Python: prepare to promote NoSqlInjection

Mostly move files, preserving authourship. This will not compile.
2026-04-28 10:15:14 +02:00 · 2023-08-15 10:01:20 +02:00
parent 334502a3de
commit 60dc1afbc0
17 changed files with 1 additions and 1 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.expected
@@ -1,168 +0,0 @@
-edges
-| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_mongoengine_bad.py:1:26:1:32 | GSSA Variable request |
-| flask_mongoengine_bad.py:1:26:1:32 | GSSA Variable request | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request |
-| flask_mongoengine_bad.py:1:26:1:32 | GSSA Variable request | flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request |
-| flask_mongoengine_bad.py:19:5:19:17 | SSA variable unsafe_search | flask_mongoengine_bad.py:20:30:20:42 | ControlFlowNode for unsafe_search |
-| flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | flask_mongoengine_bad.py:19:5:19:17 | SSA variable unsafe_search |
-| flask_mongoengine_bad.py:20:5:20:15 | SSA variable json_search | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search |
-| flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | flask_mongoengine_bad.py:20:5:20:15 | SSA variable json_search |
-| flask_mongoengine_bad.py:20:30:20:42 | ControlFlowNode for unsafe_search | flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() |
-| flask_mongoengine_bad.py:26:5:26:17 | SSA variable unsafe_search | flask_mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search |
-| flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | flask_mongoengine_bad.py:26:5:26:17 | SSA variable unsafe_search |
-| flask_mongoengine_bad.py:27:5:27:15 | SSA variable json_search | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict |
-| flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | flask_mongoengine_bad.py:27:5:27:15 | SSA variable json_search |
-| flask_mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() |
-| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_pymongo_bad.py:1:26:1:32 | GSSA Variable request |
-| flask_pymongo_bad.py:1:26:1:32 | GSSA Variable request | flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request |
-| flask_pymongo_bad.py:11:5:11:17 | SSA variable unsafe_search | flask_pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search |
-| flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | flask_pymongo_bad.py:11:5:11:17 | SSA variable unsafe_search |
-| flask_pymongo_bad.py:12:5:12:15 | SSA variable json_search | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict |
-| flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | flask_pymongo_bad.py:12:5:12:15 | SSA variable json_search |
-| flask_pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:1:26:1:32 | GSSA Variable request |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request |
-| mongoengine_bad.py:18:5:18:17 | SSA variable unsafe_search | mongoengine_bad.py:19:30:19:42 | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | mongoengine_bad.py:18:5:18:17 | SSA variable unsafe_search |
-| mongoengine_bad.py:19:5:19:15 | SSA variable json_search | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict |
-| mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:19:5:19:15 | SSA variable json_search |
-| mongoengine_bad.py:19:30:19:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:26:5:26:17 | SSA variable unsafe_search | mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | mongoengine_bad.py:26:5:26:17 | SSA variable unsafe_search |
-| mongoengine_bad.py:27:5:27:15 | SSA variable json_search | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict |
-| mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:27:5:27:15 | SSA variable json_search |
-| mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:34:5:34:17 | SSA variable unsafe_search | mongoengine_bad.py:35:30:35:42 | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | mongoengine_bad.py:34:5:34:17 | SSA variable unsafe_search |
-| mongoengine_bad.py:35:5:35:15 | SSA variable json_search | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict |
-| mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:35:5:35:15 | SSA variable json_search |
-| mongoengine_bad.py:35:30:35:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:42:5:42:17 | SSA variable unsafe_search | mongoengine_bad.py:43:30:43:42 | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | mongoengine_bad.py:42:5:42:17 | SSA variable unsafe_search |
-| mongoengine_bad.py:43:5:43:15 | SSA variable json_search | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict |
-| mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:43:5:43:15 | SSA variable json_search |
-| mongoengine_bad.py:43:30:43:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:50:5:50:17 | SSA variable unsafe_search | mongoengine_bad.py:51:30:51:42 | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | mongoengine_bad.py:50:5:50:17 | SSA variable unsafe_search |
-| mongoengine_bad.py:51:5:51:15 | SSA variable json_search | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search |
-| mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:51:5:51:15 | SSA variable json_search |
-| mongoengine_bad.py:51:30:51:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:57:5:57:17 | SSA variable unsafe_search | mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | mongoengine_bad.py:57:5:57:17 | SSA variable unsafe_search |
-| mongoengine_bad.py:58:5:58:15 | SSA variable json_search | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict |
-| mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:58:5:58:15 | SSA variable json_search |
-| mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() |
-| pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:1:26:1:32 | GSSA Variable request |
-| pymongo_test.py:1:26:1:32 | GSSA Variable request | pymongo_test.py:12:21:12:27 | ControlFlowNode for request |
-| pymongo_test.py:1:26:1:32 | GSSA Variable request | pymongo_test.py:29:27:29:33 | ControlFlowNode for request |
-| pymongo_test.py:1:26:1:32 | GSSA Variable request | pymongo_test.py:39:27:39:33 | ControlFlowNode for request |
-| pymongo_test.py:12:5:12:17 | SSA variable unsafe_search | pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search |
-| pymongo_test.py:12:21:12:27 | ControlFlowNode for request | pymongo_test.py:12:5:12:17 | SSA variable unsafe_search |
-| pymongo_test.py:13:5:13:15 | SSA variable json_search | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict |
-| pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | pymongo_test.py:13:5:13:15 | SSA variable json_search |
-| pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() |
-| pymongo_test.py:29:5:29:12 | SSA variable event_id | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict |
-| pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | pymongo_test.py:29:5:29:12 | SSA variable event_id |
-| pymongo_test.py:29:27:29:33 | ControlFlowNode for request | pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript |
-| pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() |
-| pymongo_test.py:39:5:39:12 | SSA variable event_id | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict |
-| pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() | pymongo_test.py:39:5:39:12 | SSA variable event_id |
-| pymongo_test.py:39:27:39:33 | ControlFlowNode for request | pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript |
-| pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() |
-nodes
-| flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| flask_mongoengine_bad.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
-| flask_mongoengine_bad.py:19:5:19:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_mongoengine_bad.py:20:5:20:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| flask_mongoengine_bad.py:20:19:20:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| flask_mongoengine_bad.py:20:30:20:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search |
-| flask_mongoengine_bad.py:26:5:26:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| flask_mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_mongoengine_bad.py:27:5:27:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| flask_mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| flask_mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| flask_pymongo_bad.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
-| flask_pymongo_bad.py:11:5:11:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| flask_pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| flask_pymongo_bad.py:12:5:12:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| flask_pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| flask_pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| mongoengine_bad.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
-| mongoengine_bad.py:18:5:18:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| mongoengine_bad.py:18:21:18:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| mongoengine_bad.py:19:5:19:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| mongoengine_bad.py:19:19:19:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:19:30:19:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| mongoengine_bad.py:26:5:26:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| mongoengine_bad.py:26:21:26:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| mongoengine_bad.py:27:5:27:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| mongoengine_bad.py:27:19:27:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:27:30:27:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| mongoengine_bad.py:34:5:34:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| mongoengine_bad.py:34:21:34:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| mongoengine_bad.py:35:5:35:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| mongoengine_bad.py:35:19:35:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:35:30:35:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| mongoengine_bad.py:42:5:42:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| mongoengine_bad.py:43:5:43:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| mongoengine_bad.py:43:19:43:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:43:30:43:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| mongoengine_bad.py:50:5:50:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| mongoengine_bad.py:51:5:51:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| mongoengine_bad.py:51:19:51:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:51:30:51:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | semmle.label | ControlFlowNode for json_search |
-| mongoengine_bad.py:57:5:57:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| mongoengine_bad.py:58:5:58:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | semmle.label | ControlFlowNode for ImportMember |
-| pymongo_test.py:1:26:1:32 | GSSA Variable request | semmle.label | GSSA Variable request |
-| pymongo_test.py:12:5:12:17 | SSA variable unsafe_search | semmle.label | SSA variable unsafe_search |
-| pymongo_test.py:12:21:12:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| pymongo_test.py:13:5:13:15 | SSA variable json_search | semmle.label | SSA variable json_search |
-| pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| pymongo_test.py:29:5:29:12 | SSA variable event_id | semmle.label | SSA variable event_id |
-| pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| pymongo_test.py:29:27:29:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| pymongo_test.py:39:5:39:12 | SSA variable event_id | semmle.label | SSA variable event_id |
-| pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| pymongo_test.py:39:27:39:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-subpaths
-#select
-| flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | This NoSQL query contains an unsanitized $@. | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_mongoengine_bad.py:30:39:30:59 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | flask_mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | flask_pymongo_bad.py:14:31:14:51 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | flask_pymongo_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:22:26:22:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:30:26:30:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:38:26:38:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | mongoengine_bad.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
-| pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | This NoSQL query contains an unsanitized $@. | pymongo_test.py:1:26:1:32 | ControlFlowNode for ImportMember | user-provided value |
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE-943/NoSQLInjection.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_bad.py
@@ -1,33 +0,0 @@
-from flask import Flask, request
-from flask_mongoengine import MongoEngine
-import json
-
-app = Flask(__name__)
-app.config.from_pyfile('the-config.cfg')
-db = MongoEngine(app)
-
-
-class Movie(db.Document):
-    title = db.StringField(required=True)
-
-
-Movie(title='test').save()
-
-
-@app.route("/subclass_objects")
-def subclass_objects():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    return Movie.objects(__raw__=json_search)
-
-@app.route("/get_db_find")
-def get_db_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    retrieved_db = db.get_db()
-    return retrieved_db["Movie"].find({'name': json_search})
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_good.py
@@ -1,27 +0,0 @@
-from flask import Flask, request
-from flask_mongoengine import MongoEngine
-from mongosanitizer.sanitizer import sanitize
-import json
-
-app = Flask(__name__)
-app.config.from_pyfile('the-config.cfg')
-db = MongoEngine(app)
-
-
-class Movie(db.Document):
-    title = db.StringField(required=True)
-
-
-Movie(title='test').save()
-
-
-@app.route("/subclass_objects")
-def subclass_objects():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-    safe_search = sanitize(json_search)
-
-    return Movie.objects(__raw__=safe_search)
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_bad.py
@@ -1,17 +0,0 @@
-from flask import Flask, request
-from flask_pymongo import PyMongo
-import json
-
-app = Flask(__name__)
-mongo = PyMongo(app)
-
-
-@app.route("/")
-def home_page():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    return mongo.db.user.find({'name': json_search})
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/flask_pymongo_good.py
@@ -1,19 +0,0 @@
-from flask import Flask, request
-from flask_pymongo import PyMongo
-from mongosanitizer.sanitizer import sanitize
-import json
-
-app = Flask(__name__)
-mongo = PyMongo(app)
-
-
-@app.route("/")
-def home_page():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-    safe_search = sanitize(json_search)
-
-    return mongo.db.user.find({'name': safe_search})
-
-# if __name__ == "__main__":
-#    app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_bad.py
@@ -1,64 +0,0 @@
-from flask import Flask, request
-import mongoengine as me
-from mongoengine.connection import get_db, connect
-import json
-
-app = Flask(__name__)
-
-
-class Movie(me.Document):
-    title = me.StringField(required=True)
-
-
-Movie(title='test').save()
-
-
-@app.route("/connect_find")
-def connect_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    db = me.connect('mydb')  
-    return db.movie.find({'name': json_search})
-
-@app.route("/connection_connect_find")
-def connection_connect_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    db = connect('mydb')
-    return db.movie.find({'name': json_search})
-
-@app.route("/get_db_find")
-def get_db_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    db = me.get_db()
-    return db.movie.find({'name': json_search})
-
-@app.route("/connection_get_db_find")
-def connection_get_db_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    db = get_db()
-    return db.movie.find({'name': json_search})
-
-@app.route("/subclass_objects")
-def subclass_objects():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    return Movie.objects(__raw__=json_search)
-
-@app.route("/subscript_find")
-def subscript_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    db = me.connect('mydb')  
-    return db['movie'].find({'name': json_search})
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_good.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_good.py
@@ -1,27 +0,0 @@
-from flask import Flask, request
-import mongoengine as me
-from mongoengine.connection import get_db, connect
-from mongosanitizer.sanitizer import sanitize
-import json
-
-app = Flask(__name__)
-
-
-class Movie(me.Document):
-    title = me.StringField(required=True)
-
-
-Movie(title='test').save()
-
-
-@app.route("/connect_find")
-def connect_find():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-    safe_search = sanitize(json_search)
-
-    db = me.connect('mydb')  
-    return db.movie.find({'name': safe_search})
-
-# if __name__ == "__main__":
-#     app.run(debug=True)
--- a/python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_test.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_test.py
@@ -1,47 +0,0 @@
-from flask import Flask, request
-from pymongo import MongoClient
-from mongosanitizer.sanitizer import sanitize
-import json
-
-app = Flask(__name__)
-client = MongoClient()
-
-
-@app.route("/bad")
-def bad():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    return client.db.collection.find_one({'data': json_search})
-
-
-@app.route("/good")
-def good():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-    safe_search = sanitize(json_search)
-
-    return client.db.collection.find_one({'data': safe_search})
-
-
-@app.route("/bad2")
-def bad2():
-    event_id = json.loads(request.args['event_id'])
-    client = MongoClient("localhost", 27017, maxPoolSize=50)
-    db = client.localhost
-    collection = db['collection']
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
-
-
-@app.route("/bad3")
-def bad3():
-    # using `get_` methods instead of subscript/attribute lookups
-    event_id = json.loads(request.args['event_id'])
-    client = MongoClient("localhost", 27017, maxPoolSize=50)
-    db = client.get_database(name="localhost")
-    collection = db.get_collection("collection")
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
-
-
-if __name__ == "__main__":
-    app.run(debug=True)
				`@@ -1 +0,0 @@`
				`experimental/Security/CWE-943/NoSQLInjection.ql`