PR init

python/ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp

@@ -0,0 +1,17 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+</overview>
+
+<recommendation>
+<recommendation>
+
+<example>
+<example>
+
+<references>
+</references>
+</qhelp>

python/ql/src/experimental/Security/CWE-943/NoSQLInjection.ql

@@ -0,0 +1,20 @@
+/**
+ * @name NoSQL Injection
+ * @description Building a NoSQL query from user-controlled sources is vulnerable to insertion of
+ *              malicious NoSQL code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @id python/nosql-injection
+ * @tags experimental
+ *       security
+ *       external/cwe/cwe-943
+ */
+
+import python
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+// https://ghsecuritylab.slack.com/archives/CQJU6RN49/p1617022135088100
+import semmle.python.dataflow.new.TaintTracking2
+import DataFlow::PathGraph
+// from, where, select statements

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -13,3 +13,13 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+
+/**
+ * To-Do:
+ *
+ * NoSQLExecution: Collects functions that execute nosql queries
+ *  getNoSQLNode - get (Sink) argument holding the query
+ * NoSQLEscape: Collects functions that escape nosql queries
+ *  getNoSQLEscapeNode - get argument holding the query to-sanitize
+ */
+module NoSQLExecution { }

python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll

@@ -9,3 +9,11 @@ private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
+
+/**
+ * PyMongoQuery
+ * MongoEngineQuery
+ * Custom escapes
+ */
+private module NoSQL { }
+// introduce more json libs like python\ql\src\semmle\python\frameworks\Stdlib.qll:941

python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll

@@ -0,0 +1,13 @@
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Create custom sink to cast in main query
+ * This file will hold all configs
+ */
+class Foo extends DataFlow::Node {
+  Foo() { none() }
+}

python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjectio.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-943/RegexInjection.ql

python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_bad.py

@@ -0,0 +1,30 @@
+from flask import Flask, request
+from flask_mongoengine import MongoEngine
+import mongoengine as me
+import json
+
+app = Flask(__name__)
+db = MongoEngine(app)
+
+
+class Movie(me.Document):
+    title = me.StringField(required=True)
+    year = me.IntField()
+    rated = me.StringField()
+    director = me.StringField()
+    actors = me.ListField()
+
+
+Movie(title='aa').save()
+Movie(title='bb').save()
+
+
+@app.route("/")
+def home_page():
+    unsanitized_search = json.loads(request.args['search'])
+
+    data = Movie.objects(title=unsanitized_search)
+    return data.to_json()
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_good.py

@@ -0,0 +1,32 @@
+from flask import Flask, request
+from flask_mongoengine import MongoEngine
+import mongoengine as me
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+db = MongoEngine(app)
+
+
+class Movie(me.Document):
+    title = me.StringField(required=True)
+    year = me.IntField()
+    rated = me.StringField()
+    director = me.StringField()
+    actors = me.ListField()
+
+
+Movie(title='aa').save()
+Movie(title='bb').save()
+
+
+@app.route("/")
+def home_page():
+    unsanitized_search = json.loads(request.args['search'])
+    sanitize(unsanitized_search)
+
+    data = Movie.objects(title=unsanitized_search)
+    return data.to_json()
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_bad.py

@@ -0,0 +1,18 @@
+from flask import Flask, request
+from flask_pymongo import PyMongo
+import json
+
+app = Flask(__name__)
+app.config["MONGO_URI"] = "mongodb://localhost:27017/testdb"
+mongo = PyMongo(app)
+
+
+@app.route("/")
+def home_page():
+    unsanitized_search = json.loads(request.args['search'])
+
+    db_results = mongo.db.user.find({'name': unsanitized_search})
+    return db_results[0].keys()
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_good.py

@@ -0,0 +1,20 @@
+from flask import Flask, request
+from flask_pymongo import PyMongo
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+app.config["MONGO_URI"] = "mongodb://localhost:27017/testdb"
+mongo = PyMongo(app)
+
+
+@app.route("/")
+def home_page():
+    unsanitized_search = json.loads(request.args['search'])
+    sanitize(unsanitized_search)
+
+    db_results = mongo.db.user.find({'name': unsanitized_search})
+    return db_results[0].keys()
+
+# if __name__ == "__main__":
+#    app.run(debug=True)