ronin-code-sql 2.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bebb1935967905988d415c412fa1a88b3e8785da8ec9c22cfcd9e9a9ec4a7a34
-  data.tar.gz: dd91249093d87d6d351fd4f4a766010e053ed780b419e5e370395e5d168a1d1f
+  metadata.gz: 0165dc3946e79bbbe0485338ff3c428f79f5eb28e35efc20fab1d2a0c92eb0d6
+  data.tar.gz: 6fc74345c7179f833eec309052ff8c8cccacbf5e98ac29267e50443f3dd2af4c
 SHA512:
-  metadata.gz: efdbd2b72acd2d75865109d0b803c5a65681085c7fd76cef7c630da3fade71326aa982328cf0ec2dc30ca4e4929f3a52b767872405dc1584246629da1f94ccc3
-  data.tar.gz: c8fec6e491e0cea640b18ea4be2d4ff479e679f15eaddaafbbc07b17b28fe1c8a3a32b96243237f2904850dae3397bcc8c4a3ed45b5fb3c109a0dd28a4104b3f
+  metadata.gz: 7bd8f7552183364ab26f237413935ca10e0772acf2d3a62b4634ada80de19a02532c22ee9aa9a41e764d4c4ccc522ce1e66dad1d7fb4e6df77879516d93ec2e8
+  data.tar.gz: bb5767cac1ba1fe4ae7fc68b30477f0e6e862c0fc2831fd142124eeabb1d2038f4c00148c3ac3ec599d257c9e247ca9b7248903e71e79ce1bc11d5bde2a9bc6b

data/.github/workflows/ruby.yml

@@ -12,11 +12,13 @@ jobs:
           - '3.0'
           - '3.1'
           - '3.2'
+          - '3.3'
+          - '3.4'
           - jruby
           - truffleruby
     name: Ruby ${{ matrix.ruby }}
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -26,3 +28,17 @@ jobs:
         run: bundle install --jobs 4 --retry 3
       - name: Run tests
         run: bundle exec rake test
+
+  # rubocop linting
+  rubocop:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0
+      - name: Install dependencies
+        run: bundle install --jobs 4 --retry 3
+      - name: Run rubocop
+        run: bundle exec rubocop --parallel

data/.rubocop.yml

@@ -0,0 +1,13 @@
+AllCops:
+  NewCops: enable
+  SuggestExtensions: false
+  TargetRubyVersion: 3.1
+
+inherit_gem:
+  rubocop-ronin: rubocop.yml
+
+#
+# ronin-code-sql specific exceptions
+#
+Lint/BinaryOperatorWithIdenticalOperands: { Exclude: ['spec/**/*_spec.rb'] }
+Naming/MethodParameterName: { Exclude: ['lib/ronin/code/sql/functions.rb'] }

data/.ruby-version

@@ -1 +1 @@
-ruby-3.1
+ruby-3.3

data/ChangeLog.md

@@ -1,4 +1,19 @@
-### 2.0.0 / 2023-XX-XX
+### 2.1.1 / 2025-02-14
+
+* Omit parentheses when formatting SQL lists containing only one element
+  (ex: `order_by(1)` -> `ORDER BY 1`, not `ORDER BY (1)`).
+* Use `require_relative` to improve load times.
+
+### 2.1.0 / 2023-06-26
+
+* Added {Ronin::Code::SQL::Mixin}.
+* Added {Ronin::Code::SQLI} as an alias for {Ronin::Code::SQL::Injection}.
+* Added support for the `syntax:` and `comment:` keyword arguments to
+  {Ronin::Code::SQL::Statement#to_sql} and {Ronin::Code::SQL::Injection#to_sql}.
+* Added {Ronin::Code::SQL::Clauses#order_by}.
+* Added {Ronin::Code::SQL::Emitter#emit_comment}.
+
+### 2.0.0 / 2023-02-01
 
 * Require `ruby` >= 3.0.0.
 * Added [ronin-support] ~> 0.1 as a dependency.

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec
@@ -25,4 +27,6 @@ group :development do
   gem 'dead_end',        require: false
   gem 'sord',            require: false, platform: :mri
   gem 'stackprof',       require: false, platform: :mri
+  gem 'rubocop',         require: false, platform: :mri
+  gem 'rubocop-ronin',   require: false, platform: :mri
 end

data/README.md

@@ -8,7 +8,6 @@
 * [Issues](https://github.com/ronin-rb/ronin-code-sql/issues)
 * [Documentation](https://ronin-rb.dev/docs/ronin-code-sql/frames)
 * [Discord](https://discord.gg/6WAb3PsVX9) |
-  [Twitter](https://twitter.com/ronin_rb) |
   [Mastodon](https://infosec.exchange/@ronin_rb)
 
 ## Description
@@ -61,7 +60,7 @@ string.sql_decode
 Injecting a `1=1` test into a Integer comparison:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.or { 1 == 1 }
 puts sqli
 # 1 OR 1=1
@@ -70,7 +69,7 @@ puts sqli
 Injecting a `1=1` test into a String comparison:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new(escape: :string)
+sqli = Ronin::Code::SQLI.new(escape: :string)
 sqli.or { string(1) == string(1) }
 puts sqli
 # 1' OR '1'='1
@@ -79,7 +78,7 @@ puts sqli
 Columns:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and { admin == 1 }
 puts sqli
 # 1 AND admin=1
@@ -88,7 +87,7 @@ puts sqli
 Clauses:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.or { 1 == 1 }.limit(0)
 puts sqli
 # 1 OR 1=1 LIMIT 0
@@ -97,7 +96,7 @@ puts sqli
 Statements:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and { 1 == 0 }
 sqli.insert.into(:users).values('hacker','passw0rd','t')
 puts sqli
@@ -107,7 +106,7 @@ puts sqli
 Sub-Statements:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.union { select(1,2,3,4,id).from(users) }
 puts sqli
 # 1 UNION SELECT (1,2,3,4,id) FROM users
@@ -116,7 +115,7 @@ puts sqli
 Test if a table exists:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and { select(count).from(:users) == 1 }
 puts sqli
 # 1 AND (SELECT COUNT(*) FROM users)=1
@@ -125,7 +124,7 @@ puts sqli
 Create errors by using non-existent tables:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new(escape: :string)
+sqli = Ronin::Code::SQLI.new(escape: :string)
 sqli.and { non_existent_table == '1' }
 puts sqli
 # 1' AND non_existent_table='1
@@ -134,7 +133,7 @@ puts sqli
 Dumping all values of a column:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new(escape: :string)
+sqli = Ronin::Code::SQLI.new(escape: :string)
 sqli.or { username.is_not(null) }.or { username == '' }
 puts sqli
 # 1' OR username IS NOT NULL OR username='
@@ -143,7 +142,7 @@ puts sqli
 Enumerate through database table names:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.and {
   ascii(
     lower(
@@ -160,7 +159,7 @@ puts sqli
 Find user supplied tables via the `sysObjects` table:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.union_all {
   select(1,2,3,4,5,6,name).from(sysObjects).where { xtype == 'U' }
 }
@@ -171,12 +170,21 @@ puts sqli.to_sql(terminate: true)
 Bypass filters using `/**/` instead of spaces:
 
 ```ruby
-sqli = Ronin::Code::SQL::Injection.new
+sqli = Ronin::Code::SQLI.new
 sqli.union { select(1,2,3,4,id).from(users) }
 puts sqli.to_sql(space: '/**/')
 # 1/**/UNION/**/SELECT/**/(1,2,3,4,id)/**/FROM/**/users
 ```
 
+Bypass filters using MySQL `#` comments:
+
+```ruby
+sqli = Ronin::Code::SQLI.new
+sqli.or { 1 == 1 }
+puts sqli.to_sql(terminate: true, comment: '#')
+# 1 OR 1=1 OR 1=1;#
+```
+
 ## Requirements
 
 * [Ruby] >= 3.0.0
@@ -192,7 +200,7 @@ $ gem install ronin-code-sql
 
 ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 
-Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2007-2025 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 ronin-code-sql is free software: you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published

data/Rakefile

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'rubygems'
 
 begin

data/gemspec.yml

@@ -3,7 +3,7 @@ summary: A Ruby DSL for crafting SQL Injections.
 description:
   ronin-code-sql is a Ruby DSL for crafting SQL Injections.
 
-license: LGPL-3.0
+license: LGPL-3.0-or-later
 authors: Postmodern
 email: postmodern.mod3@gmail.com
 homepage: https://github.com/ronin-rb/ronin-code-sql#readme

data/lib/ronin/code/sql/binary_expr.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2025 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -18,8 +18,8 @@
 # along with ronin-code-sql.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-require 'ronin/code/sql/operators'
-require 'ronin/code/sql/emittable'
+require_relative 'operators'
+require_relative 'emittable'
 
 module Ronin
   module Code
@@ -29,11 +29,44 @@ module Ronin
       #
       # @api semipublic
       #
-      class BinaryExpr < Struct.new(:left,:operator,:right)
+      class BinaryExpr
 
         include Operators
         include Emittable
 
+        # The left-hand side of the binary expression.
+        #
+        # @return [Statement, Function, BinaryExpr, Field, Literal]
+        attr_reader :left
+
+        # The binary expression's operator.
+        #
+        # @return [Symbol]
+        attr_reader :operator
+
+        # The right-hand side of the binary expression.
+        #
+        # @return [Object]
+        attr_reader :right
+
+        #
+        # Initializes the binary expression.
+        #
+        # @param [Statement, Function, BinaryExpr, Field, Literal] left
+        #   The left-hand side of the binary expression.
+        #
+        # @param [Symbol] operator
+        #   The binary expression's operator.
+        #
+        # @param [Object] right
+        #   The right-hand side of the binary expression.
+        #
+        def initialize(left,operator,right)
+          @left     = left
+          @operator = operator
+          @right    = right
+        end
+
         #
         # Converts the binary expression to SQL.
         #

data/lib/ronin/code/sql/clause.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2025 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -18,12 +18,12 @@
 # along with ronin-code-sql.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-require 'ronin/code/sql/literals'
-require 'ronin/code/sql/fields'
-require 'ronin/code/sql/functions'
-require 'ronin/code/sql/statement'
-require 'ronin/code/sql/statements'
-require 'ronin/code/sql/emittable'
+require_relative 'literals'
+require_relative 'fields'
+require_relative 'functions'
+require_relative 'statement'
+require_relative 'statements'
+require_relative 'emittable'
 
 module Ronin
   module Code
@@ -33,7 +33,7 @@ module Ronin
       #
       # @api semipublic
       #
-      class Clause < Struct.new(:keyword,:argument)
+      class Clause
 
         include Literals
         include Fields
@@ -41,13 +41,23 @@ module Ronin
         include Statements
         include Emittable
 
+        # The name of the clause.
+        #
+        # @return [Symbol]
+        attr_reader :keyword
+
+        # The clause's argument.
+        #
+        # @return [Object, nil]
+        attr_reader :argument
+
         #
         # Initializes the SQL clause.
         #
         # @param [Symbol] keyword
         #   The name of the clause.
         #
-        # @param [Object] argument
+        # @param [Object, nil] argument
         #   Additional argument for the clause.
         #
         # @yield [(clause)]
@@ -58,13 +68,14 @@ module Ronin
         #   Otherwise the block will be evaluated within the clause.
         #
         def initialize(keyword,argument=nil,&block)
-          super(keyword,argument)
+          @keyword  = keyword
+          @argument = argument
 
           if block
-            self.argument = case block.arity
-                            when 0 then instance_eval(&block)
-                            else        block.call(self)
-                            end
+            @argument = case block.arity
+                        when 0 then instance_eval(&block)
+                        else        block.call(self)
+                        end
           end
         end
 

data/lib/ronin/code/sql/clauses.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2025 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -75,7 +75,7 @@ module Ronin
         #
         # Appends an `INTO` clause.
         #
-        # @param [Field, Symbol] table
+        # @param [Field, Symbol, nil] table
         #   The table to insert into.
         #
         # @return [self]
@@ -194,6 +194,20 @@ module Ronin
           clause([:GROUP, :BY],columns,&block)
         end
 
+        #
+        # Appends a `ORDER BY` clause.
+        #
+        # @param [Array<Field, Symbol>] columns
+        #   The columns for `ORDER BY`.
+        #
+        # @return [self]
+        #
+        # @since 2.1.0
+        #
+        def order_by(*columns,&block)
+          clause([:ORDER, :BY],columns,&block)
+        end
+
         #
         # Appends a `HAVING` clause.
         #
@@ -231,7 +245,7 @@ module Ronin
         # Appends a `TOP` clause.
         #
         # @param [Integer] value
-        #   The number of top rows to select. 
+        #   The number of top rows to select.
         #
         # @return [self]
         #
@@ -239,18 +253,6 @@ module Ronin
           clause(:TOP,value,&block)
         end
 
-        #
-        # Appends a `INTO` clause.
-        #
-        # @param [Field, Symbol] table
-        #   The table to insert/replace into.
-        #
-        # @return [self]
-        #
-        def into(table)
-          clause(:INTO,table)
-        end
-
         #
         # Appends a `VALUES` clause.
         #

data/lib/ronin/code/sql/emittable.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2025 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -18,7 +18,7 @@
 # along with ronin-code-sql.  If not, see <https://www.gnu.org/licenses/>.
 #
 
-require 'ronin/code/sql/emitter'
+require_relative 'emitter'
 
 module Ronin
   module Code
@@ -36,7 +36,7 @@ module Ronin
         #   Additional keyword arguments for {Emitter#initialize}.
         #
         # @api private
-        #   
+        #
         def emitter(**kwargs)
           Emitter.new(**kwargs)
         end
@@ -56,6 +56,13 @@ module Ronin
         # @option kwargs [:single, :double] :quotes (:single)
         #   Type of quotes to use for Strings.
         #
+        # @option kwargs [nil, :mysql, :postgres, :oracle, :mssql] :syntax
+        #   Specific SQL syntax to use.
+        #
+        # @option kwargs [nil, String] :comment
+        #   Optional String to use as the SQL comment when terminating
+        #   injection string
+        #
         # @return [String]
         #   The raw SQL.
         #

data/lib/ronin/code/sql/emitter.rb

@@ -2,7 +2,7 @@
 #
 # ronin-code-sql - A Ruby DSL for crafting SQL Injections.
 #
-# Copyright (c) 2007-2023 Hal Brodigan (postmodern.mod3 at gmail.com)
+# Copyright (c) 2007-2025 Hal Brodigan (postmodern.mod3 at gmail.com)
 #
 # ronin-code-sql is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Lesser General Public License as published
@@ -31,14 +31,30 @@ module Ronin
       class Emitter
 
         # The case to use when emitting keywords
+        #
+        # @return [:lower, :upper, :random, nil]
         attr_reader :case
 
         # String to use for white-space
+        #
+        # @return [String]
         attr_reader :space
 
         # Type of String quotes to use
+        #
+        # @return [:single, :double]
         attr_reader :quotes
 
+        # Generate DB-specific code
+        #
+        # @return [nil, :mysql, :postgres, :oracle, :mssql]
+        attr_reader :syntax
+
+        # String to use as 'comment' or `nil` to let the emitter decide
+        #
+        # @return [String, nil]
+        attr_reader :comment
+
         #
         # Initializes the SQL Emitter.
         #
@@ -48,16 +64,24 @@ module Ronin
         # @param [:single, :double] quotes
         #   Type of quotes to use for Strings.
         #
+        # @param [nil, :mysql, :postgres, :oracle, :mssql] syntax
+        #   Syntax used during code-generation
+        #
+        # @param [nil, String] comment
+        #   String to use as the comment when terminating injection string
+        #
         # @param [Hash{Symbol => Object}] kwargs
         #   Emitter options.
         #
         # @option kwargs [:lower, :upper, :random, nil] :case
         #   Case for keywords.
         #
-        def initialize(space: ' ', quotes: :single, **kwargs)
-          @case   = kwargs[:case] # HACK: because `case` is a ruby keyword
-          @space  = space
-          @quotes = quotes
+        def initialize(space: ' ', quotes: :single, syntax: nil, comment: nil, **kwargs)
+          @case    = kwargs[:case] # HACK: because `case` is a ruby keyword
+          @syntax  = syntax
+          @comment = comment
+          @space   = space
+          @quotes  = quotes
         end
 
         #
@@ -70,36 +94,37 @@ module Ronin
         #   The raw SQL.
         #
         def emit_keyword(keyword)
-          keyword = Array(keyword).join(@space)
+          string = Array(keyword).join(@space)
 
           case @case
-          when :upper  then keyword.upcase
-          when :lower  then keyword.downcase
+          when :upper  then string.upcase
+          when :lower  then string.downcase
           when :random
-            keyword.tap do
-              (keyword.length / 2).times do
-                index = rand(keyword.length)
-                keyword[index] = keyword[index].swapcase
+            string.tap do
+              (string.length / 2).times do
+                index = rand(string.length)
+
+                string[index] = string[index].swapcase
               end
             end
           else
-            keyword
+            string
           end
         end
 
         #
         # Emits a SQL operator.
         #
-        # @param [Array<Symbol>, Symbol] op
+        # @param [Array<Symbol>, Symbol] operator
         #   The operator symbol.
         #
         # @return [String]
         #   The raw SQL.
         #
-        def emit_operator(op)
-          case op
-          when /^\W+$/          then op.to_s
-          else                       emit_keyword(op)
+        def emit_operator(operator)
+          case operator
+          when /^\W+$/ then operator.to_s
+          else              emit_keyword(operator)
           end
         end
 
@@ -132,6 +157,19 @@ module Ronin
           "1=1"
         end
 
+        #
+        # Emits a SQL comment.
+        #
+        # @return [String]
+        #   The raw SQL.
+        #
+        # @since 2.1.0
+        #
+        def emit_comment
+          # Return chosen comment or default one which works everywhere
+          @comment || '-- '
+        end
+
         #
         # Emits a SQL Integer.
         #
@@ -200,7 +238,11 @@ module Ronin
         #   The raw SQL.
         #
         def emit_list(list)
-          '(' + list.map { |element| emit(element) }.join(',') + ')'
+          if list.length == 1
+            emit(list.first)
+          else
+            "(#{list.map { |element| emit(element) }.join(',')})"
+          end
         end
 
         #
@@ -250,7 +292,8 @@ module Ronin
 
           case expr
           when BinaryExpr
-            left, right = emit_argument(expr.left), emit_argument(expr.right)
+            left  = emit_argument(expr.left)
+            right = emit_argument(expr.right)
 
             case op
             when /^\W+$/ then "#{left}#{op}#{right}"
@@ -366,16 +409,16 @@ module Ronin
           sql = emit_keyword(stmt.keyword)
 
           unless stmt.argument.nil?
-            case stmt.argument
-            when Array
-              sql << @space << if stmt.argument.length == 1
+            sql << @space << case stmt.argument
+                             when Array
+                               if stmt.argument.length == 1
                                  emit_argument(stmt.argument[0])
                                else
                                  emit_list(stmt.argument)
                                end
-            else
-              sql << @space << emit_argument(stmt.argument)
-            end
+                             else
+                               emit_argument(stmt.argument)
+                             end
           end
 
           unless stmt.clauses.empty?