add graphql injection to the sql-injection query

2026-05-01 11:45:14 +02:00 · 2021-06-08 23:27:39 +02:00
parent e7b9603c5b
commit 50d574d20d
7 changed files with 332 additions and 10 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -1,4 +1,49 @@
 nodes
+| graphql.js:8:11:8:28 | id |
+| graphql.js:8:16:8:28 | req.params.id |
+| graphql.js:8:16:8:28 | req.params.id |
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:12:46:12:47 | id |
+| graphql.js:26:11:26:28 | id |
+| graphql.js:26:16:26:28 | req.params.id |
+| graphql.js:26:16:26:28 | req.params.id |
+| graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:27:37:27:38 | id |
+| graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:30:39:30:40 | id |
+| graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:33:25:33:26 | id |
+| graphql.js:39:11:39:28 | id |
+| graphql.js:39:16:39:28 | req.params.id |
+| graphql.js:39:16:39:28 | req.params.id |
+| graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:44:21:44:22 | id |
+| graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:48:51:48:52 | id |
+| graphql.js:55:11:55:28 | id |
+| graphql.js:55:16:55:28 | req.params.id |
+| graphql.js:55:16:55:28 | req.params.id |
+| graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:56:46:56:47 | id |
+| graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:58:73:58:74 | id |
+| graphql.js:74:9:74:25 | id |
+| graphql.js:74:14:74:25 | req.query.id |
+| graphql.js:74:14:74:25 | req.query.id |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:75:56:75:57 | id |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:88:13:88:14 | id |
 | json-schema-validator.js:25:15:25:48 | query |
 | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:25:34:25:47 | req.query.data |
@@ -332,6 +377,46 @@ nodes
 | tst.js:10:46:10:58 | req.params.id |
 | tst.js:10:46:10:58 | req.params.id |
 edges
+| graphql.js:8:11:8:28 | id | graphql.js:12:46:12:47 | id |
+| graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id |
+| graphql.js:8:16:8:28 | req.params.id | graphql.js:8:11:8:28 | id |
+| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:12:46:12:47 | id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` |
+| graphql.js:26:11:26:28 | id | graphql.js:27:37:27:38 | id |
+| graphql.js:26:11:26:28 | id | graphql.js:30:39:30:40 | id |
+| graphql.js:26:11:26:28 | id | graphql.js:33:25:33:26 | id |
+| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id |
+| graphql.js:26:16:26:28 | req.params.id | graphql.js:26:11:26:28 | id |
+| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:27:37:27:38 | id | graphql.js:27:30:27:40 | `foo ${id}` |
+| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:30:39:30:40 | id | graphql.js:30:32:30:42 | `foo ${id}` |
+| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:33:25:33:26 | id | graphql.js:33:18:33:28 | `foo ${id}` |
+| graphql.js:39:11:39:28 | id | graphql.js:44:21:44:22 | id |
+| graphql.js:39:11:39:28 | id | graphql.js:48:51:48:52 | id |
+| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id |
+| graphql.js:39:16:39:28 | req.params.id | graphql.js:39:11:39:28 | id |
+| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:44:21:44:22 | id | graphql.js:44:14:44:24 | `foo ${id}` |
+| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:48:51:48:52 | id | graphql.js:48:44:48:54 | `foo ${id}` |
+| graphql.js:55:11:55:28 | id | graphql.js:56:46:56:47 | id |
+| graphql.js:55:11:55:28 | id | graphql.js:58:73:58:74 | id |
+| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id |
+| graphql.js:55:16:55:28 | req.params.id | graphql.js:55:11:55:28 | id |
+| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:56:46:56:47 | id | graphql.js:56:39:56:49 | `foo ${id}` |
+| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:58:73:58:74 | id | graphql.js:58:66:58:76 | `foo ${id}` |
+| graphql.js:74:9:74:25 | id | graphql.js:75:56:75:57 | id |
+| graphql.js:74:9:74:25 | id | graphql.js:88:13:88:14 | id |
+| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id |
+| graphql.js:74:14:74:25 | req.query.id | graphql.js:74:9:74:25 | id |
+| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" |
+| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n     ...      }` |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query |
@@ -740,6 +825,16 @@ edges
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 | tst.js:10:46:10:58 | req.params.id | tst.js:10:10:10:64 | 'SELECT ... d + '"' |
 #select
+| graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | graphql.js:8:16:8:28 | req.params.id | graphql.js:10:34:20:5 | `\\n      ... }\\n    ` | This query depends on $@. | graphql.js:8:16:8:28 | req.params.id | a user-provided value |
+| graphql.js:27:30:27:40 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:27:30:27:40 | `foo ${id}` | This query depends on $@. | graphql.js:26:16:26:28 | req.params.id | a user-provided value |
+| graphql.js:30:32:30:42 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:30:32:30:42 | `foo ${id}` | This query depends on $@. | graphql.js:26:16:26:28 | req.params.id | a user-provided value |
+| graphql.js:33:18:33:28 | `foo ${id}` | graphql.js:26:16:26:28 | req.params.id | graphql.js:33:18:33:28 | `foo ${id}` | This query depends on $@. | graphql.js:26:16:26:28 | req.params.id | a user-provided value |
+| graphql.js:44:14:44:24 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:44:14:44:24 | `foo ${id}` | This query depends on $@. | graphql.js:39:16:39:28 | req.params.id | a user-provided value |
+| graphql.js:48:44:48:54 | `foo ${id}` | graphql.js:39:16:39:28 | req.params.id | graphql.js:48:44:48:54 | `foo ${id}` | This query depends on $@. | graphql.js:39:16:39:28 | req.params.id | a user-provided value |
+| graphql.js:56:39:56:49 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:56:39:56:49 | `foo ${id}` | This query depends on $@. | graphql.js:55:16:55:28 | req.params.id | a user-provided value |
+| graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query depends on $@. | graphql.js:55:16:55:28 | req.params.id | a user-provided value |
+| graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query depends on $@. | graphql.js:74:14:74:25 | req.query.id | a user-provided value |
+| graphql.js:84:14:90:8 | `{\\n     ...      }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n     ...      }` | This query depends on $@. | graphql.js:74:14:74:25 | req.query.id | a user-provided value |
 | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
@@ -0,0 +1,113 @@
+var express = require('express');
+var app = express();
+
+import { Octokit } from "@octokit/core";
+const kit = new Octokit();
+
+app.get('/post/:id', function(req, res) {
+    const id = req.params.id;
+    // NOT OK
+    const response = kit.graphql(`
+      query {
+        repository(owner: "github", name: "${id}") {
+          object(expression: "master:foo") {
+            ... on Blob {
+              text
+            }
+          }
+        }
+      }
+    `);
+});
+
+import { graphql, withCustomRequest } from "@octokit/graphql";
+
+app.get('/user/:id/', function(req, res) {
+    const id = req.params.id;
+    const response = graphql(`foo ${id}`); // NOT OK
+
+    const myGraphql = withCustomRequest(request);
+    const response = myGraphql(`foo ${id}`); // NOT OK
+
+    const withDefaults = graphql.defaults({});
+    withDefaults(`foo ${id}`); // NOT OK
+});
+
+const { request } = require("@octokit/request");
+
+app.get('/article/:id/', async function(req, res) {
+    const id = req.params.id;
+    const result = await request("POST /graphql", {
+      headers: {
+        authorization: "token 0000000000000000000000000000000000000001",
+      },
+      query: `foo ${id}`, // NOT OK
+    });
+
+    const withDefaults = request.defaults({});
+    withDefaults("POST /graphql", { query: `foo ${id}` }); // NOT OK
+});
+
+import { Octokit as Core } from "@octokit/rest";
+const kit2 = new Core();
+
+app.get('/event/:id/', async function(req, res) {
+    const id = req.params.id;
+    const result = await kit2.graphql(`foo ${id}`); // NOT OK
+
+    const result2 = await kit2.request("POST /graphql", { query: `foo ${id}` }); // NOT OK
+});
+
+import { graphql as nativeGraphql, buildSchema }  from 'graphql';
+var schema = buildSchema(`
+  type Query {
+    hello: String
+  }
+`);
+var root = {
+  hello: () => {
+    return 'Hello world!';
+  },
+};
+
+app.get('/thing/:id', async function(req, res) {
+  const id = req.query.id;
+  const result = await nativeGraphql(schema, "{ foo" + id + " }", root); // NOT OK
+  
+  fetch("https://my-grpahql-server.com/graphql", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      // NOT OK
+      query: `{
+        thing {
+          name
+          url
+          ${id}
+        }
+      }`
+    })
+  })
+
+  fetch("https://my-grpahql-server.com/graphql", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json"
+    },
+    body: JSON.stringify({
+      // OK
+      query: `{
+        thing {
+          name
+          url
+          $id
+        }
+      }`,
+      variables: {
+        id: id
+      }
+    })
+  })
+});