hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add check for mongoengine raw queries

Browse Source 
After initial research on our end, we believe that the only vulnerability within the objects() method is passing a query into the __raw__ keyword argument. More info can be found below:

http://docs.mongoengine.org/guide/querying.html?highlight=inc__#raw-queries
This commit is contained in:
thank_you
2021-04-05 20:44:16 -04:00
parent 759fa2cd01
commit 6ade120983
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
View File

@@ -63,7 +63,7 @@ private module NoSQL {
.getACall()
}
override DataFlow::Node getQueryNode() { result = this.getArg(0) }
override DataFlow::Node getQueryNode() { result = this.getArgByName("__raw__") }
}
private class MongoSanitizerCall extends DataFlow::CallCfgNode, NoSQLSanitizer::Range {