sqlspec 0.14.1__py3-none-any.whl → 0.16.0__py3-none-any.whl

sqlspec/statement/pipelines/validators/_security.py

@@ -1,967 +0,0 @@
-"""Security validator for SQL statements."""
-
-import contextlib
-import logging
-import re
-from dataclasses import dataclass, field
-from enum import Enum, auto
-from typing import TYPE_CHECKING, Any, Optional
-
-from sqlglot import exp
-from sqlglot.expressions import EQ, Binary, Func, Literal, Or, Subquery, Union
-
-from sqlspec.exceptions import RiskLevel
-from sqlspec.protocols import ProcessorProtocol
-from sqlspec.statement.pipelines.context import ValidationError
-from sqlspec.utils.type_guards import has_expressions, has_sql_method
-
-if TYPE_CHECKING:
-    from sqlspec.statement.pipelines.context import SQLProcessingContext
-
-__all__ = ("SecurityIssue", "SecurityIssueType", "SecurityValidator", "SecurityValidatorConfig")
-
-# Constants for magic values
-MAX_FUNCTION_ARGS = 10
-MAX_NESTING_LEVELS = 5
-MIN_UNION_COUNT_FOR_INJECTION = 2
-
-logger = logging.getLogger(__name__)
-
-# Constants
-SUSPICIOUS_FUNC_THRESHOLD = 2
-
-
-class SecurityIssueType(Enum):
-    """Types of security issues that can be detected."""
-
-    INJECTION = auto()
-    TAUTOLOGY = auto()
-    SUSPICIOUS_KEYWORD = auto()
-    COMBINED_ATTACK = auto()
-    AST_ANOMALY = auto()  # New: AST-based detection
-    STRUCTURAL_ATTACK = auto()  # New: Structural analysis
-
-
-@dataclass
-class SecurityIssue:
-    """Represents a detected security issue in SQL."""
-
-    issue_type: "SecurityIssueType"
-    risk_level: "RiskLevel"
-    description: str
-    location: Optional[str] = None
-    pattern_matched: Optional[str] = None
-    recommendation: Optional[str] = None
-    metadata: "dict[str, Any]" = field(default_factory=dict)
-    ast_node_type: Optional[str] = None  # New: AST node type for AST-based detection
-    confidence: float = 1.0  # New: Confidence level (0.0 to 1.0)
-
-
-@dataclass
-class SecurityValidatorConfig:
-    """Configuration for the unified security validator."""
-
-    # Feature toggles
-    check_injection: bool = True
-    check_tautology: bool = True
-    check_keywords: bool = True
-    check_combined_patterns: bool = True
-    check_ast_anomalies: bool = True  # New: AST-based anomaly detection
-    check_structural_attacks: bool = True  # New: Structural attack detection
-
-    # Risk levels
-    default_risk_level: "RiskLevel" = RiskLevel.HIGH
-    injection_risk_level: "RiskLevel" = RiskLevel.HIGH
-    tautology_risk_level: "RiskLevel" = RiskLevel.MEDIUM
-    keyword_risk_level: "RiskLevel" = RiskLevel.MEDIUM
-    ast_anomaly_risk_level: "RiskLevel" = RiskLevel.MEDIUM
-
-    # Thresholds
-    max_union_count: int = 3
-    max_null_padding: int = 5
-    max_system_tables: int = 2
-    max_nesting_depth: int = 5  # New: Maximum nesting depth
-    max_literal_length: int = 1000  # New: Maximum literal length
-    min_confidence_threshold: float = 0.7  # New: Minimum confidence for reporting
-
-    # Allowed/blocked lists
-    allowed_functions: "list[str]" = field(default_factory=list)
-    blocked_functions: "list[str]" = field(default_factory=list)
-    allowed_system_schemas: "list[str]" = field(default_factory=list)
-
-    # Custom patterns (legacy support)
-    custom_injection_patterns: "list[str]" = field(default_factory=list)
-    custom_suspicious_patterns: "list[str]" = field(default_factory=list)
-
-
-# Common regex patterns used across security checks
-PATTERNS = {
-    # Injection patterns
-    "union_null": re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+(?:NULL(?:\s*,\s*NULL)*)", re.IGNORECASE),
-    "comment_evasion": re.compile(r"/\*.*?\*/|--.*?$|#.*?$", re.MULTILINE),
-    "encoded_chars": re.compile(r"(?:CHAR|CHR)\s*\([0-9]+\)", re.IGNORECASE),
-    "hex_encoding": re.compile(r"0x[0-9a-fA-F]+"),
-    "concat_evasion": re.compile(r"(?:CONCAT|CONCAT_WS|\|\|)\s*\([^)]+\)", re.IGNORECASE),
-    # Tautology patterns
-    "always_true": re.compile(r"(?:1\s*=\s*1|'1'\s*=\s*'1'|true|TRUE)\s*(?:OR|AND)?", re.IGNORECASE),
-    "or_patterns": re.compile(r"\bOR\s+1\s*=\s*1\b", re.IGNORECASE),
-    # Suspicious function patterns
-    "file_operations": re.compile(r"\b(?:LOAD_FILE|INTO\s+(?:OUTFILE|DUMPFILE))\b", re.IGNORECASE),
-    "exec_functions": re.compile(r"\b(?:EXEC|EXECUTE|xp_cmdshell|sp_executesql)\b", re.IGNORECASE),
-    "admin_functions": re.compile(r"\b(?:CREATE\s+USER|DROP\s+USER|GRANT|REVOKE)\b", re.IGNORECASE),
-}
-
-# System schemas that are often targeted in attacks
-SYSTEM_SCHEMAS = {
-    "mysql": ["information_schema", "mysql", "performance_schema", "sys"],
-    "postgresql": ["information_schema", "pg_catalog", "pg_temp"],
-    "mssql": ["information_schema", "sys", "master", "msdb"],
-    "oracle": ["sys", "system", "dba_", "all_", "user_"],
-}
-
-# Functions commonly used in SQL injection attacks
-SUSPICIOUS_FUNCTIONS = [
-    # String manipulation
-    "concat",
-    "concat_ws",
-    "substring",
-    "substr",
-    "char",
-    "chr",
-    "ascii",
-    "hex",
-    "unhex",
-    # File operations
-    "load_file",
-    "outfile",
-    "dumpfile",
-    # System information
-    "database",
-    "version",
-    "user",
-    "current_user",
-    "system_user",
-    "session_user",
-    # Time-based
-    "sleep",
-    "benchmark",
-    "pg_sleep",
-    "waitfor",
-    # Execution
-    "exec",
-    "execute",
-    "xp_cmdshell",
-    "sp_executesql",
-    # XML/JSON (for data extraction)
-    "extractvalue",
-    "updatexml",
-    "xmltype",
-    "json_extract",
-]
-
-
-class SecurityValidator(ProcessorProtocol):
-    """Unified security validator that performs comprehensive security checks in a single pass."""
-
-    def __init__(self, config: Optional["SecurityValidatorConfig"] = None, **kwargs: Any) -> None:
-        """Initialize the security validator with configuration."""
-        self.config = config or SecurityValidatorConfig()
-        self._compiled_patterns: dict[str, re.Pattern[str]] = {}
-        self._compile_custom_patterns()
-
-    def _compile_custom_patterns(self) -> None:
-        """Compile custom regex patterns from configuration."""
-        for i, pattern in enumerate(self.config.custom_injection_patterns):
-            with contextlib.suppress(re.error):
-                self._compiled_patterns[f"custom_injection_{i}"] = re.compile(pattern, re.IGNORECASE)
-
-        for i, pattern in enumerate(self.config.custom_suspicious_patterns):
-            with contextlib.suppress(re.error):
-                self._compiled_patterns[f"custom_suspicious_{i}"] = re.compile(pattern, re.IGNORECASE)
-
-    def add_error(
-        self,
-        context: "SQLProcessingContext",
-        message: str,
-        code: str,
-        risk_level: RiskLevel,
-        expression: "Optional[exp.Expression]" = None,
-    ) -> None:
-        """Add a validation error to the context."""
-        error = ValidationError(
-            message=message, code=code, risk_level=risk_level, processor=self.__class__.__name__, expression=expression
-        )
-        context.validation_errors.append(error)
-
-    def process(
-        self, expression: Optional[exp.Expression], context: "SQLProcessingContext"
-    ) -> Optional[exp.Expression]:
-        """Process the SQL expression and detect security issues in a single pass."""
-        if not context.current_expression:
-            return None
-
-        security_issues: list[SecurityIssue] = []
-        visited_nodes: set[int] = set()
-
-        # Single AST traversal for all security checks
-        nesting_depth = 0
-        for node in context.current_expression.walk():
-            node_id = id(node)
-            if node_id in visited_nodes:
-                continue
-            visited_nodes.add(node_id)
-
-            # Track nesting depth
-            if isinstance(node, (Subquery, exp.Select)):
-                nesting_depth += 1
-
-            if self.config.check_injection:
-                injection_issues = self._check_injection_patterns(node, context)
-                security_issues.extend(injection_issues)
-
-            if self.config.check_tautology:
-                tautology_issues = self._check_tautology_patterns(node, context)
-                security_issues.extend(tautology_issues)
-
-            if self.config.check_keywords:
-                keyword_issues = self._check_suspicious_keywords(node, context)
-                security_issues.extend(keyword_issues)
-
-            # New: Check AST anomalies
-            if self.config.check_ast_anomalies:
-                anomaly_issues = self._check_ast_anomalies(node, context, nesting_depth)
-                security_issues.extend(anomaly_issues)
-
-            # New: Check structural attacks
-            if self.config.check_structural_attacks:
-                structural_issues = self._check_structural_attacks(node, context)
-                security_issues.extend(structural_issues)
-
-        if self.config.check_combined_patterns and security_issues:
-            combined_issues = self._check_combined_patterns(context.current_expression, security_issues)
-            security_issues.extend(combined_issues)
-
-        # Also check the initial SQL string for custom patterns (handles unparsed parts)
-        if self.config.check_injection and context.initial_sql_string:
-            for name, pattern in self._compiled_patterns.items():
-                if name.startswith("custom_injection_") and pattern.search(context.initial_sql_string):
-                    security_issues.append(
-                        SecurityIssue(
-                            issue_type=SecurityIssueType.INJECTION,
-                            risk_level=self.config.injection_risk_level,
-                            description=f"Custom injection pattern matched: {name}",
-                            location=context.initial_sql_string[:100],
-                            pattern_matched=name,
-                        )
-                    )
-
-        if security_issues:
-            max(issue.risk_level for issue in security_issues)
-
-        for issue in security_issues:
-            error = ValidationError(
-                message=issue.description,
-                code="security-issue",
-                risk_level=issue.risk_level,
-                processor="SecurityValidator",
-                expression=expression,
-            )
-            context.validation_errors.append(error)
-
-        # Store metadata in context for access by caller
-        context.metadata["security_validator"] = {
-            "security_issues": security_issues,
-            "checks_performed": [
-                "injection" if self.config.check_injection else None,
-                "tautology" if self.config.check_tautology else None,
-                "keywords" if self.config.check_keywords else None,
-                "combined" if self.config.check_combined_patterns else None,
-            ],
-            "total_issues": len(security_issues),
-            "issue_breakdown": {
-                issue_type.name: sum(1 for issue in security_issues if issue.issue_type == issue_type)
-                for issue_type in SecurityIssueType
-            },
-        }
-
-        # Filter issues by confidence threshold
-        filtered_issues = [
-            issue for issue in security_issues if issue.confidence >= self.config.min_confidence_threshold
-        ]
-
-        if filtered_issues != security_issues:
-            context.validation_errors = []
-            for issue in filtered_issues:
-                error = ValidationError(
-                    message=issue.description,
-                    code="security-issue",
-                    risk_level=issue.risk_level,
-                    processor="SecurityValidator",
-                    expression=expression,
-                )
-                context.validation_errors.append(error)
-
-            context.metadata["security_validator"] = {
-                "security_issues": filtered_issues,
-                "total_issues_found": len(security_issues),
-                "issues_after_confidence_filter": len(filtered_issues),
-                "confidence_threshold": self.config.min_confidence_threshold,
-                "checks_performed": [
-                    "injection" if self.config.check_injection else None,
-                    "tautology" if self.config.check_tautology else None,
-                    "keywords" if self.config.check_keywords else None,
-                    "combined" if self.config.check_combined_patterns else None,
-                    "ast_anomalies" if self.config.check_ast_anomalies else None,
-                    "structural" if self.config.check_structural_attacks else None,
-                ],
-                "issue_breakdown": {
-                    issue_type.name: sum(1 for issue in filtered_issues if issue.issue_type == issue_type)
-                    for issue_type in SecurityIssueType
-                },
-            }
-
-        return expression
-
-    def _check_injection_patterns(
-        self, node: "exp.Expression", context: "SQLProcessingContext"
-    ) -> "list[SecurityIssue]":
-        """Check for SQL injection patterns in the node."""
-        issues: list[SecurityIssue] = []
-
-        if isinstance(node, exp.Union):
-            union_issues = self._check_union_injection(node, context)
-            issues.extend(union_issues)
-
-        sql_text = node.sql()
-        if PATTERNS["comment_evasion"].search(sql_text):
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.INJECTION,
-                    risk_level=self.config.injection_risk_level,
-                    description="Comment-based SQL injection attempt detected",
-                    location=sql_text[:100],
-                    pattern_matched="comment_evasion",
-                    recommendation="Remove or sanitize SQL comments",
-                )
-            )
-
-        if PATTERNS["encoded_chars"].search(sql_text) or PATTERNS["hex_encoding"].search(sql_text):
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.INJECTION,
-                    risk_level=self.config.injection_risk_level,
-                    description="Encoded character evasion detected",
-                    location=sql_text[:100],
-                    pattern_matched="encoding_evasion",
-                    recommendation="Validate and decode input properly",
-                )
-            )
-
-        if isinstance(node, exp.Table):
-            system_access = self._check_system_schema_access(node)
-            if system_access:
-                issues.append(system_access)
-
-        for name, pattern in self._compiled_patterns.items():
-            if name.startswith("custom_injection_") and pattern.search(sql_text):
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.INJECTION,
-                        risk_level=self.config.injection_risk_level,
-                        description=f"Custom injection pattern matched: {name}",
-                        location=sql_text[:100],
-                        pattern_matched=name,
-                    )
-                )
-
-        return issues
-
-    def _check_union_injection(self, union_node: "exp.Union", context: "SQLProcessingContext") -> "list[SecurityIssue]":
-        """Check for UNION-based SQL injection patterns."""
-        issues: list[SecurityIssue] = []
-
-        # Count UNIONs in the query
-        if context.current_expression:
-            union_count = len(list(context.current_expression.find_all(exp.Union)))
-        else:
-            return []
-        if union_count > self.config.max_union_count:
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.INJECTION,
-                    risk_level=self.config.injection_risk_level,
-                    description=f"Excessive UNION operations detected ({union_count})",
-                    location=union_node.sql()[:100],
-                    pattern_matched="excessive_unions",
-                    recommendation="Limit the number of UNION operations",
-                    metadata={"union_count": union_count},
-                )
-            )
-
-        if isinstance(union_node, exp.Union) and isinstance(union_node.right, exp.Select):
-            select_expr = union_node.right
-            if select_expr.expressions:
-                null_count = sum(1 for expr in select_expr.expressions if isinstance(expr, exp.Null))
-                if null_count > self.config.max_null_padding:
-                    issues.append(
-                        SecurityIssue(
-                            issue_type=SecurityIssueType.INJECTION,
-                            risk_level=self.config.injection_risk_level,
-                            description=f"UNION with excessive NULL padding ({null_count} NULLs)",
-                            location=union_node.sql()[:100],
-                            pattern_matched="union_null_padding",
-                            recommendation="Validate UNION queries for proper column matching",
-                            metadata={"null_count": null_count},
-                        )
-                    )
-
-        return issues
-
-    def _check_system_schema_access(self, table_node: "exp.Table") -> Optional["SecurityIssue"]:
-        """Check if a table reference is accessing system schemas."""
-        table_name = table_node.name.lower() if table_node.name else ""
-        schema_name = table_node.db.lower() if table_node.db else ""
-        table_node.catalog.lower() if table_node.catalog else ""
-
-        if schema_name in self.config.allowed_system_schemas:
-            return None
-
-        # Check against known system schemas
-        for db_type, schemas in SYSTEM_SCHEMAS.items():
-            if schema_name in schemas or any(schema in table_name for schema in schemas):
-                return SecurityIssue(
-                    issue_type=SecurityIssueType.INJECTION,
-                    risk_level=self.config.injection_risk_level,
-                    description=f"Access to system schema detected: {schema_name or table_name}",
-                    location=table_node.sql(),
-                    pattern_matched="system_schema_access",
-                    recommendation="Restrict access to system schemas",
-                    metadata={"database_type": db_type, "schema": schema_name, "table": table_name},
-                )
-
-        return None
-
-    def _check_tautology_patterns(
-        self, node: "exp.Expression", context: "SQLProcessingContext"
-    ) -> "list[SecurityIssue]":
-        """Check for tautology conditions that are always true."""
-        issues: list[SecurityIssue] = []
-
-        if isinstance(node, exp.Boolean) and node.this is True:
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.TAUTOLOGY,
-                    risk_level=self.config.tautology_risk_level,
-                    description="Tautology: always-true literal condition detected",
-                    location=node.sql(),
-                    pattern_matched="always-true",
-                    recommendation="Remove always-true conditions from WHERE clause",
-                )
-            )
-
-        if isinstance(node, (exp.EQ, exp.NEQ, exp.GT, exp.LT, exp.GTE, exp.LTE)) and self._is_tautology(node):
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.TAUTOLOGY,
-                    risk_level=self.config.tautology_risk_level,
-                    description="Tautology: always-true condition detected",
-                    location=node.sql(),
-                    pattern_matched="tautology_condition",
-                    recommendation="Review WHERE conditions for always-true statements",
-                )
-            )
-
-        if isinstance(node, exp.Or):
-            or_sql = node.sql()
-            if PATTERNS["or_patterns"].search(or_sql) or PATTERNS["always_true"].search(or_sql):
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.TAUTOLOGY,
-                        risk_level=self.config.tautology_risk_level,
-                        description="OR with always-true condition detected",
-                        location=or_sql[:100],
-                        pattern_matched="or_tautology",
-                        recommendation="Validate OR conditions in WHERE clauses",
-                    )
-                )
-
-        return issues
-
-    def _is_tautology(self, comparison: "exp.Expression") -> bool:
-        """Check if a comparison is a tautology."""
-        if not isinstance(comparison, exp.Binary):
-            return False
-
-        # In sqlglot, binary expressions use 'this' and 'expression' for operands
-        left = comparison.this
-        right = comparison.expression
-
-        if self._expressions_identical(left, right):
-            if isinstance(comparison, (exp.EQ, exp.GTE, exp.LTE)):
-                return True
-            if isinstance(comparison, (exp.NEQ, exp.GT, exp.LT)):
-                return False
-
-        if isinstance(left, exp.Literal) and isinstance(right, exp.Literal):
-            try:
-                left_val = left.this
-                right_val = right.this
-
-                if isinstance(comparison, exp.EQ):
-                    return bool(left_val == right_val)
-                if isinstance(comparison, exp.NEQ):
-                    return bool(left_val != right_val)
-            except Exception:
-                # Value extraction failed, can't evaluate the condition
-                logger.debug("Failed to extract values for comparison evaluation")
-
-        return False
-
-    @staticmethod
-    def _expressions_identical(expr1: "exp.Expression", expr2: "exp.Expression") -> bool:
-        """Check if two expressions are structurally identical."""
-        if type(expr1) is not type(expr2):
-            return False
-
-        if isinstance(expr1, exp.Column) and isinstance(expr2, exp.Column):
-            return expr1.name == expr2.name and expr1.table == expr2.table
-
-        if isinstance(expr1, exp.Literal) and isinstance(expr2, exp.Literal):
-            return bool(expr1.this == expr2.this)
-
-        # For other expressions, compare their SQL representations
-        return expr1.sql() == expr2.sql()
-
-    def _check_suspicious_keywords(
-        self, node: "exp.Expression", context: "SQLProcessingContext"
-    ) -> "list[SecurityIssue]":
-        """Check for suspicious functions and keywords."""
-        issues: list[SecurityIssue] = []
-
-        if isinstance(node, exp.Func):
-            func_name = node.name.lower() if node.name else ""
-
-            if func_name in self.config.blocked_functions:
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                        risk_level=RiskLevel.HIGH,
-                        description=f"Blocked function used: {func_name}",
-                        location=node.sql()[:100],
-                        pattern_matched="blocked_function",
-                        recommendation=f"Function {func_name} is not allowed",
-                    )
-                )
-            elif func_name in SUSPICIOUS_FUNCTIONS and func_name not in self.config.allowed_functions:
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                        risk_level=self.config.keyword_risk_level,
-                        description=f"Suspicious function detected: {func_name}",
-                        location=node.sql()[:100],
-                        pattern_matched="suspicious_function",
-                        recommendation=f"Review usage of {func_name} function",
-                        metadata={"function": func_name},
-                    )
-                )
-
-        if isinstance(node, exp.Command):
-            # Commands are often used for dynamic SQL execution
-            command_text = str(node)
-            if any(
-                keyword in command_text.lower() for keyword in ["execute", "exec", "sp_executesql", "grant", "revoke"]
-            ):
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                        risk_level=RiskLevel.HIGH,
-                        description=f"Dynamic SQL execution command detected: {command_text.split()[0].lower()}",
-                        location=command_text[:100],
-                        pattern_matched="exec_command",
-                        recommendation="Avoid dynamic SQL execution",
-                    )
-                )
-
-        if has_sql_method(node):
-            sql_text = node.sql()
-
-            # File operations
-            if PATTERNS["file_operations"].search(sql_text):
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                        risk_level=RiskLevel.HIGH,
-                        description="File operation detected in SQL",
-                        location=sql_text[:100],
-                        pattern_matched="file_operation",
-                        recommendation="File operations should be handled at application level",
-                    )
-                )
-
-            # Execution functions
-            if PATTERNS["exec_functions"].search(sql_text):
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                        risk_level=RiskLevel.HIGH,
-                        description="Dynamic SQL execution function detected",
-                        location=sql_text[:100],
-                        pattern_matched="exec_function",
-                        recommendation="Avoid dynamic SQL execution",
-                    )
-                )
-
-            # Administrative commands
-            if PATTERNS["admin_functions"].search(sql_text):
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                        risk_level=RiskLevel.HIGH,
-                        description="Administrative command detected",
-                        location=sql_text[:100],
-                        pattern_matched="admin_function",
-                        recommendation="Administrative commands should be restricted",
-                    )
-                )
-
-            # Check custom suspicious patterns
-            for name, pattern in self._compiled_patterns.items():
-                if name.startswith("custom_suspicious_") and pattern.search(sql_text):
-                    issues.append(
-                        SecurityIssue(
-                            issue_type=SecurityIssueType.SUSPICIOUS_KEYWORD,
-                            risk_level=self.config.keyword_risk_level,
-                            description=f"Custom suspicious pattern matched: {name}",
-                            location=sql_text[:100],
-                            pattern_matched=name,
-                        )
-                    )
-
-        return issues
-
-    @staticmethod
-    def _check_combined_patterns(
-        expression: "exp.Expression",  # noqa: ARG004
-        existing_issues: "list[SecurityIssue]",
-    ) -> "list[SecurityIssue]":
-        """Check for combined attack patterns that indicate sophisticated attacks."""
-        combined_issues: list[SecurityIssue] = []
-
-        # Group issues by type
-        issue_types = {issue.issue_type for issue in existing_issues}
-
-        # Tautology + UNION = Classic SQLi
-        if SecurityIssueType.TAUTOLOGY in issue_types and SecurityIssueType.INJECTION in issue_types:
-            has_union = any(
-                "union" in issue.pattern_matched.lower() for issue in existing_issues if issue.pattern_matched
-            )
-            if has_union:
-                combined_issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.COMBINED_ATTACK,
-                        risk_level=RiskLevel.HIGH,
-                        description="Classic SQL injection pattern detected (Tautology + UNION)",
-                        pattern_matched="classic_sqli",
-                        recommendation="This appears to be a deliberate SQL injection attempt",
-                        metadata={"attack_components": ["tautology", "union"], "confidence": "high"},
-                    )
-                )
-
-        # Multiple suspicious functions + system schema = Data extraction attempt
-        suspicious_func_count = sum(
-            1
-            for issue in existing_issues
-            if issue.issue_type == SecurityIssueType.SUSPICIOUS_KEYWORD and "function" in (issue.pattern_matched or "")
-        )
-        system_schema_access = any("system_schema" in (issue.pattern_matched or "") for issue in existing_issues)
-
-        if suspicious_func_count >= SUSPICIOUS_FUNC_THRESHOLD and system_schema_access:
-            combined_issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.COMBINED_ATTACK,
-                    risk_level=RiskLevel.HIGH,
-                    description="Data extraction attempt detected (Multiple functions + System schema)",
-                    pattern_matched="data_extraction",
-                    recommendation="Block queries attempting to extract system information",
-                    metadata={"suspicious_functions": suspicious_func_count, "targets_system_schema": True},
-                )
-            )
-
-        # Encoding + Injection = Evasion attempt
-        has_encoding = any("encoding" in (issue.pattern_matched or "").lower() for issue in existing_issues)
-        has_comment = any("comment" in (issue.pattern_matched or "").lower() for issue in existing_issues)
-
-        if has_encoding or has_comment:
-            combined_issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.COMBINED_ATTACK,
-                    risk_level=RiskLevel.HIGH,
-                    description="Evasion technique detected in SQL injection attempt",
-                    pattern_matched="evasion_attempt",
-                    recommendation="Input appears to be crafted to bypass security filters",
-                    metadata={
-                        "evasion_techniques": [
-                            "encoding" if has_encoding else None,
-                            "comments" if has_comment else None,
-                        ]
-                    },
-                )
-            )
-
-        return combined_issues
-
-    def _check_ast_anomalies(
-        self, node: "exp.Expression", context: "SQLProcessingContext", nesting_depth: int
-    ) -> "list[SecurityIssue]":
-        """Check for AST-based anomalies that could indicate injection attempts.
-
-        This method uses sophisticated AST analysis instead of regex patterns.
-        """
-        issues: list[SecurityIssue] = []
-
-        if nesting_depth > self.config.max_nesting_depth:
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.AST_ANOMALY,
-                    risk_level=self.config.ast_anomaly_risk_level,
-                    description=f"Excessive query nesting detected (depth: {nesting_depth})",
-                    location=node.sql()[:100] if has_sql_method(node) else str(node)[:100],
-                    pattern_matched="excessive_nesting",
-                    recommendation="Review query structure for potential injection",
-                    ast_node_type=type(node).__name__,
-                    confidence=0.8,
-                    metadata={"nesting_depth": nesting_depth, "max_allowed": self.config.max_nesting_depth},
-                )
-            )
-
-        if isinstance(node, Literal) and isinstance(node.this, str):
-            literal_length = len(str(node.this))
-            if literal_length > self.config.max_literal_length:
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.AST_ANOMALY,
-                        risk_level=self.config.ast_anomaly_risk_level,
-                        description=f"Suspiciously long literal detected ({literal_length} chars)",
-                        location=str(node.this)[:100],
-                        pattern_matched="long_literal",
-                        recommendation="Validate input length and content",
-                        ast_node_type="Literal",
-                        confidence=0.6,
-                        metadata={"literal_length": literal_length, "max_allowed": self.config.max_literal_length},
-                    )
-                )
-
-        if isinstance(node, Func):
-            func_issues = self._analyze_function_anomalies(node)
-            issues.extend(func_issues)
-
-        if isinstance(node, Binary):
-            binary_issues = self._analyze_binary_anomalies(node)
-            issues.extend(binary_issues)
-
-        return issues
-
-    def _check_structural_attacks(
-        self, node: "exp.Expression", context: "SQLProcessingContext"
-    ) -> "list[SecurityIssue]":
-        """Check for structural attack patterns using AST analysis."""
-        issues: list[SecurityIssue] = []
-
-        if isinstance(node, Union):
-            union_issues = self._analyze_union_structure(node)
-            issues.extend(union_issues)
-
-        if isinstance(node, Subquery):
-            subquery_issues = self._analyze_subquery_structure(node)
-            issues.extend(subquery_issues)
-
-        if isinstance(node, Or):
-            or_issues = self._analyze_or_structure(node)
-            issues.extend(or_issues)
-
-        return issues
-
-    @staticmethod
-    def _analyze_function_anomalies(func_node: Func) -> "list[SecurityIssue]":
-        """Analyze function calls for anomalous patterns."""
-        issues: list[SecurityIssue] = []
-
-        if not func_node.name:
-            return issues
-
-        func_name = func_node.name.lower()
-
-        if func_node.this and isinstance(func_node.this, Func):
-            nested_func = func_node.this
-            if nested_func.name and nested_func.name.lower() in SUSPICIOUS_FUNCTIONS:
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.AST_ANOMALY,
-                        risk_level=RiskLevel.MEDIUM,
-                        description=f"Nested suspicious function call: {nested_func.name.lower()} inside {func_name}",
-                        location=func_node.sql()[:100] if has_sql_method(func_node) else str(func_node)[:100],
-                        pattern_matched="nested_suspicious_function",
-                        recommendation="Review nested function calls for evasion attempts",
-                        ast_node_type="Func",
-                        confidence=0.7,
-                        metadata={"outer_function": func_name, "inner_function": nested_func.name.lower()},
-                    )
-                )
-
-        if has_expressions(func_node) and func_node.expressions:
-            arg_count = len(func_node.expressions)
-            if func_name in {"concat", "concat_ws"} and arg_count > MAX_FUNCTION_ARGS:
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.AST_ANOMALY,
-                        risk_level=RiskLevel.MEDIUM,
-                        description=f"Excessive arguments to {func_name} function ({arg_count} args)",
-                        location=func_node.sql()[:100] if has_sql_method(func_node) else str(func_node)[:100],
-                        pattern_matched="excessive_function_args",
-                        recommendation="Review function arguments for potential injection",
-                        ast_node_type="Func",
-                        confidence=0.6,
-                        metadata={"function": func_name, "arg_count": arg_count},
-                    )
-                )
-
-        return issues
-
-    def _analyze_binary_anomalies(self, binary_node: Binary) -> "list[SecurityIssue]":
-        """Analyze binary operations for suspicious patterns."""
-        issues: list[SecurityIssue] = []
-
-        # Check for deeply nested binary operations (potential injection)
-        depth = self._calculate_binary_depth(binary_node)
-        if depth > MAX_NESTING_LEVELS:  # Arbitrary threshold
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.AST_ANOMALY,
-                    risk_level=RiskLevel.LOW,
-                    description=f"Deeply nested binary operations detected (depth: {depth})",
-                    location=binary_node.sql()[:100],
-                    pattern_matched="deep_binary_nesting",
-                    recommendation="Review complex condition structures",
-                    ast_node_type="Binary",
-                    confidence=0.5,
-                    metadata={"nesting_depth": depth},
-                )
-            )
-
-        return issues
-
-    def _analyze_union_structure(self, union_node: Union) -> "list[SecurityIssue]":
-        """Analyze UNION structure for injection patterns."""
-        issues: list[SecurityIssue] = []
-
-        if isinstance(union_node, exp.Union):
-            left_cols = self._count_select_columns(union_node.left)
-            right_cols = self._count_select_columns(union_node.right)
-
-            if left_cols != right_cols and left_cols > 0 and right_cols > 0:
-                issues.append(
-                    SecurityIssue(
-                        issue_type=SecurityIssueType.STRUCTURAL_ATTACK,
-                        risk_level=RiskLevel.HIGH,
-                        description=f"UNION with mismatched column counts ({left_cols} vs {right_cols})",
-                        location=union_node.sql()[:100],
-                        pattern_matched="union_column_mismatch",
-                        recommendation="UNION queries should have matching column counts",
-                        ast_node_type="Union",
-                        confidence=0.9,
-                        metadata={"left_columns": left_cols, "right_columns": right_cols},
-                    )
-                )
-
-        return issues
-
-    @staticmethod
-    def _analyze_subquery_structure(subquery_node: Subquery) -> "list[SecurityIssue]":
-        """Analyze subquery structure for injection patterns."""
-        issues: list[SecurityIssue] = []
-
-        if subquery_node.this and isinstance(subquery_node.this, exp.Select):
-            select_expr = subquery_node.this
-
-            if has_expressions(select_expr) and select_expr.expressions:
-                literal_count = sum(1 for expr in select_expr.expressions if isinstance(expr, Literal))
-                total_expressions = len(select_expr.expressions)
-
-                if literal_count == total_expressions and total_expressions > MIN_UNION_COUNT_FOR_INJECTION:
-                    issues.append(
-                        SecurityIssue(
-                            issue_type=SecurityIssueType.STRUCTURAL_ATTACK,
-                            risk_level=RiskLevel.MEDIUM,
-                            description=f"Subquery selecting only literals ({literal_count} literals)",
-                            location=subquery_node.sql()[:100],
-                            pattern_matched="literal_only_subquery",
-                            recommendation="Review subqueries that only select literal values",
-                            ast_node_type="Subquery",
-                            confidence=0.7,
-                            metadata={"literal_count": literal_count, "total_expressions": total_expressions},
-                        )
-                    )
-
-        return issues
-
-    def _analyze_or_structure(self, or_node: Or) -> "list[SecurityIssue]":
-        """Analyze OR conditions for tautology patterns."""
-        issues: list[SecurityIssue] = []
-
-        if isinstance(or_node, exp.Binary) and (
-            self._is_always_true_condition(or_node.left) or self._is_always_true_condition(or_node.right)
-        ):
-            issues.append(
-                SecurityIssue(
-                    issue_type=SecurityIssueType.STRUCTURAL_ATTACK,
-                    risk_level=RiskLevel.HIGH,
-                    description="OR condition with always-true clause detected",
-                    location=or_node.sql()[:100],
-                    pattern_matched="or_tautology_ast",
-                    recommendation="Remove always-true conditions from OR clauses",
-                    ast_node_type="Or",
-                    confidence=0.95,
-                    metadata={
-                        "left_always_true": self._is_always_true_condition(or_node.left),
-                        "right_always_true": self._is_always_true_condition(or_node.right),
-                    },
-                )
-            )
-
-        return issues
-
-    def _calculate_binary_depth(self, node: Binary, depth: int = 0) -> int:
-        """Calculate the depth of nested binary operations."""
-        max_depth = depth
-
-        if isinstance(node, exp.Binary) and isinstance(node.left, Binary):
-            max_depth = max(max_depth, self._calculate_binary_depth(node.left, depth + 1))
-
-        if isinstance(node, exp.Binary) and isinstance(node.right, Binary):
-            max_depth = max(max_depth, self._calculate_binary_depth(node.right, depth + 1))
-
-        return max_depth
-
-    @staticmethod
-    def _count_select_columns(node: "exp.Expression") -> int:
-        """Count the number of columns in a SELECT statement."""
-        if isinstance(node, exp.Select) and has_expressions(node):
-            return len(node.expressions) if node.expressions else 0
-        return 0
-
-    @staticmethod
-    def _is_always_true_condition(node: "exp.Expression") -> bool:
-        """Check if a condition is always true using AST analysis."""
-        if isinstance(node, Literal) and str(node.this).upper() in {"TRUE", "1"}:
-            return True
-
-        # Check for 1=1 or similar tautologies
-        return bool(
-            isinstance(node, EQ)
-            and isinstance(node, exp.Binary)
-            and (
-                isinstance(node.left, Literal)
-                and isinstance(node.right, Literal)
-                and str(node.left.this) == str(node.right.this)
-            )
-        )