Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
sql-parser-cst
Advanced tools
SQL Parser which produces a Concrete Syntax Tree (CST).
Unlike a more usual parser which produces an Abstract Syntax Tree (AST), this parser preserves all the syntax elements present in the parsed source code, with the goal of being able to re-create the exact original source code.
Note: This is pre-alpha quality software in early development stages.
import { parse, show, sqlite } from "sql-parser-cst";
const cst = parse("SELECT * FROM my_table", {
dialect: sqlite,
// These are optional:
preserveSpaces: true, // Adds spaces/tabs
preserveNewlines: true, // Adds newlines
preserveComments: true, // Adds comments
includeRange: true, // Adds source code location data
});
// Change table name
cst.statements[0].clauses[1].tables[0].table.text = "your_table";
// Serialize back to SQL
show(cst); // --> SELECT * FROM your_table
For example, given the following SQL:
/* My query */
SELECT ("first_name" || ' jr.') as fname
-- use important table
FROM persons
An AST-parser might parse this to the following abstract syntax tree:
{
"type": "select_statement",
"columns": [
{
"type": "alias",
"expr": {
"type": "binary_expr",
"left": { "type": "column_ref", "column": "first_name" },
"operator": "||",
"right": { "type": "string", "value": " jr." }
},
"alias": "fname"
}
],
"from": [{ "type": "table_ref", "table": "persons" }]
}
Note that the above AST is missing the following information:
AS
or as
was written)In contrast, this CST parser produces the following concrete syntax tree, which preserves all of this information:
{
"type": "select_statement",
"clauses": [
{
"type": "select_clause",
"selectKw": { "type": "keyword", "text": "SELECT" },
"columns": [
{
"type": "alias",
"expr": {
"type": "paren_expr",
"expr": {
"type": "binary_expr",
"left": {
"type": "column_ref",
"column": { "type": "identifier", "text": "\"first_name\"" }
},
"operator": "||",
"right": { "type": "string", "text": "' jr.'" }
}
},
"asKw": { "type": "keyword", "text": "as" },
"alias": { "type": "identifier", "text": "fname" }
}
]
},
{
"type": "from_clause",
"fromKw": { "type": "keyword", "text": "FROM" },
"tables": [
{
"type": "table_ref",
"table": { "type": "keyword", "text": "persons" }
}
],
"leading": [
{ "type": "newline", "text": "\n" },
{ "type": "line_comment", "text": "-- use important table" },
{ "type": "newline", "text": "\n" }
]
}
],
"leading": [
{ "type": "block_comment", "text": "/* My query */" },
{ "type": "newline", "text": "\n" }
]
}
Note the following conventions:
type: keyword
nodes, which are usually
stored in fields named like someNameKw
.type: paren_expr
node.text
fields.leading
and trailing
fields,
which store comments and newlines immediately before or after that node.
These fields will also contain information about regular spaces/tabs
(e.g. {"type": "space", "text": " \t"}
). This has been left out from this
example for the sake of simplicity.This started as a fork of node-sql-parser, which is based on @flora/sql-parser, which in turn was extracted from Alibaba's nquery module.
There's very little left of the original code though.
FAQs
Parses SQL into Concrete Syntax Tree (CST)
We found that sql-parser-cst demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.