JS: Improve sequelize model

This commit is contained in:
Asger Feldthaus
2021-03-30 10:38:13 +01:00
parent 93500bd95a
commit 35f294f096
4 changed files with 37 additions and 6 deletions


@@ -463,22 +463,34 @@ private module MsSql {
* Provides classes modelling the `sequelize` package.
*/
private module Sequelize {
/** Gets an import of the `sequelize` module. */
API::Node sequelize() { result = API::moduleImport("sequelize") }
/** Gets an import of the `sequelize` module or one that re-exports it. */
API::Node sequelize() { result = API::moduleImport(["sequelize", "sequelize-typescript"]) }
/** Gets an expression that creates an instance of the `Sequelize` class. */
API::Node newSequelize() { result = sequelize().getInstance() }
API::Node instance() {
result = [sequelize(), sequelize().getMember("Sequelize")].getInstance()
or
result = API::Node::ofType(["sequelize", "sequelize-typescript"], ["Sequelize", "default"])
}
/** A call to `Sequelize.query`. */
private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
QueryCall() { this = newSequelize().getMember("query").getACall() }
QueryCall() { this = instance().getMember("query").getACall() }
override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
override DataFlow::Node getAQueryArgument() {
result = getArgument(0)
or
result = getOptionArgument(0, "query")
}
}
/** An expression that is passed to `Sequelize.query` method and hence interpreted as SQL. */
class QueryString extends SQL::SqlString {
QueryString() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
QueryString() {
this = any(QueryCall qc).getAQueryArgument().asExpr()
or
this = sequelize().getMember(["literal", "asIs"]).getParameter(0).getARhs().asExpr()
}
}
/**
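Review bot: The new `QueryString` branch resolves `literal`/`asIs` only through `sequelize()`, so the same call reached via the module's `Sequelize` member (`const { Sequelize } = require('sequelize'); Sequelize.literal(...)`) is not treated as SQL, even though `instance()` in the same hunk deliberately handles the `getMember("Sequelize")` form for constructors. Keeping the two consistent would mean `this = [sequelize(), sequelize().getMember("Sequelize")].getMember(["literal", "asIs"]).getParameter(0).getARhs().asExpr()`. If `literal` is also exposed on `Sequelize` instances, which I believe is the case in recent versions but have not confirmed here, `instance()` belongs in that list as well. The `Sequelize` module continues past the end of the hunk.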


@@ -33,6 +33,10 @@
| postgres-types.ts:4:18:4:29 | 'SELECT 123' |
| postgresImport.js:4:18:4:43 | 'SELECT ... number' |
| sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
| sequelize2.js:12:17:15:1 | {\\n que ... [123]\\n} |
| sequelize2.js:13:10:13:20 | 'SELECT $1' |
| sequelize2.js:17:31:17:41 | '123 + 345' |
| sequelize-types.ts:7:24:7:35 | 'SELECT 123' |
| sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
| sequelizeImport.js:3:17:3:118 | 'SELECT ... Y name' |
| spanner2.js:5:26:5:35 | "SQL code" |


@@ -0,0 +1,9 @@
import Sequelize from 'sequelize';
export class Foo {
constructor(private seq: Sequelize) {}
method() {
this.seq.query('SELECT 123');
}
}
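Review bot: This fixture exercises only the `default` import from `sequelize` used as a parameter-property type, while the model it tests also claims the `Sequelize` named type and both names from `sequelize-typescript`. Adding a second class with `import { Sequelize } from 'sequelize-typescript'` and a `constructor(private seq: Sequelize) {}` would keep those branches from regressing silently. If the test harness intentionally covers one variant per file, a one-line comment saying so, `// covers the default-import form of the Sequelize type`, would make that clear.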


@@ -9,3 +9,9 @@ const sequelize = new Sequelize('database', {
});
sequelize.query('SELECT * FROM Products WHERE (name LIKE \'%' + criteria + '%\') AND deletedAt IS NULL) ORDER BY name');
sequelize.query({
query: 'SELECT $1',
values: [123]
});
let value = Sequelize.literal('123 + 345');