ronin-code-sql 2.0.0.beta1 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc5de90b2961287f9110ba16c922ad1b8e787563d7fb93a075834cb6935b2da9
-  data.tar.gz: 61e12da2b15fa8306677b1f0bcaa1c1b973512bb5339e162af7eca6f15fdfb19
+  metadata.gz: 8ef7433a57468588fad1becd6d4bc48e5e9a63ec137ff6f6e4ae8be967654267
+  data.tar.gz: 218ff08b369ef3287e22f59f0274b23e27685ae4812db11aff064485be14c3e6
 SHA512:
-  metadata.gz: 43387545e4de6ca18387df0ac5a8af970b0b99ce6fc0300094e61bc2898351dbeae176bd66ab0e097cf0028e164cf8c19c8841787839b71a8e964627b53be9c3
-  data.tar.gz: 3b057ebcd0be473896562afb5d4159ab9930c1a0008f789f3c8473991b452eee485b0dfa8351b02401945b0b9c2777d21257e325ed5bd823ab1685a10e617109
+  metadata.gz: 6b8b697faf3a989d20c174975cee3a2a1d674f6e0154583e7906987b048a6fd000a4d8c1491fac55297a7fbe72e46fc9eb04b6d71fe4fec0f4a036dbfa122db3
+  data.tar.gz: f474ebf13c229500a6117fce4f23b06d7072de914c257b76aeded05d2c801a0ecf4b92e397ba674b6ec68e82d48888f9639f709bcd8444dd88449bc532868b84

data/.github/workflows/ruby.yml

@@ -21,7 +21,22 @@ jobs:
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
       - name: Install dependencies
         run: bundle install --jobs 4 --retry 3
       - name: Run tests
         run: bundle exec rake test
+
+  # rubocop linting
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run rubocop
+        run: bundle exec rubocop --parallel

data/.rubocop.yml

@@ -0,0 +1,13 @@
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 3.1
+
+inherit_gem:
+  rubocop-ronin: rubocop.yml
+
+#
+# ronin-code-sql specific exceptions
+#
+Lint/BinaryOperatorWithIdenticalOperands: { Exclude: ['spec/**/*_spec.rb'] }
+Naming/MethodParameterName: { Exclude: ['lib/ronin/code/sql/functions.rb'] }

data/.yardopts

@@ -1 +1 @@
---markup markdown --title 'Ronin SQL Documentation' --protected
+--markup markdown --title 'Ronin::Code::SQL Documentation' --protected

data/ChangeLog.md

@@ -1,4 +1,13 @@
-### 2.0.0 / 2023-XX-XX
+### 2.1.0 / 2023-06-26
+
+* Added {Ronin::Code::SQL::Mixin}.
+* Added {Ronin::Code::SQLI} as an alias for {Ronin::Code::SQL::Injection}.
+* Added support for the `syntax:` and `comment:` keyword arguments to
+  {Ronin::Code::SQL::Statement#to_sql} and {Ronin::Code::SQL::Injection#to_sql}.
+* Added {Ronin::Code::SQL::Clauses#order_by}.
+* Added {Ronin::Code::SQL::Emitter#emit_comment}.
+
+### 2.0.0 / 2023-02-01
 
 * Require `ruby` >= 3.0.0.
 * Added [ronin-support] ~> 0.1 as a dependency.

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec
@@ -25,4 +27,6 @@ group :development do
   gem 'dead_end',        require: false
   gem 'sord',            require: false, platform: :mri
   gem 'stackprof',       require: false, platform: :mri
+  gem 'rubocop',         require: false, platform: :mri
+  gem 'rubocop-ronin',   require: false, platform: :mri
 end

data/README.md

@@ -2,6 +2,7 @@
 
 [![CI](https://github.com/ronin-rb/ronin-code-sql/actions/workflows/ruby.yml/badge.svg)](https://github.com/ronin-rb/ronin-code-sql/actions/workflows/ruby.yml)
 [![Code Climate](https://codeclimate.com/github/ronin-rb/ronin-code-sql.svg)](https://codeclimate.com/github/ronin-rb/ronin-code-sql)
+[![Gem Version](https://badge.fury.io/rb/ronin-code-sql.svg)](https://badge.fury.io/rb/ronin-code-sql)
 
 * [Source](https://github.com/ronin-rb/ronin-code-sql)
 * [Issues](https://github.com/ronin-rb/ronin-code-sql/issues)
@@ -60,7 +61,7 @@ string.sql_decode
 Injecting a `1=1` test into a Integer comparison:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.or { 1 == 1 }
 puts sqli
 # 1 OR 1=1
@@ -69,7 +70,7 @@ puts sqli
 Injecting a `1=1` test into a String comparison:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new(escape: :string)
+sqli = Ronin::Code::SQLI.new(escape: :string)
 sqli.or { string(1) == string(1) }
 puts sqli
 # 1' OR '1'='1
@@ -78,7 +79,7 @@ puts sqli
 Columns:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and { admin == 1 }
 puts sqli
 # 1 AND admin=1
@@ -87,7 +88,7 @@ puts sqli
 Clauses:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.or { 1 == 1 }.limit(0)
 puts sqli
 # 1 OR 1=1 LIMIT 0
@@ -96,7 +97,7 @@ puts sqli
 Statements:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and { 1 == 0 }
 sqli.insert.into(:users).values('hacker','passw0rd','t')
 puts sqli
@@ -106,7 +107,7 @@ puts sqli
 Sub-Statements:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.union { select(1,2,3,4,id).from(users) }
 puts sqli
 # 1 UNION SELECT (1,2,3,4,id) FROM users
@@ -115,25 +116,25 @@ puts sqli
 Test if a table exists:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and { select(count).from(:users) == 1 }
 puts sqli
 # 1 AND (SELECT COUNT(*) FROM users)=1
 ```
 
-Create errors by using non-existant tables:
+Create errors by using non-existent tables:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new(escape: :string)
-sqli.and { non_existant_table == '1' }
+sqli = Ronin::Code::SQLI.new(escape: :string)
+sqli.and { non_existent_table == '1' }
 puts sqli
-# 1' AND non_existant_table='1
+# 1' AND non_existent_table='1
 ```
 
 Dumping all values of a column:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new(escape: :string)
+sqli = Ronin::Code::SQLI.new(escape: :string)
 sqli.or { username.is_not(null) }.or { username == '' }
 puts sqli
 # 1' OR username IS NOT NULL OR username='
@@ -142,7 +143,7 @@ puts sqli
 Enumerate through database table names:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and {
   ascii(
     lower(
@@ -159,7 +160,7 @@ puts sqli
 Find user supplied tables via the `sysObjects` table:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.union_all {
   select(1,2,3,4,5,6,name).from(sysObjects).where { xtype == 'U' }
 }
@@ -170,12 +171,21 @@ puts sqli.to_sql(terminate: true)
 Bypass filters using `/**/` instead of spaces:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.union { select(1,2,3,4,id).from(users) }
 puts sqli.to_sql(space: '/**/')
 # 1/**/UNION/**/SELECT/**/(1,2,3,4,id)/**/FROM/**/users
 ```
 
+Bypass filters using MySQL `#` comments:
+
+```ruby
+sqli = Ronin::Code::SQLI.new
+sqli.or { 1 == 1 }
+puts sqli.to_sql(terminate: true, comment: '#')
+# 1 OR 1=1 OR 1=1;#
+```
+
 ## Requirements
 
 * [Ruby] >= 3.0.0
@@ -191,7 +201,7 @@ $ gem install ronin-code-sql
 
 ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 
-Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 ronin-code-sql is free software: you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published

data/Rakefile

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rubygems'
 
 begin

data/gemspec.yml

@@ -10,16 +10,16 @@ homepage: https://github.com/ronin-rb/ronin-code-sql#readme
 has_yard: true
 
 metadata:
-  documentation_uri: https://rubydoc.info/gems/ronin-code-sql
+  documentation_uri: https://ronin-rb.dev/docs/ronin-code-sql
   source_code_uri:   https://github.com/ronin-rb/ronin-code-sql
   bug_tracker_uri:   https://github.com/ronin-rb/ronin-code-sql/issues
-  changelog_uri:     https://github.com/ronin-rb/ronin-code-sql/blob/master/ChangeLog.md
+  changelog_uri:     https://github.com/ronin-rb/ronin-code-sql/blob/main/ChangeLog.md
   rubygems_mfa_required: 'true'
 
 required_ruby_version: ">= 3.0.0"
 
 dependencies:
-  ronin-support: ~> 1.0.0.beta1
+  ronin-support: ~> 1.0
 
 development_dependencies:
   bundler: ~> 2.0

data/lib/ronin/code/sql/binary_expr.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -29,11 +29,44 @@ module Ronin
       #
       # @api semipublic
       #
-      class BinaryExpr < Struct.new(:left,:operator,:right)
+      class BinaryExpr
 
         include Operators
         include Emittable
 
+        # The left-hand side of the binary expression.
+        #
+        # @return [Statement, Function, BinaryExpr, Field, Literal]
+        attr_reader :left
+
+        # The binary expression's operator.
+        #
+        # @return [Symbol]
+        attr_reader :operator
+
+        # The right-hand side of the binary expression.
+        #
+        # @return [Object]
+        attr_reader :right
+
+        #
+        # Initializes the binary expression.
+        #
+        # @param [Statement, Function, BinaryExpr, Field, Literal] left
+        #   The left-hand side of the binary expression.
+        #
+        # @param [Symbol] operator
+        #   The binary expression's operator.
+        #
+        # @param [Object] right
+        #   The right-hand side of the binary expression.
+        #
+        def initialize(left,operator,right)
+          @left     = left
+          @operator = operator
+          @right    = right
+        end
+
         #
         # Converts the binary expression to SQL.
         #

data/lib/ronin/code/sql/clause.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -33,7 +33,7 @@ module Ronin
       #
       # @api semipublic
       #
-      class Clause < Struct.new(:keyword,:argument)
+      class Clause
 
         include Literals
         include Fields
@@ -41,13 +41,23 @@ module Ronin
         include Statements
         include Emittable
 
+        # The name of the clause.
+        #
+        # @return [Symbol]
+        attr_reader :keyword
+
+        # The clause's argument.
+        #
+        # @return [Object, nil]
+        attr_reader :argument
+
         #
         # Initializes the SQL clause.
         #
         # @param [Symbol] keyword
         #   The name of the clause.
         #
-        # @param [Object] argument
+        # @param [Object, nil] argument
         #   Additional argument for the clause.
         #
         # @yield [(clause)]
@@ -58,13 +68,14 @@ module Ronin
         #   Otherwise the block will be evaluated within the clause.
         #
         def initialize(keyword,argument=nil,&block)
-          super(keyword,argument)
+          @keyword  = keyword
+          @argument = argument
 
           if block
-            self.argument = case block.arity
-                            when 0 then instance_eval(&block)
-                            else        block.call(self)
-                            end
+            @argument = case block.arity
+                        when 0 then instance_eval(&block)
+                        else        block.call(self)
+                        end
           end
         end
 

data/lib/ronin/code/sql/clauses.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -75,7 +75,7 @@ module Ronin
         #
         # Appends an `INTO` clause.
         #
-        # @param [Field, Symbol] table
+        # @param [Field, Symbol, nil] table
         #   The table to insert into.
         #
         # @return [self]
@@ -194,6 +194,20 @@ module Ronin
           clause([:GROUP, :BY],columns,&block)
         end
 
+        #
+        # Appends a `ORDER BY` clause.
+        #
+        # @param [Array<Field, Symbol>] columns
+        #   The columns for `ORDER BY`.
+        #
+        # @return [self]
+        #
+        # @since 2.1.0
+        #
+        def order_by(*columns,&block)
+          clause([:ORDER, :BY],columns,&block)
+        end
+
         #
         # Appends a `HAVING` clause.
         #
@@ -231,7 +245,7 @@ module Ronin
         # Appends a `TOP` clause.
         #
         # @param [Integer] value
-        #   The number of top rows to select. 
+        #   The number of top rows to select.
         #
         # @return [self]
         #
@@ -239,18 +253,6 @@ module Ronin
           clause(:TOP,value,&block)
         end
 
-        #
-        # Appends a `INTO` clause.
-        #
-        # @param [Field, Symbol] table
-        #   The table to insert/replace into.
-        #
-        # @return [self]
-        #
-        def into(table)
-          clause(:INTO,table)
-        end
-
         #
         # Appends a `VALUES` clause.
         #

data/lib/ronin/code/sql/emittable.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -36,7 +36,7 @@ module Ronin
         #   Additional keyword arguments for {Emitter#initialize}.
         #
         # @api private
-        #   
+        #
         def emitter(**kwargs)
           Emitter.new(**kwargs)
         end
@@ -56,6 +56,13 @@ module Ronin
         # @option kwargs [:single, :double] :quotes (:single)
         #   Type of quotes to use for Strings.
         #
+        # @option kwargs [nil, :mysql, :postgres, :oracle, :mssql] :syntax
+        #   Specific SQL syntax to use.
+        #
+        # @option kwargs [nil, String] :comment
+        #   Optional String to use as the SQL comment when terminating
+        #   injection string
+        #
         # @return [String]
         #   The raw SQL.
         #

data/lib/ronin/code/sql/emitter.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -31,14 +31,30 @@ module Ronin
       class Emitter
 
         # The case to use when emitting keywords
+        #
+        # @return [:lower, :upper, :random, nil]
         attr_reader :case
 
         # String to use for white-space
+        #
+        # @return [String]
         attr_reader :space
 
         # Type of String quotes to use
+        #
+        # @return [:single, :double]
         attr_reader :quotes
 
+        # Generate DB-specific code
+        #
+        # @return [nil, :mysql, :postgres, :oracle, :mssql]
+        attr_reader :syntax
+
+        # String to use as 'comment' or `nil` to let the emitter decide
+        #
+        # @return [String, nil]
+        attr_reader :comment
+
         #
         # Initializes the SQL Emitter.
         #
@@ -48,16 +64,24 @@ module Ronin
         # @param [:single, :double] quotes
         #   Type of quotes to use for Strings.
         #
+        # @param [nil, :mysql, :postgres, :oracle, :mssql] syntax
+        #   Syntax used during code-generation
+        #
+        # @param [nil, String] comment
+        #   String to use as the comment when terminating injection string
+        #
         # @param [Hash{Symbol => Object}] kwargs
         #   Emitter options.
         #
         # @option kwargs [:lower, :upper, :random, nil] :case
         #   Case for keywords.
         #
-        def initialize(space: ' ', quotes: :single, **kwargs)
-          @case   = kwargs[:case] # HACK: because `case` is a ruby keyword
-          @space  = space
-          @quotes = quotes
+        def initialize(space: ' ', quotes: :single, syntax: nil, comment: nil, **kwargs)
+          @case    = kwargs[:case] # HACK: because `case` is a ruby keyword
+          @syntax  = syntax
+          @comment = comment
+          @space   = space
+          @quotes  = quotes
         end
 
         #
@@ -70,36 +94,37 @@ module Ronin
         #   The raw SQL.
         #
         def emit_keyword(keyword)
-          keyword = Array(keyword).join(@space)
+          string = Array(keyword).join(@space)
 
           case @case
-          when :upper  then keyword.upcase
-          when :lower  then keyword.downcase
+          when :upper  then string.upcase
+          when :lower  then string.downcase
           when :random
-            keyword.tap do
-              (keyword.length / 2).times do
-                index = rand(keyword.length)
-                keyword[index] = keyword[index].swapcase
+            string.tap do
+              (string.length / 2).times do
+                index = rand(string.length)
+
+                string[index] = string[index].swapcase
               end
             end
           else
-            keyword
+            string
           end
         end
 
         #
         # Emits a SQL operator.
         #
-        # @param [Array<Symbol>, Symbol] op
+        # @param [Array<Symbol>, Symbol] operator
         #   The operator symbol.
         #
         # @return [String]
         #   The raw SQL.
         #
-        def emit_operator(op)
-          case op
-          when /^\W+$/          then op.to_s
-          else                       emit_keyword(op)
+        def emit_operator(operator)
+          case operator
+          when /^\W+$/ then operator.to_s
+          else              emit_keyword(operator)
           end
         end
 
@@ -132,6 +157,19 @@ module Ronin
           "1=1"
         end
 
+        #
+        # Emits a SQL comment.
+        #
+        # @return [String]
+        #   The raw SQL.
+        #
+        # @since 2.1.0
+        #
+        def emit_comment
+          # Return chosen comment or default one which works everywhere
+          @comment || '-- '
+        end
+
         #
         # Emits a SQL Integer.
         #
@@ -200,7 +238,7 @@ module Ronin
         #   The raw SQL.
         #
         def emit_list(list)
-          '(' + list.map { |element| emit(element) }.join(',') + ')'
+          "(#{list.map { |element| emit(element) }.join(',')})"
         end
 
         #
@@ -250,7 +288,8 @@ module Ronin
 
           case expr
           when BinaryExpr
-            left, right = emit_argument(expr.left), emit_argument(expr.right)
+            left  = emit_argument(expr.left)
+            right = emit_argument(expr.right)
 
             case op
             when /^\W+$/ then "#{left}#{op}#{right}"
@@ -366,16 +405,16 @@ module Ronin
           sql = emit_keyword(stmt.keyword)
 
           unless stmt.argument.nil?
-            case stmt.argument
-            when Array
-              sql << @space << if stmt.argument.length == 1
+            sql << @space << case stmt.argument
+                             when Array
+                               if stmt.argument.length == 1
                                  emit_argument(stmt.argument[0])
                                else
                                  emit_list(stmt.argument)
                                end
-            else
-              sql << @space << emit_argument(stmt.argument)
-            end
+                             else
+                               emit_argument(stmt.argument)
+                             end
           end
 
           unless stmt.clauses.empty?