ronin-code-sql 2.0.0.beta1

data/lib/ronin/code/sql/version.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+#
+# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-code-sql is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-code-sql is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-code-sql.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+module Ronin
+  module Code
+    module SQL
+      # Ronin SQL version
+      VERSION = '2.0.0.beta1'
+    end
+  end
+end

data/lib/ronin/code/sql.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+#
+# ronin-code-sql - A Ruby DSL for crafting SQL Injections.
+#
+# Copyright (c) 2007-2022 Hal Brodigan (postmodern.mod3 at gmail.com)
+#
+# ronin-code-sql is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# ronin-code-sql is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with ronin-code-sql.  If not, see <https://www.gnu.org/licenses/>.
+#
+
+require 'ronin/code/sql/statement_list'
+require 'ronin/code/sql/injection'
+
+module Ronin
+  module Code
+    #
+    # Provides a Domain Specific Language (DSL) for crafting complex
+    # {StatementList SQL} and SQL {Injection Injections} (SQLi).
+    #
+    # @see http://en.wikipedia.org/wiki/SQL_injection
+    #
+    module SQL
+
+      #
+      # Creates a new SQL statement list.
+      #
+      # @yield [(statements)]
+      #   If a block is given, it will be evaluated within the statement list.
+      #   If the block accepts an argument, the block will be called with the
+      #   new statement list.
+      #
+      # @yieldparam [StatementList] statements
+      #   The new statement list.
+      #
+      # @return [StatementList]
+      #   The new SQL statement list.
+      #
+      # @example
+      #   sql { select(1,2,3,4,id).from(users) }
+      #   # => #<Ronin::Code::SQL::StatementList: SELECT (1,2,3,4,id) FROM users>
+      #
+      # @api public
+      #
+      def sql(&block)
+        StatementList.new(&block)
+      end
+
+      #
+      # Creates a new SQL injection (SQLi)
+      #
+      # @param [Hash{Symbol => Object}] kwargs
+      #   Additional keyword arguments for {Injection#initialize}.
+      #
+      # @option kwargs [:integer, :decimal, :string, :column] :escape
+      #   The type of element to escape out of.
+      #
+      # @option kwargs [Boolean] :terminate
+      #   Specifies whether to terminate the SQLi with a comment.
+      #
+      # @option kwargs [String, Symbol, Integer] :place_holder
+      #   Place-holder data.
+      #
+      # @yield [(injection)]
+      #   If a block is given, it will be evaluated within the injection.
+      #   If the block accepts an argument, the block will be called with the
+      #   new injection.
+      #
+      # @yieldparam [Injection] injection
+      #   The new injection.
+      #
+      # @return [Injection]
+      #   The new SQL injection.
+      #
+      # @example
+      #   sqli { self.and { 1 == 1 }.select(1,2,3,4,id).from(users) }
+      #   # => #<Ronin::Code::SQL::Injection: 1 AND 1=1; SELECT (1,2,3,4,id) FROM users; SELECT (1,2,3,4,id) FROM users>
+      #
+      # @api public
+      #
+      def sqli(**kwargs,&block)
+        Injection.new(**kwargs,&block)
+      end
+
+    end
+  end
+end

data/ronin-code-sql.gemspec

@@ -0,0 +1,62 @@
+# encoding: utf-8
+
+require 'yaml'
+
+Gem::Specification.new do |gem|
+  gemspec = YAML.load_file('gemspec.yml')
+
+  gem.name    = gemspec.fetch('name')
+  gem.version = gemspec.fetch('version') do
+                  lib_dir = File.join(File.dirname(__FILE__),'lib')
+                  $LOAD_PATH << lib_dir unless $LOAD_PATH.include?(lib_dir)
+
+                  require 'ronin/code/sql/version'
+                  Ronin::Code::SQL::VERSION
+                end
+
+  gem.summary     = gemspec['summary']
+  gem.description = gemspec['description']
+  gem.licenses    = Array(gemspec['license'])
+  gem.authors     = Array(gemspec['authors'])
+  gem.email       = gemspec['email']
+  gem.homepage    = gemspec['homepage']
+  gem.metadata    = gemspec['metadata'] if gemspec['metadata']
+
+  glob = lambda { |patterns| gem.files & Dir[*patterns] }
+
+  gem.files  = `git ls-files`.split($/)
+  gem.files  = glob[gemspec['files']] if gemspec['files']
+  gem.files += Array(gemspec['generated_files'])
+
+  gem.executables = gemspec.fetch('executables') do
+    glob['bin/*'].map { |path| File.basename(path) }
+  end
+  gem.default_executable = gem.executables.first if Gem::VERSION < '1.7.'
+
+  gem.extensions       = glob[gemspec['extensions'] || 'ext/**/extconf.rb']
+  gem.test_files       = glob[gemspec['test_files'] || 'spec/{**/}*_spec.rb']
+  gem.extra_rdoc_files = glob[gemspec['extra_doc_files'] || '*.{txt,md}']
+
+  gem.require_paths = Array(gemspec.fetch('require_paths') {
+    %w[ext lib].select { |dir| File.directory?(dir) }
+  })
+
+  gem.requirements              = gemspec['requirements']
+  gem.required_ruby_version     = gemspec['required_ruby_version']
+  gem.required_rubygems_version = gemspec['required_rubygems_version']
+  gem.post_install_message      = gemspec['post_install_message']
+
+  split = lambda { |string| string.split(/,\s*/) }
+
+  if gemspec['dependencies']
+    gemspec['dependencies'].each do |name,versions|
+      gem.add_dependency(name,split[versions])
+    end
+  end
+
+  if gemspec['development_dependencies']
+    gemspec['development_dependencies'].each do |name,versions|
+      gem.add_development_dependency(name,split[versions])
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+require 'rspec'
+require 'simplecov'
+SimpleCov.start

data/spec/sql/binary_expr_examples.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+require 'ronin/code/sql/binary_expr'
+
+shared_examples_for "BinaryExpr" do |method,operator=method|
+  describe "##{method}" do
+    let(:operand) { 1 }
+    let(:expr)    { subject.send(method,operand) }
+
+    it "should be a BinaryExpr" do
+      expect(expr).to be_kind_of(Ronin::Code::SQL::BinaryExpr)
+    end
+
+    it "should set the left-hand side operand" do
+      expect(expr.left).to eq(subject)
+    end
+
+    it "should have a '#{operator}' operator" do
+      expect(expr.operator).to eq(operator)
+    end
+
+    it "should set the right-hand side operand" do
+      expect(expr.right).to eq(operand)
+    end
+  end
+end

data/spec/sql/binary_expr_spec.rb

@@ -0,0 +1,5 @@
+require 'spec_helper'
+require 'ronin/code/sql/binary_expr'
+
+describe Ronin::Code::SQL::BinaryExpr do
+end

data/spec/sql/clause_examples.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+shared_examples_for "Clause" do |method,keyword,argument_or_block=nil|
+  describe "##{method}" do
+    case argument_or_block
+    when Proc
+      before { subject.send(method,&argument_or_block) }
+    when Array
+      let(:arguments) { argument_or_block }
+
+      before { subject.send(method,*arguments) }
+    when NilClass
+      before { subject.send(method) }
+    else
+      let(:argument) { argument_or_block }
+
+      before { subject.send(method,argument) }
+    end
+
+    it "should add a #{keyword} clause" do
+      expect(clause.keyword).to eq(keyword)
+    end
+
+    case argument_or_block
+    when Proc
+      it "should accept a block" do
+        expect(clause.argument).not_to be_nil
+      end
+    when NilClass
+      it "should not have an argument" do
+        expect(clause.argument).to be_nil
+      end
+    when Array
+      it "should accept an argument" do
+        expect(clause.argument).to eq(arguments)
+      end
+    else
+      it "should accept an argument" do
+        expect(clause.argument).to eq(argument)
+      end
+    end
+  end
+end

data/spec/sql/clause_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+require 'ronin/code/sql/clause'
+
+describe Ronin::Code::SQL::Clause do
+  describe "#initialize" do
+    context "when given an argument" do
+      let(:argument) { 1 }
+
+      subject { described_class.new(:CLAUSE,argument) }
+
+      it "should set the argument" do
+        expect(subject.argument).to eq(argument)
+      end
+    end
+
+    context "when given a block" do
+      subject do
+        described_class.new(:CLAUSE) { 1 }
+      end
+
+      it "should use the return value as the argument" do
+        expect(subject.argument).to eq(1)
+      end
+
+      context "that accepts an argument" do
+        it "should yield itself" do
+        end
+      end
+    end
+  end
+end

data/spec/sql/clauses_spec.rb

@@ -0,0 +1,47 @@
+require 'spec_helper'
+require 'sql/clause_examples'
+require 'ronin/code/sql/clause'
+require 'ronin/code/sql/clauses'
+
+describe Ronin::Code::SQL::Clauses do
+  subject { Object.new.extend(described_class) }
+
+  let(:clause) { subject.clauses.last }
+
+  it { expect(subject.clauses).to be_empty }
+
+  describe "#clause" do
+    let(:keyword) { :EXEC }
+
+    before { subject.clause(keyword) }
+
+    it "should add an arbitrary clause" do
+      expect(clause.keyword).to eq(keyword)
+    end
+  end
+
+  include_examples "Clause", :from, :FROM, :table
+  include_examples "Clause", :into, :INTO, :table
+  include_examples "Clause", :where, :WHERE, proc { id == 1 }
+  include_examples "Clause", :join, :JOIN, :table
+  include_examples "Clause", :inner_join, [:INNER, :JOIN], :table
+  include_examples "Clause", :left_join, [:LEFT, :JOIN], :table
+  include_examples "Clause", :right_join, [:RIGHT, :JOIN], :table
+  include_examples "Clause", :full_join, [:FULL, :JOIN], :table
+  include_examples "Clause", :on, :ON, proc { id == 1 }
+  include_examples "Clause", :union, :UNION, proc { select(:*).from(:table) }
+  include_examples "Clause", :union_all, [:UNION, :ALL], proc {
+                               select(:*).from(:table)
+                             }
+  include_examples "Clause", :group_by, [:GROUP, :BY], [:column1, :column2]
+  include_examples "Clause", :having, :HAVING, proc { max(priv) > 100 }
+  include_examples "Clause", :limit, :LIMIT, 100
+  include_examples "Clause", :offset, :OFFSET, 20
+  include_examples "Clause", :top, :TOP, 50
+  include_examples "Clause", :into, :INTO, :table
+  include_examples "Clause", :values, :VALUES, [1,2,3,4]
+  include_examples "Clause", :default_values, [:DEFAULT, :VALUES]
+  include_examples "Clause", :set, :SET, {x: 1, y: 2}
+  include_examples "Clause", :indexed_by, [:INDEXED, :BY], :index_name
+  include_examples "Clause", :not_indexed, [:NOT, :INDEXED]
+end

data/spec/sql/emittable_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'ronin/code/sql/emittable'
+require 'ronin/code/sql/literal'
+
+describe Ronin::Code::SQL::Emittable do
+  subject { Ronin::Code::SQL::Literal.new('hello') }
+
+  describe "#emitter" do
+    it "should return an Ronin::Code::SQL::Emitter" do
+      expect(subject.emitter).to be_kind_of(Ronin::Code::SQL::Emitter)
+    end
+
+    it "should accept Emitter options" do
+      expect(subject.emitter(case: :lower).case).to eq(:lower)
+    end
+  end
+
+  describe "#to_sql" do
+    it "should emit the object" do
+      expect(subject.to_sql).to eq("'hello'")
+    end
+
+    context "when given options" do
+      it "should pass them to #emitter" do
+        expect(subject.to_sql(quotes: :double)).to eq('"hello"')
+      end
+    end
+  end
+
+  describe "#to_s" do
+    it "should call #to_sql with no arguments" do
+      expect(subject.to_s).to eq(subject.to_sql)
+    end
+  end
+
+  describe "#inspect" do
+    it "should call #to_sql with no arguments" do
+      expect(subject.inspect).to include(subject.to_sql)
+    end
+  end
+end