const sql = new RegExp('w*((%27)|(\'))((%6F)|o|(%4F))((%72)|r|(%52))', 'i')
const sqlMeta = new RegExp('(%27)|(\')|(--)|(%23)|(#)', 'i')
const sqlMetaVersion2 = new RegExp('((%3D)|(=))[^\n]*((%27)|(\')|(--)|(%3B)|(;))', 'i')
const sqlUnion = new RegExp('((%27)|(\'))union', 'i')
The "sql" regex is looking for the literal char "w" zero or more times at the beginning. I assume that was intended to be \w?
The "sql" regex is basically looking for 'or trying to match the typical 1'or'1'='1 but this can be bypassed with a simple space between the 1 and the quote: 1' or'1'='1.
The same bypass is possible with 'union simply by adding a space ' union.
The "sqlMeta" blocks anything with a single quote (along with -- and #). This does not seem acceptable to me. You can't use contractions like "can't", names like o'malley, or any app that has anything to do with code.
The sqlMeta actually makes all the other regexes (and therefore bypasses) irrelevant because all of them expect a single quote. (If a single quote is enough to block, checking for 'or and 'union is now redundant.)
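The observations above can be checked by running the four patterns over the strings quoted in the post. This is an added example, not part of the original post or the project's code; `sqlWithWordClass`, `samples` and the helper function names are hypothetical, and the `\w*` variant is only the post's guess at what was intended.

```javascript
// Patterns copied verbatim from the snippet under discussion.
const sql = new RegExp('w*((%27)|(\'))((%6F)|o|(%4F))((%72)|r|(%52))', 'i')
const sqlMeta = new RegExp('(%27)|(\')|(--)|(%23)|(#)', 'i')
const sqlMetaVersion2 = new RegExp('((%3D)|(=))[^\n]*((%27)|(\')|(--)|(%3B)|(;))', 'i')
const sqlUnion = new RegExp('((%27)|(\'))union', 'i')
const patterns = { sql, sqlMeta, sqlMetaVersion2, sqlUnion }

// Assumption: the variant the post guesses was intended, with \w instead of w.
const sqlWithWordClass = new RegExp('\\w*((%27)|(\'))((%6F)|o|(%4F))((%72)|r|(%52))', 'i')

// Constructed sample set: only strings quoted in the post above.
const samples = [
  "1'or'1'='1",   // the input the "sql" pattern targets
  "1' or'1'='1",  // same input with the added space
  "'union",
  "' union",
  "can't",        // ordinary contraction
  "o'malley",     // ordinary surname
]

// Names of every pattern that flags the input.
function matchedBy(input) {
  return Object.keys(patterns).filter((name) => patterns[name].test(input))
}

// Inputs flagged by "sql" or "sqlUnion" but not by "sqlMeta".
// An empty result means those two patterns add nothing on this sample set.
function caughtOnlyByNarrowPatterns(inputs) {
  return inputs.filter((s) => (sql.test(s) || sqlUnion.test(s)) && !sqlMeta.test(s))
}

// Inputs where the leading w* and \w* give different verdicts.
// Both prefixes can match the empty string in an unanchored search,
// so neither changes whether the pattern matches.
function prefixChangesVerdict(inputs) {
  return inputs.filter((s) => sql.test(s) !== sqlWithWordClass.test(s))
}

for (const s of samples) {
  console.log(JSON.stringify(s), '->', matchedBy(s).join(', ') || '(none)')
}
console.log('narrow-only:', caughtOnlyByNarrowPatterns(samples))
console.log('prefix matters for:', prefixChangesVerdict(samples))
```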