JS: add additional mongoose and mongodb js/nosql-injection sinks

Esben Sparre Andreasen
2020-03-05 11:33:26 +01:00
parent b6c616efd3
commit 7a2faa0b6b
3 changed files with 375 additions and 33 deletions


@@ -120,43 +120,71 @@ private module MongoDB {
QueryCall() {
exists(string m | this = getACollection().getAMethodCall(m) |
m = "aggregate" and queryArgIdx = 0
or
m = "count" and queryArgIdx = 0
or
m = "deleteMany" and queryArgIdx = 0
or
m = "deleteOne" and queryArgIdx = 0
or
m = "distinct" and queryArgIdx = 1
or
m = "find" and queryArgIdx = 0
or
m = "findOne" and queryArgIdx = 0
or
m = "findOneAndDelete" and queryArgIdx = 0
or
m = "findOneAndRemove" and queryArgIdx = 0
or
m = "findOneAndDelete" and queryArgIdx = 0
or
m = "findOneAndUpdate" and queryArgIdx = 0
or
m = "remove" and queryArgIdx = 0
or
m = "replaceOne" and queryArgIdx = 0
or
m = "update" and queryArgIdx = 0
or
m = "updateMany" and queryArgIdx = 0
or
m = "updateOne" and queryArgIdx = 0
CollectionMethodSignatures::interpretsArgumentAsQuery(m, queryArgIdx)
)
}
override DataFlow::Node getAQueryArgument() { result = getArgument(queryArgIdx) }
}
/**
* Provides signatures for the Collection methods.
*/
module CollectionMethodSignatures {
/**
* Holds if Collection method `name` interprets parameter `n` as a query.
*/
predicate interpretsArgumentAsQuery(string name, int n) {
// FilterQuery
(
name = "aggregate" and n = 0
or
name = "count" and n = 0
or
name = "countDocuments" and n = 0
or
name = "deleteMany" and n = 0
or
name = "deleteOne" and n = 0
or
name = "distinct" and n = 1
or
name = "find" and n = 0
or
name = "findOne" and n = 0
or
name = "findOneAndDelete" and n = 0
or
name = "findOneAndRemove" and n = 0
or
name = "findOneAndReplace" and n = 0
or
name = "findOneAndUpdate" and n = 0
or
name = "remove" and n = 0
or
name = "replaceOne" and n = 0
or
name = "update" and n = 0
or
name = "updateMany" and n = 0
or
name = "updateOne" and n = 0
)
or
// UpdateQuery
(
name = "findOneAndUpdate" and n = 1
or
name = "update" and n = 1
or
name = "updateMany" and n = 1
or
name = "updateOne" and n = 1
)
}
}
/**
* An expression that is interpreted as a MongoDB query.
*/
@@ -184,8 +212,221 @@ private module Mongoose {
/**
* A Mongoose collection object.
*/
class Model extends MongoDB::Collection {
class Model extends DataFlow::SourceNode {
Model() { this = getAMongooseInstance().getAMemberCall("model") }
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
result = this and
t.start()
or
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
}
DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
}
/**
* Provides signatures for the Model methods.
*/
module ModelMethodSignatures {
/**
* Holds if Model method `name` interprets parameter `n` as a query.
*/
predicate interpretsArgumentAsQuery(string name, int n) {
// implement lots of the MongoDB collection interface
MongoDB::CollectionMethodSignatures::interpretsArgumentAsQuery(name, n)
or
name = "findByIdAndUpdate" and n = 1
}
/**
* Holds if Model method `name` returns a Query.
*/
predicate returnsQuery(string name) {
name = "$where" or
name = "count" or
name = "countDocuments" or
name = "deleteMany" or
name = "deleteOne" or
name = "find" or
name = "findById" or
name = "findByIdAndDelete" or
name = "findByIdAndRemove" or
name = "findByIdAndUpdate" or
name = "findOne" or
name = "findOneAndDelete" or
name = "findOneAndRemove" or
name = "findOneAndReplace" or
name = "findOneAndUpdate" or
name = "geosearch" or
name = "replaceOne" or
name = "update" or
name = "updateMany" or
name = "updateOne" or
name = "where"
}
}
/**
* Provides signatures for the Query methods.
*/
module QueryMethodSignatures {
/**
* Holds if Query method `name` interprets parameter `n` as a query.
*/
predicate interpretsArgumentAsQuery(string name, int n) {
n = 0 and
(
name = "and" or
name = "count" or
name = "countDocuments" or
name = "deleteMany" or
name = "deleteOne" or
name = "elemMatch" or
name = "find" or
name = "findOne" or
name = "findOneAndDelete" or
name = "findOneAndRemove" or
name = "findOneAndReplace" or
name = "findOneAndUpdate" or
name = "merge" or
name = "nor" or
name = "or" or
name = "remove" or
name = "replaceOne" or
name = "setQuery" or
name = "setUpdate" or
name = "update" or
name = "updateMany" or
name = "updateOne" or
name = "where"
)
or
n = 1 and
(
name = "distinct" or
name = "findOneAndUpdate" or
name = "update" or
name = "updateMany" or
name = "updateOne"
)
}
/**
* Holds if Query method `name` returns a Query.
*/
predicate returnsQuery(string name) {
name = "$where" or
name = "J" or
name = "all" or
name = "and" or
name = "batchsize" or
name = "box" or
name = "center" or
name = "centerSphere" or
name = "circle" or
name = "collation" or
name = "comment" or
name = "count" or
name = "countDocuments" or
name = "distinct" or
name = "elemMatch" or
name = "equals" or
name = "error" or
name = "estimatedDocumentCount" or
name = "exists" or
name = "explain" or
name = "find" or
name = "findById" or
name = "findOne" or
name = "findOneAndRemove" or
name = "findOneAndUpdate" or
name = "geometry" or
name = "get" or
name = "gt" or
name = "gte" or
name = "hint" or
name = "in" or
name = "intersects" or
name = "lean" or
name = "limit" or
name = "lt" or
name = "lte" or
name = "map" or
name = "map" or
name = "maxDistance" or
name = "maxTimeMS" or
name = "maxscan" or
name = "mod" or
name = "ne" or
name = "near" or
name = "nearSphere" or
name = "nin" or
name = "or" or
name = "orFail" or
name = "polygon" or
name = "populate" or
name = "read" or
name = "readConcern" or
name = "regexp" or
name = "remove" or
name = "select" or
name = "session" or
name = "set" or
name = "setOptions" or
name = "setQuery" or
name = "setUpdate" or
name = "size" or
name = "skip" or
name = "slaveOk" or
name = "slice" or
name = "snapshot" or
name = "sort" or
name = "update" or
name = "w" or
name = "where" or
name = "within" or
name = "wtimeout"
}
}
/**
* A Mongoose query object as a result of a Model method call.
*/
private class QueryFromModel extends DataFlow::MethodCallNode {
QueryFromModel() {
exists(string name, Model m |
ModelMethodSignatures::returnsQuery(name) and
m.ref().getAMethodCall(name) = this
)
}
}
/**
* A Mongoose query object as a result of a Query constructor invocation.
*/
private class QueryFromConstructor extends DataFlow::NewNode {
QueryFromConstructor() {
this = getAMongooseInstance().getAPropertyRead("Query").getAnInstantiation()
}
}
/**
* Gets a data flow node referring to a Mongoose query object.
*/
private DataFlow::SourceNode getAQuery(DataFlow::TypeTracker t) {
(
result instanceof QueryFromConstructor or
result instanceof QueryFromModel
) and
t.start()
or
exists(DataFlow::TypeTracker t2, DataFlow::SourceNode succ | succ = getAQuery(t2) |
result = succ.track(t2, t)
or
result = succ.getAMethodCall(any(string name | QueryMethodSignatures::returnsQuery(name))) and
t = t2
)
}
/**
@@ -204,4 +445,24 @@ private module Mongoose {
override string getCredentialsKind() { result = kind }
}
/**
* An expression that is interpreted as a (part of a) MongoDB query.
*/
class MongoDBQueryPart extends NoSQL::Query {
MongoDBQueryPart() {
exists(Model m, DataFlow::MethodCallNode mcn, string method, int n |
ModelMethodSignatures::interpretsArgumentAsQuery(method, n) and
mcn = m.ref().getAMethodCall(method) and
this = mcn.getArgument(n).asExpr()
)
or
this = any(QueryFromConstructor c).getArgument(2).asExpr()
or
exists(string method, int n | QueryMethodSignatures::interpretsArgumentAsQuery(method, n) |
this =
getAQuery(DataFlow::TypeTracker::end()).getAMethodCall(method).getArgument(n).asExpr()
)
}
}
}
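Review bot: `this = any(QueryFromConstructor c).getArgument(2).asExpr()` in `MongoDBQueryPart` treats only the third constructor argument as the conditions object, which follows the parameter order in Mongoose's JSDoc (`options, model, conditions, collection`) but, if I remember lib/query.js correctly, not the implementation, which is declared `function Query(conditions, options, model, collection)` and calls `this.find(conditions)` on the first argument. If that holds for the supported versions, `new Mongoose.Query(req.body)` is a silent false negative; `exists(int i | i = 0 or i = 2 | this = any(QueryFromConstructor c).getArgument(i).asExpr())` plus a comment recording the doc/implementation discrepancy would cover both readings until it is verified. `$where` appears in both `returnsQuery` predicates but in neither `interpretsArgumentAsQuery`, so a tainted string reaching `Model.$where(js)` or `query.$where(js)` — server-side JavaScript evaluated by MongoDB — is not flagged by this model; if that is intentionally left to a code-injection query, a comment next to the entry saying so would stop the next reader from treating it as an oversight. `QueryMethodSignatures::returnsQuery` lists `name = "map"` twice. The `QueryCall` class in the first hunk and the credentials class in the third both start above their hunks, so their full bodies are not visible here.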


@@ -26,6 +26,15 @@ nodes
| mongodb.js:60:16:60:30 | req.query.title |
| mongodb.js:65:12:65:16 | query |
| mongodb.js:65:12:65:16 | query |
| mongodb.js:70:7:70:25 | tag |
| mongodb.js:70:13:70:25 | req.query.tag |
| mongodb.js:70:13:70:25 | req.query.tag |
| mongodb.js:77:14:77:26 | { tags: tag } |
| mongodb.js:77:14:77:26 | { tags: tag } |
| mongodb.js:77:22:77:24 | tag |
| mongodb.js:85:12:85:24 | { tags: tag } |
| mongodb.js:85:12:85:24 | { tags: tag } |
| mongodb.js:85:20:85:22 | tag |
| mongodb_bodySafe.js:23:11:23:20 | query |
| mongodb_bodySafe.js:23:19:23:20 | {} |
| mongodb_bodySafe.js:24:19:24:33 | req.query.title |
@@ -63,6 +72,20 @@ nodes
| mongoose.js:60:25:60:29 | query |
| mongoose.js:63:24:63:28 | query |
| mongoose.js:63:24:63:28 | query |
| mongoose.js:65:32:65:36 | query |
| mongoose.js:65:32:65:36 | query |
| mongoose.js:67:27:67:31 | query |
| mongoose.js:67:27:67:31 | query |
| mongoose.js:68:8:68:12 | query |
| mongoose.js:68:8:68:12 | query |
| mongoose.js:72:8:72:12 | query |
| mongoose.js:72:8:72:12 | query |
| mongoose.js:73:7:73:11 | query |
| mongoose.js:73:7:73:11 | query |
| mongoose.js:74:16:74:20 | query |
| mongoose.js:74:16:74:20 | query |
| mongoose.js:76:10:76:14 | query |
| mongoose.js:76:10:76:14 | query |
| mongooseJsonParse.js:19:11:19:20 | query |
| mongooseJsonParse.js:19:19:19:20 | {} |
| mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
@@ -146,6 +169,14 @@ edges
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
| mongodb.js:70:7:70:25 | tag | mongodb.js:77:22:77:24 | tag |
| mongodb.js:70:7:70:25 | tag | mongodb.js:85:20:85:22 | tag |
| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag |
| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag |
| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
| mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
| mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query |
@@ -183,6 +214,20 @@ edges
| mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
| mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query |
| mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
| mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
@@ -214,6 +259,20 @@ edges
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
| mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
| mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query |
@@ -261,6 +320,8 @@ edges
| mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query depends on $@. | mongodb.js:26:19:26:26 | req.body | a user-provided value |
| mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query depends on $@. | mongodb.js:49:19:49:33 | req.query.title | a user-provided value |
| mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query depends on $@. | mongodb.js:60:16:60:30 | req.query.title | a user-provided value |
| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
| mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query depends on $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | a user-provided value |
| mongoose.js:27:20:27:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:27:20:27:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:30:25:30:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:30:25:30:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
@@ -275,6 +336,13 @@ edges
| mongoose.js:57:21:57:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:57:21:57:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:60:25:60:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:60:25:60:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:63:24:63:28 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:24:63:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:65:32:65:36 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:65:32:65:36 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:67:27:67:31 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:67:27:67:31 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:68:8:68:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:68:8:68:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:72:8:72:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:72:8:72:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:73:7:73:11 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:73:7:73:11 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:74:16:74:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:74:16:74:20 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongoose.js:76:10:76:14 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:76:10:76:14 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
| mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |


@@ -61,5 +61,18 @@ app.post('/documents/find', (req, res) => {
// NOT OK: query is tainted by user-provided object value
Document.updateOne(query);
});
Document.findByIdAndUpdate(X, query); // NOT OK
new Mongoose.Query(X, Y, query) // NOT OK
.and(query) // NOT OK
;
Document.where(query) // NOT OK
.and(query) // NOT OK
.or(query) // NOT OK
.distinct(X, query) // NOT OK
.comment(query) // OK
.count(query) // NOT OK
;
});
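Review bot: The new cases exercise `where(query)` only in its single-object form; Mongoose also accepts `where(path, value)` (and the value setters `equals`, `gt`, `in`, …), where a tainted value such as `req.body.title` becomes the condition for `path` — the same operator-injection shape the existing `{ title: req.body.title }` cases report — but no line here settles whether `Document.where("title", req.body.title)` is meant to be flagged. Adding `Document.where("title", req.body.title); // NOT OK?` (or `// OK` with the reason) would make the intended sink set explicit and catch a regression either way. A `Document.$where(query) // ?` line would likewise record whether server-side JavaScript arguments are in scope for this query, since `$where` is otherwise only mentioned as returning a Query. The enclosing `app.post('/documents/find', …)` handler opens above the hunk, so it is not visible here which block the final `});` closes.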