JS: Add model of pg-promise

2026-05-04 21:25:44 +02:00 · 2021-03-25 16:14:53 +00:00
parent e3ab94fc6b
commit 149af57eac
4 changed files with 329 additions and 10 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -37,6 +37,24 @@
 | mongoose.js:97:2:97:52 | Documen ... query)) |
 | mongoose.js:99:2:99:50 | Documen ... query)) |
 | mongoose.js:113:2:113:53 | Documen ... () { }) |
+| pg-promise.js:9:3:9:15 | db.any(query) |
+| pg-promise.js:10:3:10:16 | db.many(query) |
+| pg-promise.js:11:3:11:22 | db.manyOrNone(query) |
+| pg-promise.js:12:3:12:15 | db.map(query) |
+| pg-promise.js:13:3:13:17 | db.multi(query) |
+| pg-promise.js:14:3:14:23 | db.mult ... (query) |
+| pg-promise.js:15:3:15:16 | db.none(query) |
+| pg-promise.js:16:3:16:15 | db.one(query) |
+| pg-promise.js:17:3:17:21 | db.oneOrNone(query) |
+| pg-promise.js:18:3:18:17 | db.query(query) |
+| pg-promise.js:19:3:19:18 | db.result(query) |
+| pg-promise.js:21:3:23:4 | db.one( ... OK\\n  }) |
+| pg-promise.js:24:3:27:4 | db.one( ... OK\\n  }) |
+| pg-promise.js:28:3:31:4 | db.one( ... er\\n  }) |
+| pg-promise.js:32:3:35:4 | db.one( ... OK\\n  }) |
+| pg-promise.js:36:3:43:4 | db.one( ...  ]\\n  }) |
+| pg-promise.js:44:3:50:4 | db.one( ...  }\\n  }) |
+| pg-promise.js:51:3:58:4 | db.one( ...  }\\n  }) |
 | socketio.js:11:5:11:54 | db.run( ... ndle}`) |
 | tst2.js:7:3:7:62 | sql.que ... ms.id}` |
 | tst2.js:9:3:9:85 | new sql ...  + "'") |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -206,6 +206,59 @@ nodes
 | mongooseModelClient.js:12:22:12:29 | req.body |
 | mongooseModelClient.js:12:22:12:29 | req.body |
 | mongooseModelClient.js:12:22:12:32 | req.body.id |
+| pg-promise.js:6:7:7:55 | query |
+| pg-promise.js:6:15:7:55 | "SELECT ...  PRICE" |
+| pg-promise.js:7:16:7:34 | req.params.category |
+| pg-promise.js:7:16:7:34 | req.params.category |
+| pg-promise.js:9:10:9:14 | query |
+| pg-promise.js:9:10:9:14 | query |
+| pg-promise.js:10:11:10:15 | query |
+| pg-promise.js:10:11:10:15 | query |
+| pg-promise.js:11:17:11:21 | query |
+| pg-promise.js:11:17:11:21 | query |
+| pg-promise.js:12:10:12:14 | query |
+| pg-promise.js:12:10:12:14 | query |
+| pg-promise.js:13:12:13:16 | query |
+| pg-promise.js:13:12:13:16 | query |
+| pg-promise.js:14:18:14:22 | query |
+| pg-promise.js:14:18:14:22 | query |
+| pg-promise.js:15:11:15:15 | query |
+| pg-promise.js:15:11:15:15 | query |
+| pg-promise.js:16:10:16:14 | query |
+| pg-promise.js:16:10:16:14 | query |
+| pg-promise.js:17:16:17:20 | query |
+| pg-promise.js:17:16:17:20 | query |
+| pg-promise.js:18:12:18:16 | query |
+| pg-promise.js:18:12:18:16 | query |
+| pg-promise.js:19:13:19:17 | query |
+| pg-promise.js:19:13:19:17 | query |
+| pg-promise.js:22:11:22:15 | query |
+| pg-promise.js:22:11:22:15 | query |
+| pg-promise.js:30:13:30:25 | req.params.id |
+| pg-promise.js:30:13:30:25 | req.params.id |
+| pg-promise.js:30:13:30:25 | req.params.id |
+| pg-promise.js:34:13:34:25 | req.params.id |
+| pg-promise.js:34:13:34:25 | req.params.id |
+| pg-promise.js:34:13:34:25 | req.params.id |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:39:7:39:19 | req.params.id |
+| pg-promise.js:39:7:39:19 | req.params.id |
+| pg-promise.js:39:7:39:19 | req.params.id |
+| pg-promise.js:40:7:40:21 | req.params.name |
+| pg-promise.js:40:7:40:21 | req.params.name |
+| pg-promise.js:40:7:40:21 | req.params.name |
+| pg-promise.js:41:7:41:20 | req.params.foo |
+| pg-promise.js:41:7:41:20 | req.params.foo |
+| pg-promise.js:47:11:47:23 | req.params.id |
+| pg-promise.js:47:11:47:23 | req.params.id |
+| pg-promise.js:47:11:47:23 | req.params.id |
+| pg-promise.js:54:11:54:23 | req.params.id |
+| pg-promise.js:54:11:54:23 | req.params.id |
+| pg-promise.js:54:11:54:23 | req.params.id |
+| pg-promise.js:56:14:56:29 | req.params.title |
+| pg-promise.js:56:14:56:29 | req.params.title |
+| pg-promise.js:56:14:56:29 | req.params.title |
 | redis.js:10:16:10:23 | req.body |
 | redis.js:10:16:10:23 | req.body |
 | redis.js:10:16:10:27 | req.body.key |
@@ -553,6 +606,52 @@ edges
 | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id |
 | mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
 | mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:9:10:9:14 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:9:10:9:14 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:10:11:10:15 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:10:11:10:15 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:11:17:11:21 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:11:17:11:21 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:12:10:12:14 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:12:10:12:14 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:13:12:13:16 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:13:12:13:16 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:14:18:14:22 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:14:18:14:22 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:15:11:15:15 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:15:11:15:15 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:16:10:16:14 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:16:10:16:14 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:17:16:17:20 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:17:16:17:20 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:18:12:18:16 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:18:12:18:16 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:19:13:19:17 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:19:13:19:17 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:22:11:22:15 | query |
+| pg-promise.js:6:7:7:55 | query | pg-promise.js:22:11:22:15 | query |
+| pg-promise.js:6:15:7:55 | "SELECT ...  PRICE" | pg-promise.js:6:7:7:55 | query |
+| pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:6:15:7:55 | "SELECT ...  PRICE" |
+| pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:6:15:7:55 | "SELECT ...  PRICE" |
+| pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id |
+| pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name |
+| pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] |
+| pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id |
+| pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id |
+| pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title |
 | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key |
 | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key |
 | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key |
@@ -665,6 +764,28 @@ edges
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
 | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
+| pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:11:17:11:21 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:11:17:11:21 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:12:10:12:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:12:10:12:14 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:13:12:13:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:13:12:13:16 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:14:18:14:22 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:14:18:14:22 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:15:11:15:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:15:11:15:15 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:16:10:16:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:16:10:16:14 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:17:16:17:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:17:16:17:20 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:18:12:18:16 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:18:12:18:16 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:19:13:19:17 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:19:13:19:17 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:22:11:22:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:22:11:22:15 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
+| pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | pg-promise.js:30:13:30:25 | req.params.id | This query depends on $@. | pg-promise.js:30:13:30:25 | req.params.id | a user-provided value |
+| pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | pg-promise.js:34:13:34:25 | req.params.id | This query depends on $@. | pg-promise.js:34:13:34:25 | req.params.id | a user-provided value |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query depends on $@. | pg-promise.js:39:7:39:19 | req.params.id | a user-provided value |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query depends on $@. | pg-promise.js:40:7:40:21 | req.params.name | a user-provided value |
+| pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | pg-promise.js:41:7:41:20 | req.params.foo | pg-promise.js:38:13:42:5 | [\\n      ... n\\n    ] | This query depends on $@. | pg-promise.js:41:7:41:20 | req.params.foo | a user-provided value |
+| pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | pg-promise.js:39:7:39:19 | req.params.id | This query depends on $@. | pg-promise.js:39:7:39:19 | req.params.id | a user-provided value |
+| pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | pg-promise.js:40:7:40:21 | req.params.name | This query depends on $@. | pg-promise.js:40:7:40:21 | req.params.name | a user-provided value |
+| pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | pg-promise.js:47:11:47:23 | req.params.id | This query depends on $@. | pg-promise.js:47:11:47:23 | req.params.id | a user-provided value |
+| pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | pg-promise.js:54:11:54:23 | req.params.id | This query depends on $@. | pg-promise.js:54:11:54:23 | req.params.id | a user-provided value |
+| pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | pg-promise.js:56:14:56:29 | req.params.title | This query depends on $@. | pg-promise.js:56:14:56:29 | req.params.title | a user-provided value |
 | redis.js:10:16:10:27 | req.body.key | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | This query depends on $@. | redis.js:10:16:10:23 | req.body | a user-provided value |
 | redis.js:18:16:18:18 | key | redis.js:12:15:12:22 | req.body | redis.js:18:16:18:18 | key | This query depends on $@. | redis.js:12:15:12:22 | req.body | a user-provided value |
 | redis.js:19:43:19:45 | key | redis.js:12:15:12:22 | req.body | redis.js:19:43:19:45 | key | This query depends on $@. | redis.js:12:15:12:22 | req.body | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise.js
@@ -0,0 +1,59 @@
+const pgp = require('pg-promise')();
+
+require('express')().get('/foo', (req, res) => {
+  const db = pgp(process.env['DB_CONNECTION_STRING']);
+
+  var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+             + req.params.category + "' ORDER BY PRICE";
+  
+  db.any(query); // NOT OK
+  db.many(query); // NOT OK
+  db.manyOrNone(query); // NOT OK
+  db.map(query); // NOT OK
+  db.multi(query); // NOT OK
+  db.multiResult(query); // NOT OK
+  db.none(query); // NOT OK
+  db.one(query); // NOT OK
+  db.oneOrNone(query); // NOT OK
+  db.query(query); // NOT OK
+  db.result(query); // NOT OK
+  
+  db.one({
+    text: query // NOT OK
+  });
+  db.one({
+    text: 'SELECT * FROM news where id = $1', // OK
+    values: req.params.id, // OK
+  });
+  db.one({
+    text: 'SELECT * FROM news where id = $1:raw',
+    values: req.params.id, // NOT OK - interpreted as raw parameter
+  });
+  db.one({
+    text: 'SELECT * FROM news where id = $1^',
+    values: req.params.id, // NOT OK
+  });
+  db.one({
+    text: 'SELECT * FROM news where id = $1:raw AND name = $2:raw AND foo = $3',
+    values: [
+      req.params.id, // NOT OK
+      req.params.name, // NOT OK
+      req.params.foo, // OK - not using raw interpolation
+    ]
+  });
+  db.one({
+    text: 'SELECT * FROM news where id = ${id}:raw AND name = ${name}',
+    values: {
+      id: req.params.id, // NOT OK
+      name: req.params.name, // OK - not using raw interpolation
+    }
+  });
+  db.one({
+    text: "SELECT * FROM news where id = ${id}:value AND name LIKE '%${name}:value%' AND title LIKE \"%${title}:value%\"",
+    values: {
+      id: req.params.id, // NOT OK
+      name: req.params.name, // OK - :value cannot break out of single quotes
+      title: req.params.title, // NOT OK - enclosed by wrong type of quote
+    }
+  });
+});