JS: support mongodb v3 (minimally)

https://github.com/github/codeql-javascript-team/issues/79
This commit is contained in:
Esben Sparre Andreasen
2020-03-04 11:29:57 +01:00
parent be09c17367
commit 21e6e69f22
3 changed files with 47 additions and 2 deletions


@@ -23,7 +23,15 @@ private module MongoDB {
*/
private DataFlow::SourceNode getAMongoClient(DataFlow::TypeTracker t) {
t.start() and
result = mongodb().getAPropertyRead("MongoClient")
(
result = mongodb().getAPropertyRead("MongoClient")
or
exists(DataFlow::ParameterNode p |
p = result and
p = getAMongoDbCallback().getParameter(1) and
not p.getName().toLowerCase() = "db" // mongodb v2 provides a `Db` here
)
)
or
exists(DataFlow::TypeTracker t2 | result = getAMongoClient(t2).track(t2, t))
}
@@ -51,7 +59,15 @@ private module MongoDB {
*/
private DataFlow::SourceNode getAMongoDb(DataFlow::TypeTracker t) {
t.start() and
result = getAMongoDbCallback().getParameter(1)
(
exists(DataFlow::ParameterNode p |
p = result and
p = getAMongoDbCallback().getParameter(1) and
not p.getName().toLowerCase() = "client" // mongodb v3 provides a `Mongoclient` here
)
or
result = getAMongoClient().getAMethodCall("db")
)
or
exists(DataFlow::TypeTracker t2 | result = getAMongoDb(t2).track(t2, t))
}
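Review bot: The comment on the new `not p.getName().toLowerCase() = "client"` line in getAMongoDb spells the type `Mongoclient`; it should be `MongoClient`, matching the `getAPropertyRead("MongoClient")` read in getAMongoClient in the first hunk. More substantively, the v2/v3 split in both predicates rests on the callback parameter's name alone: a v3 callback written as `(err, db)` is dropped from getAMongoClient by the `"db"` exclusion, so a `db.db(...).collection(...)` chain is not tracked as a client, and a v2 callback whose parameter is named `client` is dropped from getAMongoDb the same way; a name that is neither (`c`, `conn`) satisfies both predicates, which is the safe over-approximation for a sink-finding query. The QLDoc of each predicate closes at the `*/` line at the top of its hunk and begins outside it, so that heuristic is not visible here; it should be stated there, e.g. `* The second parameter of a connect callback is treated as a MongoClient unless it is named "db" (mongodb v2 passes a Db there).` for getAMongoClient and the mirror sentence for getAMongoDb.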


@@ -20,6 +20,12 @@ nodes
| mongodb.js:49:19:49:33 | req.query.title |
| mongodb.js:54:16:54:20 | query |
| mongodb.js:54:16:54:20 | query |
| mongodb.js:59:8:59:17 | query |
| mongodb.js:59:16:59:17 | {} |
| mongodb.js:60:16:60:30 | req.query.title |
| mongodb.js:60:16:60:30 | req.query.title |
| mongodb.js:65:12:65:16 | query |
| mongodb.js:65:12:65:16 | query |
| mongodb_bodySafe.js:23:11:23:20 | query |
| mongodb_bodySafe.js:23:19:23:20 | {} |
| mongodb_bodySafe.js:24:19:24:33 | req.query.title |
@@ -129,6 +135,17 @@ edges
| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query |
| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query |
| mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query |
| mongodb.js:59:8:59:17 | query | mongodb.js:65:12:65:16 | query |
| mongodb.js:59:8:59:17 | query | mongodb.js:65:12:65:16 | query |
| mongodb.js:59:16:59:17 | {} | mongodb.js:59:8:59:17 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
| mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query |
@@ -243,6 +260,7 @@ edges
| mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query depends on $@. | mongodb.js:13:19:13:26 | req.body | a user-provided value |
| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query depends on $@. | mongodb.js:26:19:26:26 | req.body | a user-provided value |
| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query depends on $@. | mongodb.js:49:19:49:33 | req.query.title | a user-provided value |
| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query depends on $@. | mongodb.js:60:16:60:30 | req.query.title | a user-provided value |
| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query depends on $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | a user-provided value |
| mongoose.js:27:20:27:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:27:20:27:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:30:25:30:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:30:25:30:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |


@@ -54,3 +54,14 @@ app.post('/documents/find', (req, res) => {
doc.find(query);
});
});
app.post('/documents/find', (req, res) => {
const query = {};
query.title = req.query.title;
MongoClient.connect('mongodb://localhost:27017/test', (err, client) => {
let doc = client.db("MASTER").collection('doc');
// NOT OK: query is tainted by user-provided object value
doc.find(query);
});
});
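Review bot: The new fixture exercises only the callback parameter name the modified predicates accept by default (`client`), so it does not pin the name-based exclusion the QL change introduces: a v3 handler written as `(err, db) => db.db("MASTER").collection('doc').find(query)` would not be recognised, and no route with a `// NOT OK (currently missed: parameter named db)` comment documents that gap in the expected output; whether a promise-returning `connect` is covered cannot be seen from this hunk, since getAMongoDbCallback is defined elsewhere. Adding such a route makes the precision/recall trade-off of the heuristic visible and guards against it being changed unnoticed. Also, the new route registers the same path `/documents/find` as the handler closed by the `});` lines above it; Express only ever dispatches to the first, which is irrelevant to static analysis but reads like a copy-paste slip, so `app.post('/documents/find-v3', (req, res) => {` would be clearer. The handler above the new one starts outside the hunk.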