hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 05:05:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Recognize "sql" option as a query string

Browse Source
This commit is contained in:
Asger Feldthaus
2022-01-13 13:03:41 +01:00
parent 69973dadb3
commit 708408a458
4 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
View File

@@ -41,6 +41,9 @@
| mongoose.js:97:2:97:52 | Documen ... query)) |
| mongoose.js:99:2:99:50 | Documen ... query)) |
| mongoose.js:113:2:113:53 | Documen ... () { }) |
| mysql.js:8:9:11:47 | connect ... ds) {}) |
| mysql.js:14:9:16:47 | connect ... ds) {}) |
| mysql.js:19:9:20:48 | connect ... ds) {}) |
| pg-promise-types.ts:8:5:8:22 | this.db.one(taint) |
| pg-promise.js:9:3:9:15 | db.any(query) |
| pg-promise.js:10:3:10:16 | db.many(query) |

19
javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
View File

@@ -296,6 +296,15 @@ nodes
| mongooseModelClient.js:12:22:12:29 | req.body |
| mongooseModelClient.js:12:22:12:29 | req.body |
| mongooseModelClient.js:12:22:12:32 | req.body.id |
| mysql.js:6:9:6:31 | temp |
| mysql.js:6:16:6:31 | req.params.value |
| mysql.js:6:16:6:31 | req.params.value |
| mysql.js:15:18:15:65 | 'SELECT ... + temp |
| mysql.js:15:18:15:65 | 'SELECT ... + temp |
| mysql.js:15:62:15:65 | temp |
| mysql.js:19:26:19:73 | 'SELECT ... + temp |
| mysql.js:19:26:19:73 | 'SELECT ... + temp |
| mysql.js:19:70:19:73 | temp |
| pg-promise-types.ts:7:9:7:28 | taint |
| pg-promise-types.ts:7:17:7:28 | req.params.x |
| pg-promise-types.ts:7:17:7:28 | req.params.x |
@@ -792,6 +801,14 @@ edges
| mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id |
| mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
| mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
| mysql.js:6:9:6:31 | temp | mysql.js:15:62:15:65 | temp |
| mysql.js:6:9:6:31 | temp | mysql.js:19:70:19:73 | temp |
| mysql.js:6:16:6:31 | req.params.value | mysql.js:6:9:6:31 | temp |
| mysql.js:6:16:6:31 | req.params.value | mysql.js:6:9:6:31 | temp |
| mysql.js:15:62:15:65 | temp | mysql.js:15:18:15:65 | 'SELECT ... + temp |
| mysql.js:15:62:15:65 | temp | mysql.js:15:18:15:65 | 'SELECT ... + temp |
| mysql.js:19:70:19:73 | temp | mysql.js:19:26:19:73 | 'SELECT ... + temp |
| mysql.js:19:70:19:73 | temp | mysql.js:19:26:19:73 | 'SELECT ... + temp |
| pg-promise-types.ts:7:9:7:28 | taint | pg-promise-types.ts:8:17:8:21 | taint |
| pg-promise-types.ts:7:9:7:28 | taint | pg-promise-types.ts:8:17:8:21 | taint |
| pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:7:9:7:28 | taint |
@@ -978,6 +995,8 @@ edges
| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
| mysql.js:15:18:15:65 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:15:18:15:65 | 'SELECT ... + temp | This query depends on $@. | mysql.js:6:16:6:31 | req.params.value | a user-provided value |
| mysql.js:19:26:19:73 | 'SELECT ... + temp | mysql.js:6:16:6:31 | req.params.value | mysql.js:19:26:19:73 | 'SELECT ... + temp | This query depends on $@. | mysql.js:6:16:6:31 | req.params.value | a user-provided value |
| pg-promise-types.ts:8:17:8:21 | taint | pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:8:17:8:21 | taint | This query depends on $@. | pg-promise-types.ts:7:17:7:28 | req.params.x | a user-provided value |
| pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
| pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |

22
javascript/ql/test/query-tests/Security/CWE-089/untyped/mysql.js Normal file
View File

@@ -0,0 +1,22 @@
const app = require("express")();
const mysql = require('mysql');
const pool = mysql.createPool(getConfig());
app.get("search", function handler(req, res) {
let temp = req.params.value;
pool.getConnection(function(err, connection) {
connection.query({
sql: 'SELECT * FROM `books` WHERE `author` = ?', // OK
values: [temp]
}, function(error, results, fields) {});
});
pool.getConnection(function(err, connection) {
connection.query({
sql: 'SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK
}, function(error, results, fields) {});
});
pool.getConnection(function(err, connection) {
connection.query('SELECT * FROM `books` WHERE `author` = ' + temp, // NOT OK
function(error, results, fields) {});
});
});