add consistency-checking for CWE-089

2026-04-30 11:15:13 +02:00 · 2020-07-06 14:53:47 +02:00
parent 2a8b37e004
commit 442ee8d1cc
8 changed files with 132 additions and 113 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-079/Consistency.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-079/Consistency.ql
@@ -1,6 +1,5 @@
 import javascript
 import testUtilities.ConsistencyChecking
-
 import semmle.javascript.security.dataflow.DomBasedXss as DomXss
 import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
 import semmle.javascript.security.dataflow.StoredXss as StoredXss
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql
@@ -0,0 +1,4 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.SqlInjection
+import semmle.javascript.security.dataflow.NosqlInjection
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -16,24 +16,24 @@
 | mongoose.js:63:2:63:34 | Documen ... then(X) |
 | mongoose.js:65:2:65:51 | Documen ... on(){}) |
 | mongoose.js:67:2:68:27 | new Mon ... on(){}) |
-| mongoose.js:71:2:77:9 | Documen ... .exec() |
-| mongoose.js:84:2:84:52 | Documen ... query)) |
+| mongoose.js:71:5:78:9 | Documen ... .exec() |
 | mongoose.js:85:2:85:52 | Documen ... query)) |
-| mongoose.js:86:2:86:57 | Documen ... query)) |
+| mongoose.js:86:2:86:52 | Documen ... query)) |
 | mongoose.js:87:2:87:57 | Documen ... query)) |
-| mongoose.js:88:2:88:52 | Documen ... query)) |
-| mongoose.js:89:2:89:55 | Documen ... query)) |
-| mongoose.js:91:2:91:52 | Documen ... query)) |
-| mongoose.js:92:2:92:49 | Documen ... query)) |
-| mongoose.js:93:2:93:57 | Documen ... query)) |
-| mongoose.js:94:2:94:54 | Documen ... query)) |
-| mongoose.js:95:2:95:52 | Documen ... query)) |
+| mongoose.js:88:2:88:57 | Documen ... query)) |
+| mongoose.js:89:2:89:52 | Documen ... query)) |
+| mongoose.js:90:2:90:55 | Documen ... query)) |
+| mongoose.js:92:2:92:52 | Documen ... query)) |
+| mongoose.js:93:2:93:49 | Documen ... query)) |
+| mongoose.js:94:2:94:57 | Documen ... query)) |
+| mongoose.js:95:2:95:54 | Documen ... query)) |
 | mongoose.js:96:2:96:52 | Documen ... query)) |
-| mongoose.js:98:2:98:50 | Documen ... query)) |
+| mongoose.js:97:2:97:52 | Documen ... query)) |
+| mongoose.js:99:2:99:50 | Documen ... query)) |
 | socketio.js:11:5:11:54 | db.run( ... ndle}`) |
 | tst2.js:7:3:7:62 | sql.que ... ms.id}` |
 | tst2.js:9:3:9:85 | new sql ...  + "'") |
-| tst3.js:10:3:12:4 | pool.qu ... ts\\n  }) |
-| tst3.js:17:3:19:4 | pool.qu ... ts\\n  }) |
+| tst3.js:9:3:11:4 | pool.qu ... ts\\n  }) |
+| tst3.js:16:3:18:4 | pool.qu ... ts\\n  }) |
 | tst4.js:8:3:8:67 | db.get( ...  + '"') |
 | tst.js:10:3:10:65 | db.get( ...  + '"') |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -102,30 +102,34 @@ nodes
 | mongoose.js:67:27:67:31 | query |
 | mongoose.js:68:8:68:12 | query |
 | mongoose.js:68:8:68:12 | query |
-| mongoose.js:72:8:72:12 | query |
-| mongoose.js:72:8:72:12 | query |
-| mongoose.js:73:7:73:11 | query |
-| mongoose.js:73:7:73:11 | query |
-| mongoose.js:74:16:74:20 | query |
-| mongoose.js:74:16:74:20 | query |
-| mongoose.js:76:10:76:14 | query |
-| mongoose.js:76:10:76:14 | query |
-| mongoose.js:81:46:81:50 | query |
-| mongoose.js:81:46:81:50 | query |
-| mongoose.js:82:47:82:51 | query |
-| mongoose.js:82:47:82:51 | query |
-| mongoose.js:84:46:84:50 | query |
-| mongoose.js:84:46:84:50 | query |
-| mongoose.js:86:51:86:55 | query |
-| mongoose.js:86:51:86:55 | query |
-| mongoose.js:88:46:88:50 | query |
-| mongoose.js:88:46:88:50 | query |
-| mongoose.js:91:46:91:50 | query |
-| mongoose.js:91:46:91:50 | query |
-| mongoose.js:93:51:93:55 | query |
-| mongoose.js:93:51:93:55 | query |
-| mongoose.js:95:46:95:50 | query |
-| mongoose.js:95:46:95:50 | query |
+| mongoose.js:71:20:71:24 | query |
+| mongoose.js:71:20:71:24 | query |
+| mongoose.js:72:16:72:20 | query |
+| mongoose.js:72:16:72:20 | query |
+| mongoose.js:73:8:73:12 | query |
+| mongoose.js:73:8:73:12 | query |
+| mongoose.js:74:7:74:11 | query |
+| mongoose.js:74:7:74:11 | query |
+| mongoose.js:75:16:75:20 | query |
+| mongoose.js:75:16:75:20 | query |
+| mongoose.js:77:10:77:14 | query |
+| mongoose.js:77:10:77:14 | query |
+| mongoose.js:82:46:82:50 | query |
+| mongoose.js:82:46:82:50 | query |
+| mongoose.js:83:47:83:51 | query |
+| mongoose.js:83:47:83:51 | query |
+| mongoose.js:85:46:85:50 | query |
+| mongoose.js:85:46:85:50 | query |
+| mongoose.js:87:51:87:55 | query |
+| mongoose.js:87:51:87:55 | query |
+| mongoose.js:89:46:89:50 | query |
+| mongoose.js:89:46:89:50 | query |
+| mongoose.js:92:46:92:50 | query |
+| mongoose.js:92:46:92:50 | query |
+| mongoose.js:94:51:94:55 | query |
+| mongoose.js:94:51:94:55 | query |
+| mongoose.js:96:46:96:50 | query |
+| mongoose.js:96:46:96:50 | query |
 | mongooseJsonParse.js:19:11:19:20 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} |
 | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
@@ -156,12 +160,12 @@ nodes
 | tst2.js:9:27:9:84 | "select ... d + "'" |
 | tst2.js:9:66:9:78 | req.params.id |
 | tst2.js:9:66:9:78 | req.params.id |
-| tst3.js:8:7:9:55 | query1 |
-| tst3.js:8:16:9:55 | "SELECT ...  PRICE" |
-| tst3.js:9:16:9:34 | req.params.category |
-| tst3.js:9:16:9:34 | req.params.category |
-| tst3.js:10:14:10:19 | query1 |
-| tst3.js:10:14:10:19 | query1 |
+| tst3.js:7:7:8:55 | query1 |
+| tst3.js:7:16:8:55 | "SELECT ...  PRICE" |
+| tst3.js:8:16:8:34 | req.params.category |
+| tst3.js:8:16:8:34 | req.params.category |
+| tst3.js:9:14:9:19 | query1 |
+| tst3.js:9:14:9:19 | query1 |
 | tst4.js:8:10:8:66 | 'SELECT ... d + '"' |
 | tst4.js:8:10:8:66 | 'SELECT ... d + '"' |
 | tst4.js:8:46:8:60 | $routeParams.id |
@@ -288,30 +292,34 @@ edges
 | mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:81:46:81:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:81:46:81:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:82:47:82:51 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:82:47:82:51 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:84:46:84:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:84:46:84:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:86:51:86:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:86:51:86:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:88:46:88:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:88:46:88:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:91:46:91:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:91:46:91:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:93:51:93:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:93:51:93:55 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:95:46:95:50 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:95:46:95:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:71:20:71:24 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:71:20:71:24 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:72:16:72:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:72:16:72:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:73:8:73:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:73:8:73:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:74:7:74:11 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:74:7:74:11 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:75:16:75:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:75:16:75:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:77:10:77:14 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:77:10:77:14 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:82:46:82:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:82:46:82:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:83:47:83:51 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:83:47:83:51 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:85:46:85:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:85:46:85:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:87:51:87:55 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:87:51:87:55 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:89:46:89:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:89:46:89:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:92:46:92:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:92:46:92:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:94:51:94:55 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:94:51:94:55 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:96:46:96:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:96:46:96:50 | query |
 | mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
@@ -350,30 +358,34 @@ edges
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:81:46:81:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:81:46:81:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:82:47:82:51 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:82:47:82:51 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:84:46:84:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:84:46:84:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:86:51:86:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:86:51:86:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:88:46:88:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:88:46:88:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:91:46:91:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:91:46:91:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:93:51:93:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:93:51:93:55 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:95:46:95:50 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:95:46:95:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:71:20:71:24 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:71:20:71:24 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:16:72:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:16:72:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:8:73:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:8:73:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:7:74:11 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:7:74:11 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:75:16:75:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:75:16:75:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:77:10:77:14 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:77:10:77:14 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:82:46:82:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:82:46:82:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:83:47:83:51 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:83:47:83:51 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:85:46:85:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:85:46:85:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:87:51:87:55 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:87:51:87:55 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:89:46:89:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:89:46:89:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:92:46:92:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:92:46:92:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:94:51:94:55 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:94:51:94:55 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:96:46:96:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:96:46:96:50 | query |
 | mongoose.js:24:25:24:29 | query | mongoose.js:24:24:24:30 | [query] |
 | mongoose.js:24:25:24:29 | query | mongoose.js:24:24:24:30 | [query] |
 | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
@@ -405,11 +417,11 @@ edges
 | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" |
 | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" |
 | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" |
-| tst3.js:8:7:9:55 | query1 | tst3.js:10:14:10:19 | query1 |
-| tst3.js:8:7:9:55 | query1 | tst3.js:10:14:10:19 | query1 |
-| tst3.js:8:16:9:55 | "SELECT ...  PRICE" | tst3.js:8:7:9:55 | query1 |
-| tst3.js:9:16:9:34 | req.params.category | tst3.js:8:16:9:55 | "SELECT ...  PRICE" |
-| tst3.js:9:16:9:34 | req.params.category | tst3.js:8:16:9:55 | "SELECT ...  PRICE" |
+| tst3.js:7:7:8:55 | query1 | tst3.js:9:14:9:19 | query1 |
+| tst3.js:7:7:8:55 | query1 | tst3.js:9:14:9:19 | query1 |
+| tst3.js:7:16:8:55 | "SELECT ...  PRICE" | tst3.js:7:7:8:55 | query1 |
+| tst3.js:8:16:8:34 | req.params.category | tst3.js:7:16:8:55 | "SELECT ...  PRICE" |
+| tst3.js:8:16:8:34 | req.params.category | tst3.js:7:16:8:55 | "SELECT ...  PRICE" |
 | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' |
 | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' |
 | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' |
@@ -446,23 +458,25 @@ edges
 | mongoose.js:65:32:65:36 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:65:32:65:36 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:67:27:67:31 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:67:27:67:31 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:68:8:68:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:68:8:68:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:72:8:72:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:72:8:72:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:73:7:73:11 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:73:7:73:11 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:74:16:74:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:74:16:74:20 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:76:10:76:14 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:76:10:76:14 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:81:46:81:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:81:46:81:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:82:47:82:51 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:82:47:82:51 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:84:46:84:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:84:46:84:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:86:51:86:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:86:51:86:55 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:88:46:88:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:88:46:88:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:91:46:91:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:91:46:91:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:93:51:93:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:93:51:93:55 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:95:46:95:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:95:46:95:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:71:20:71:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:71:20:71:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:72:16:72:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:72:16:72:20 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:73:8:73:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:73:8:73:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:74:7:74:11 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:74:7:74:11 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:75:16:75:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:75:16:75:20 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:77:10:77:14 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:77:10:77:14 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:82:46:82:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:82:46:82:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:83:47:83:51 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:83:47:83:51 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:85:46:85:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:85:46:85:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:87:51:87:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:87:51:87:55 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:89:46:89:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:89:46:89:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:92:46:92:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:92:46:92:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:94:51:94:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:94:51:94:55 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:96:46:96:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:96:46:96:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
 | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
 | socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query depends on $@. | socketio.js:10:25:10:30 | handle | a user-provided value |
 | tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query depends on $@. | tst2.js:9:66:9:78 | req.params.id | a user-provided value |
-| tst3.js:10:14:10:19 | query1 | tst3.js:9:16:9:34 | req.params.category | tst3.js:10:14:10:19 | query1 | This query depends on $@. | tst3.js:9:16:9:34 | req.params.category | a user-provided value |
+| tst3.js:9:14:9:19 | query1 | tst3.js:8:16:8:34 | req.params.category | tst3.js:9:14:9:19 | query1 | This query depends on $@. | tst3.js:8:16:8:34 | req.params.category | a user-provided value |
 | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | tst4.js:8:46:8:60 | $routeParams.id | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query depends on $@. | tst4.js:8:46:8:60 | $routeParams.id | a user-provided value |
 | tst.js:10:10:10:64 | 'SELECT ... d + '"' | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' | This query depends on $@. | tst.js:10:46:10:58 | req.params.id | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
@@ -68,7 +68,8 @@ app.post('/documents/find', (req, res) => {
 		.and(query, function(){}) // NOT OK
 	;

-	Document.where(query)	// NOT OK
+    Document.where(query)	// NOT OK - `.where()` on a Model. 
+        .where(query)	// NOT OK - `.where()` on a Query. 
 		.and(query) // NOT OK
 		.or(query) // NOT OK
 		.distinct(X, query) // NOT OK
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
@@ -4,10 +4,9 @@ const pg = require('pg');
 const pool = new pg.Pool(config);

 function handler(req, res) {
-  // BAD: the category might have SQL special characters in it
  var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
             + req.params.category + "' ORDER BY PRICE";
-  pool.query(query1, [], function(err, results) {
+  pool.query(query1, [], function(err, results) { // BAD: the category might have SQL special characters in it
    // process results
  });