MCTS might accidentally generate incomplete syntax
        assert!(!is_valid_expression_injection(
            "1 OR 1=/**/",
            DatabaseDialect::Generic
        ));
        assert!(!is_valid_expression_injection(
            "1 O R 1=1",
            DatabaseDialect::Generic
        ));
    }
}