eslint-plugin-sql-template v3.0.0
eslint-plugin-sql-template
ESLint plugin with rules for using the sql
template tag from a library such as sql-tag on raw SQL queries.
That library escapes data provided to an SQL query statement via interpolation. This prevents, for instance, potential SQL injection attacks.
This ESLint plugin helps teams enforce the usage of that tag, to avoid overlooked vulnerabilities from creeping into their codebases.
Status
Installation
npm install eslint eslint-plugin-sql-template --save-dev
Usage
Add sql-template
to both the plugins
and rules
sections of your ESLint
configuration file. Example:
// eslint.config.js
import sqlTemplate from 'eslint-plugin-sql-template';
module.exports = [
{
plugins: {
'sql-template': sqlTemplate
},
rules: {
'sql-template/no-unsafe-query': 'error'
}
}
];
Rules
This plugin includes the following list of rules.
no-unsafe-query
Disallows the usage of raw SQL templates with interpolation when not protected with the sql
tag. Use this rule when you want to enforce protection against SQL injection attacks on all queries.
Example
Examples of incorrect code for this rule:
/*eslint sql-template/no-unsafe-query: "error"*/
const value = 42;
const query = `SELECT * FROM users WHERE id = ${value}`;
db.query(query);
const columns = 'id, name';
Users.query(`SELECT ${columns} FROM users`);
Examples of correct code for this rule:
/*eslint sql-template/no-unsafe-query: "error"*/
const value = 42;
const query = sql`SELECT * FROM users WHERE id = ${value}`;
db.query(query);
Users.query(`SELECT id, name FROM users`);
const punctuation = '!';
foo.bar(`Not SQL${punctuation}`);
License
Contributing
Development
Install dependencies:
npm i
Run tests:
npm run test
Cutting a release
The release process is automated via the release GitHub workflow. Run it by clicking the "Run workflow" button.