stash

javascript/ql/lib/semmle/javascript/security/dataflow/SqlInjectionQuery.qll

@@ -9,6 +9,7 @@
 
 import javascript
 import SqlInjectionCustomizations::SqlInjection
+import semmle.javascript.frameworks.TypeORM
 
 /**
  * A taint-tracking configuration for reasoning about string based query injection vulnerabilities.
@@ -18,7 +19,7 @@ class Configuration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof Source }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof TypeOrm::QueryString }
 
   override predicate isSanitizer(DataFlow::Node node) {
     super.isSanitizer(node) or

javascript/ql/src/Security/CWE-089/SqlInjection.ql

@@ -22,8 +22,8 @@ from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode
 where
   (
     cfg instanceof SqlInjection::Configuration and type = "string"
-    or
-    cfg instanceof NosqlInjection::Configuration and type = "object"
+    // or
+    // cfg instanceof NosqlInjection::Configuration and type = "object"
   ) and
   cfg.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),