eslint-plugin-sql-template

ESLint plugin with rules for using the sql template tag from a library such as sql-tag on raw SQL queries.

That library escapes data provided to an SQL query statement via interpolation. This prevents, for instance, potential SQL injection attacks.

This ESLint plugin helps teams enforce the usage of that tag, to avoid overlooked vulnerabilities from creeping into their codebases.

npm install eslint eslint-plugin-sql-template --save-dev

Add sql-template to both the plugins and rules sections of your ESLint configuration file. Example:

// eslint.config.js
import sqlTemplate from 'eslint-plugin-sql-template';

module.exports = [
  {
    plugins: {
      'sql-template': sqlTemplate
    },
    rules: {
      'sql-template/no-unsafe-query': 'error'
    }
  }
];

This plugin includes the following list of rules.

Disallows the usage of raw SQL templates with interpolation when not protected with the sql tag. Use this rule when you want to enforce protection against SQL injection attacks on all queries.

Examples of incorrect code for this rule:

/*eslint sql-template/no-unsafe-query: "error"*/

const value = 42;
const query = `SELECT * FROM users WHERE id = ${value}`;
db.query(query);

const columns = 'id, name';
Users.query(`SELECT ${columns} FROM users`);

Examples of correct code for this rule:

/*eslint sql-template/no-unsafe-query: "error"*/

const value = 42;
const query = sql`SELECT * FROM users WHERE id = ${value}`;
db.query(query);

Users.query(`SELECT id, name FROM users`);

const punctuation = '!';
foo.bar(`Not SQL${punctuation}`);

MIT

Install dependencies:

npm i

Run tests:

npm run test

The release process is automated via the release GitHub workflow. Run it by clicking the "Run workflow" button.