Merge branch 'master' of git.semmle.com:Semmle/ql into CustomTrack

2026-04-29 18:55:14 +02:00 · 2020-03-14 14:37:52 +01:00
parent 59d2d6d4fd 20cae302fd
commit 4f39c28741
186 changed files with 3391 additions and 2191 deletions
--- a/javascript/ql/test/query-tests/Expressions/RedundantExpression/tst.js
+++ b/javascript/ql/test/query-tests/Expressions/RedundantExpression/tst.js
@@ -6,4 +6,6 @@ x == 23 || x == 23;
 x & x;

 // this may actually be OK, but it's not good style
-pop() && pop();
+pop() && pop();
+
+foo[bar++] && foo[bar++] // OK
--- a/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessCharacterEscape.expected
@@ -1,4 +1,5 @@
 | tst-IncompleteHostnameRegExp.js:42:13:42:65 | '^http[ ... \\/(.+)' | The escape sequence '\\/' is equivalent to just '/'. |
+| tst-SemiAnchoredRegExp.js:72:13:72:40 | '^good\\ ... \\\\.com' | The escape sequence '\\.' is equivalent to just '.'. |
 | tst-SemiAnchoredRegExp.js:109:2:109:45 | /^((\\+\| ... ?\\d\\d)/ | The escape sequence '\\:' is equivalent to just ':'. |
 | tst-escapes.js:19:8:19:11 | "\\ " | The escape sequence '\\ ' is equivalent to just ' '. |
 | tst-escapes.js:20:1:20:54 | /\\a\\b\\c ... x\\y\\z"/ | The escape sequence '\\a' is equivalent to just 'a'. |
@@ -56,3 +57,6 @@
 | tst-escapes.js:42:1:42:4 | "\\." | The escape sequence '\\.' is equivalent to just '.'. |
 | tst-escapes.js:48:8:48:15 | "'\\'\\\\'" | The escape sequence '\\'' is equivalent to just '''. |
 | tst-escapes.js:50:8:50:15 | '"\\"\\\\"' | The escape sequence '\\"' is equivalent to just '"'. |
+| tst-escapes.js:66:8:66:13 | "\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. |
+| tst-escapes.js:67:8:67:14 | "x\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. |
+| tst-escapes.js:71:8:71:17 | "\\\\\\\\\\\\\\]" | The escape sequence '\\]' is equivalent to just ']'. |
--- a/javascript/ql/test/query-tests/Security/CWE-020/UselessRegExpCharacterEscape.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/UselessRegExpCharacterEscape.expected
@@ -1,8 +1,6 @@
 | tst-IncompleteHostnameRegExp.js:55:26:55:27 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-IncompleteHostnameRegExp.js:55:13:55:39 | '^http: ... le.com' | regular expression |
 | tst-SemiAnchoredRegExp.js:70:19:70:20 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-SemiAnchoredRegExp.js:70:13:70:36 | '^good\\ ... r\\.com' | regular expression |
 | tst-SemiAnchoredRegExp.js:70:31:70:32 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-SemiAnchoredRegExp.js:70:13:70:36 | '^good\\ ... r\\.com' | regular expression |
-| tst-SemiAnchoredRegExp.js:72:21:72:22 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-SemiAnchoredRegExp.js:72:13:72:40 | '^good\\ ... \\\\.com' | regular expression |
-| tst-SemiAnchoredRegExp.js:72:35:72:36 | '\\.' is equivalent to just '.', so the sequence may still represent a meta-character | The escape sequence '\\.' is equivalent to just '.', so the sequence may still represent a meta-character when it is used in a $@. | tst-SemiAnchoredRegExp.js:72:13:72:40 | '^good\\ ... \\\\.com' | regular expression |
 | tst-escapes.js:13:11:13:12 | '\\b' is a backspace, and not a word-boundary assertion | The escape sequence '\\b' is a backspace, and not a word-boundary assertion when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression |
 | tst-escapes.js:13:13:13:14 | '\\c' is equivalent to just 'c', so the sequence is not a character class | The escape sequence '\\c' is equivalent to just 'c', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression |
 | tst-escapes.js:13:15:13:16 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:13:8:13:61 | "\\a\\b\\c ... \\x\\y\\z" | regular expression |
@@ -43,3 +41,6 @@
 | tst-escapes.js:60:14:60:15 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:60:8:60:19 | `\\k\\\\k\\d\\\\d` | regular expression |
 | tst-escapes.js:61:9:61:10 | '\\k' is equivalent to just 'k', so the sequence is not a backreference | The escape sequence '\\k' is equivalent to just 'k', so the sequence is not a backreference when it is used in a $@. | tst-escapes.js:61:8:61:25 | `\\k\\\\k${foo}\\d\\\\d` | regular expression |
 | tst-escapes.js:61:20:61:21 | '\\d' is equivalent to just 'd', so the sequence is not a character class | The escape sequence '\\d' is equivalent to just 'd', so the sequence is not a character class when it is used in a $@. | tst-escapes.js:61:8:61:25 | `\\k\\\\k${foo}\\d\\\\d` | regular expression |
+| tst-escapes.js:64:9:64:10 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:64:8:64:11 | "\\]" | regular expression |
+| tst-escapes.js:69:13:69:14 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:69:8:69:15 | "\\\\\\\\\\]" | regular expression |
+| tst-escapes.js:73:17:73:18 | '\\]' is equivalent to just ']', so the sequence may still represent a meta-character | The escape sequence '\\]' is equivalent to just ']', so the sequence may still represent a meta-character when it is used in a $@. | tst-escapes.js:73:8:73:19 | "\\\\\\\\\\\\\\\\\\]" | regular expression |
--- a/javascript/ql/test/query-tests/Security/CWE-020/tst-escapes.js
+++ b/javascript/ql/test/query-tests/Security/CWE-020/tst-escapes.js
@@ -59,3 +59,15 @@ RegExp("\b");
 RegExp(`\b`);
 RegExp(`\k\\k\d\\d`)
 RegExp(`\k\\k${foo}\d\\d`)
+
+// effective escapes
+RegExp("\]")
+RegExp("\\]")
+RegExp("\\\]"); // effectively escaped after all
+RegExp("x\\\]"); // effectively escaped after all
+RegExp("\\\\]")
+RegExp("\\\\\]")
+RegExp("\\\\\\]")
+RegExp("\\\\\\\]") // effectively escaped after all
+RegExp("\\\\\\\\]")
+RegExp("\\\\\\\\\]")
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
@@ -7,6 +7,17 @@ nodes
 | typedClient.ts:14:24:14:32 | { id: v } |
 | typedClient.ts:14:24:14:32 | { id: v } |
 | typedClient.ts:14:30:14:30 | v |
+| typedClient.ts:21:7:21:32 | v |
+| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) |
+| typedClient.ts:21:22:21:29 | req.body |
+| typedClient.ts:21:22:21:29 | req.body |
+| typedClient.ts:21:22:21:31 | req.body.x |
+| typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:22:33:22:33 | v |
+| typedClient.ts:23:27:23:35 | { id: v } |
+| typedClient.ts:23:27:23:35 | { id: v } |
+| typedClient.ts:23:33:23:33 | v |
 edges
 | typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v |
 | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v |
@@ -15,5 +26,17 @@ edges
 | typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) |
 | typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
 | typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
+| typedClient.ts:21:7:21:32 | v | typedClient.ts:22:33:22:33 | v |
+| typedClient.ts:21:7:21:32 | v | typedClient.ts:23:33:23:33 | v |
+| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | typedClient.ts:21:7:21:32 | v |
+| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x |
+| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x |
+| typedClient.ts:21:22:21:31 | req.body.x | typedClient.ts:21:11:21:32 | JSON.pa ... body.x) |
+| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
+| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
 #select
 | typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query depends on $@. | typedClient.ts:13:22:13:29 | req.body | a user-provided value |
+| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query depends on $@. | typedClient.ts:21:22:21:29 | req.body | a user-provided value |
+| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query depends on $@. | typedClient.ts:21:22:21:29 | req.body | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/shim.d.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/shim.d.ts
@@ -3,3 +3,11 @@ declare module "mongodb" {
    find(query: any): any;
  }
 }
+declare module "mongoose" {
+  interface Model {
+    find(query: any): any;
+  }
+  interface Query {
+    find(query: any): any;
+  }
+}
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts
@@ -1,7 +1,7 @@
 import * as mongodb from "mongodb";

-const express = require('express') as any;
-const bodyParser = require('body-parser') as any;
+const express = require("express") as any;
+const bodyParser = require("body-parser") as any;

 declare function getCollection(): mongodb.Collection;

@@ -9,7 +9,16 @@ let app = express();

 app.use(bodyParser.json());

-app.post('/find', (req, res) => {
+app.post("/find", (req, res) => {
  let v = JSON.parse(req.body.x);
  getCollection().find({ id: v }); // NOT OK
 });
+
+import * as mongoose from "mongoose";
+declare function getMongooseModel(): mongoose.Model;
+declare function getMongooseQuery(): mongoose.Query;
+app.post("/find", (req, res) => {
+  let v = JSON.parse(req.body.x);
+  getMongooseModel().find({ id: v }); // NOT OK
+  getMongooseQuery().find({ id: v }); // NOT OK
+});
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -0,0 +1,23 @@
+| mongodb.js:18:7:18:21 | doc.find(query) |
+| mongodb.js:21:7:21:48 | doc.fin ... itle }) |
+| mongodb.js:24:7:24:53 | doc.fin ... r(1) }) |
+| mongodb.js:29:9:29:34 | doc.fin ... itle }) |
+| mongodb.js:32:9:32:46 | doc.fin ... tle) }) |
+| mongodb.js:43:7:43:21 | doc.find(query) |
+| mongodb.js:54:7:54:21 | doc.find(query) |
+| mongodb.js:65:3:65:17 | doc.find(query) |
+| mongodb.js:73:5:77:27 | client\\n ...  tag }) |
+| mongodb.js:81:3:85:25 | importe ...  tag }) |
+| mongodb_bodySafe.js:18:7:18:21 | doc.find(query) |
+| mongodb_bodySafe.js:29:7:29:21 | doc.find(query) |
+| mongoose.js:63:2:63:34 | Documen ... then(X) |
+| mongoose.js:65:2:65:51 | Documen ... on(){}) |
+| mongoose.js:67:2:68:27 | new Mon ... on(){}) |
+| mongoose.js:71:2:77:9 | Documen ... .exec() |
+| socketio.js:11:5:11:54 | db.run( ... ndle}`) |
+| tst2.js:7:3:7:62 | sql.que ... ms.id}` |
+| tst2.js:9:3:9:85 | new sql ...  + "'") |
+| tst3.js:10:3:12:4 | pool.qu ... ts\\n  }) |
+| tst3.js:17:3:19:4 | pool.qu ... ts\\n  }) |
+| tst4.js:8:3:8:67 | db.get( ...  + '"') |
+| tst.js:10:3:10:65 | db.get( ...  + '"') |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.ql
@@ -0,0 +1,3 @@
+import javascript
+
+select any(DatabaseAccess a)
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -20,6 +20,21 @@ nodes
 | mongodb.js:49:19:49:33 | req.query.title |
 | mongodb.js:54:16:54:20 | query |
 | mongodb.js:54:16:54:20 | query |
+| mongodb.js:59:8:59:17 | query |
+| mongodb.js:59:16:59:17 | {} |
+| mongodb.js:60:16:60:30 | req.query.title |
+| mongodb.js:60:16:60:30 | req.query.title |
+| mongodb.js:65:12:65:16 | query |
+| mongodb.js:65:12:65:16 | query |
+| mongodb.js:70:7:70:25 | tag |
+| mongodb.js:70:13:70:25 | req.query.tag |
+| mongodb.js:70:13:70:25 | req.query.tag |
+| mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:77:22:77:24 | tag |
+| mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:85:20:85:22 | tag |
 | mongodb_bodySafe.js:23:11:23:20 | query |
 | mongodb_bodySafe.js:23:19:23:20 | {} |
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title |
@@ -55,8 +70,22 @@ nodes
 | mongoose.js:57:21:57:25 | query |
 | mongoose.js:60:25:60:29 | query |
 | mongoose.js:60:25:60:29 | query |
-| mongoose.js:63:24:63:28 | query |
-| mongoose.js:63:24:63:28 | query |
+| mongoose.js:63:21:63:25 | query |
+| mongoose.js:63:21:63:25 | query |
+| mongoose.js:65:32:65:36 | query |
+| mongoose.js:65:32:65:36 | query |
+| mongoose.js:67:27:67:31 | query |
+| mongoose.js:67:27:67:31 | query |
+| mongoose.js:68:8:68:12 | query |
+| mongoose.js:68:8:68:12 | query |
+| mongoose.js:72:8:72:12 | query |
+| mongoose.js:72:8:72:12 | query |
+| mongoose.js:73:7:73:11 | query |
+| mongoose.js:73:7:73:11 | query |
+| mongoose.js:74:16:74:20 | query |
+| mongoose.js:74:16:74:20 | query |
+| mongoose.js:76:10:76:14 | query |
+| mongoose.js:76:10:76:14 | query |
 | mongooseJsonParse.js:19:11:19:20 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} |
 | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
@@ -129,6 +158,25 @@ edges
 | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query |
 | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query |
 | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query |
+| mongodb.js:59:8:59:17 | query | mongodb.js:65:12:65:16 | query |
+| mongodb.js:59:8:59:17 | query | mongodb.js:65:12:65:16 | query |
+| mongodb.js:59:16:59:17 | {} | mongodb.js:59:8:59:17 | query |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:8:59:17 | query |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:59:16:59:17 | {} |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
+| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
+| mongodb.js:70:7:70:25 | tag | mongodb.js:77:22:77:24 | tag |
+| mongodb.js:70:7:70:25 | tag | mongodb.js:85:20:85:22 | tag |
+| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag |
+| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag |
+| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
 | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query |
@@ -164,8 +212,22 @@ edges
 | mongoose.js:20:11:20:20 | query | mongoose.js:57:21:57:25 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:63:21:63:25 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:63:21:63:25 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
 | mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
@@ -195,8 +257,22 @@ edges
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:57:21:57:25 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:21:63:25 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:21:63:25 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
 | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
 | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query |
@@ -243,6 +319,9 @@ edges
 | mongodb.js:18:16:18:20 | query | mongodb.js:13:19:13:26 | req.body | mongodb.js:18:16:18:20 | query | This query depends on $@. | mongodb.js:13:19:13:26 | req.body | a user-provided value |
 | mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query depends on $@. | mongodb.js:26:19:26:26 | req.body | a user-provided value |
 | mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query depends on $@. | mongodb.js:49:19:49:33 | req.query.title | a user-provided value |
+| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query depends on $@. | mongodb.js:60:16:60:30 | req.query.title | a user-provided value |
+| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
+| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
 | mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query depends on $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | a user-provided value |
 | mongoose.js:27:20:27:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:27:20:27:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:30:25:30:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:30:25:30:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
@@ -256,7 +335,14 @@ edges
 | mongoose.js:54:25:54:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:54:25:54:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:57:21:57:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:57:21:57:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:60:25:60:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:60:25:60:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:63:24:63:28 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:24:63:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:63:21:63:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:21:63:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:65:32:65:36 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:65:32:65:36 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:67:27:67:31 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:67:27:67:31 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:68:8:68:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:68:8:68:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:72:8:72:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:72:8:72:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:73:7:73:11 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:73:7:73:11 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:74:16:74:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:74:16:74:20 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:76:10:76:14 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:76:10:76:14 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
 | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/dbo.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/dbo.js
@@ -0,0 +1,13 @@
+let dbClient = require("mongodb").MongoClient,
+  db = null;
+module.exports = {
+  db: () => {
+    return db;
+  },
+  connect: fn => {
+    dbClient.connect(process.env.DB_URL, {}, (err, client) => {
+      db = client.db(process.env.DB_NAME);
+      return fn(err);
+    });
+  }
+};
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js
@@ -54,3 +54,33 @@ app.post('/documents/find', (req, res) => {
      doc.find(query);
    });
 });
+
+app.post('/documents/find', (req, res) => {
+	const query = {};
+	query.title = req.query.title;
+	MongoClient.connect('mongodb://localhost:27017/test', (err, client) => {
+		let doc = client.db("MASTER").collection('doc');
+
+		// NOT OK: query is tainted by user-provided object value
+		doc.find(query);
+	});
+});
+
+app.post("/logs/count-by-tag", (req, res) => {
+  let tag = req.query.tag;
+
+  MongoClient.connect(process.env.DB_URL, {}, (err, client) => {
+    client
+      .db(process.env.DB_NAME)
+      .collection("logs")
+      // NOT OK: query is tainted by user-provided object value
+      .count({ tags: tag });
+  });
+
+  let importedDbo = require("./dbo.js");
+  importedDbo
+    .db()
+    .collection("logs")
+    // NOT OK: query is tainted by user-provided object value
+    .count({ tags: tag });
+});
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
@@ -60,6 +60,21 @@ app.post('/documents/find', (req, res) => {
    Document.updateMany(query);

    // NOT OK: query is tainted by user-provided object value
-    Document.updateOne(query);
-});
+	Document.updateOne(query).then(X);

+	Document.findByIdAndUpdate(X, query, function(){}); // NOT OK
+
+	new Mongoose.Query(X, Y, query)	// NOT OK
+		.and(query, function(){}) // NOT OK
+	;
+
+	Document.where(query)	// NOT OK
+		.and(query) // NOT OK
+		.or(query) // NOT OK
+		.distinct(X, query) // NOT OK
+		.comment(query) // OK
+		.count(query) // NOT OK
+		.exec()
+	;
+
+});