JS: add additional mongoose and mongodb js/nosql-injection sinks

2026-05-02 12:15:17 +02:00 · 2020-03-05 11:33:26 +01:00
parent b6c616efd3
commit 7a2faa0b6b
3 changed files with 375 additions and 33 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -26,6 +26,15 @@ nodes
 | mongodb.js:60:16:60:30 | req.query.title |
 | mongodb.js:65:12:65:16 | query |
 | mongodb.js:65:12:65:16 | query |
+| mongodb.js:70:7:70:25 | tag |
+| mongodb.js:70:13:70:25 | req.query.tag |
+| mongodb.js:70:13:70:25 | req.query.tag |
+| mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:77:22:77:24 | tag |
+| mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:85:20:85:22 | tag |
 | mongodb_bodySafe.js:23:11:23:20 | query |
 | mongodb_bodySafe.js:23:19:23:20 | {} |
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title |
@@ -63,6 +72,20 @@ nodes
 | mongoose.js:60:25:60:29 | query |
 | mongoose.js:63:24:63:28 | query |
 | mongoose.js:63:24:63:28 | query |
+| mongoose.js:65:32:65:36 | query |
+| mongoose.js:65:32:65:36 | query |
+| mongoose.js:67:27:67:31 | query |
+| mongoose.js:67:27:67:31 | query |
+| mongoose.js:68:8:68:12 | query |
+| mongoose.js:68:8:68:12 | query |
+| mongoose.js:72:8:72:12 | query |
+| mongoose.js:72:8:72:12 | query |
+| mongoose.js:73:7:73:11 | query |
+| mongoose.js:73:7:73:11 | query |
+| mongoose.js:74:16:74:20 | query |
+| mongoose.js:74:16:74:20 | query |
+| mongoose.js:76:10:76:14 | query |
+| mongoose.js:76:10:76:14 | query |
 | mongooseJsonParse.js:19:11:19:20 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} |
 | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
@@ -146,6 +169,14 @@ edges
 | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
 | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
 | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query |
+| mongodb.js:70:7:70:25 | tag | mongodb.js:77:22:77:24 | tag |
+| mongodb.js:70:7:70:25 | tag | mongodb.js:85:20:85:22 | tag |
+| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag |
+| mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:70:7:70:25 | tag |
+| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
+| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
 | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query |
@@ -183,6 +214,20 @@ edges
 | mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:68:8:68:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:72:8:72:12 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:73:7:73:11 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:74:16:74:20 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:76:10:76:14 | query |
 | mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
@@ -214,6 +259,20 @@ edges
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:68:8:68:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:72:8:72:12 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:73:7:73:11 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:74:16:74:20 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:76:10:76:14 | query |
 | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
 | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} | mongooseJsonParse.js:19:11:19:20 | query |
@@ -261,6 +320,8 @@ edges
 | mongodb.js:32:18:32:45 | { title ... itle) } | mongodb.js:26:19:26:26 | req.body | mongodb.js:32:18:32:45 | { title ... itle) } | This query depends on $@. | mongodb.js:26:19:26:26 | req.body | a user-provided value |
 | mongodb.js:54:16:54:20 | query | mongodb.js:49:19:49:33 | req.query.title | mongodb.js:54:16:54:20 | query | This query depends on $@. | mongodb.js:49:19:49:33 | req.query.title | a user-provided value |
 | mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query depends on $@. | mongodb.js:60:16:60:30 | req.query.title | a user-provided value |
+| mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
+| mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
 | mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query depends on $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | a user-provided value |
 | mongoose.js:27:20:27:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:27:20:27:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:30:25:30:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:30:25:30:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
@@ -275,6 +336,13 @@ edges
 | mongoose.js:57:21:57:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:57:21:57:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:60:25:60:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:60:25:60:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:63:24:63:28 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:24:63:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:65:32:65:36 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:65:32:65:36 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:67:27:67:31 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:67:27:67:31 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:68:8:68:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:68:8:68:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:72:8:72:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:72:8:72:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:73:7:73:11 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:73:7:73:11 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:74:16:74:20 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:74:16:74:20 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:76:10:76:14 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:76:10:76:14 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
 | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
@@ -61,5 +61,18 @@ app.post('/documents/find', (req, res) => {

    // NOT OK: query is tainted by user-provided object value
    Document.updateOne(query);
-});

+	Document.findByIdAndUpdate(X, query); // NOT OK
+
+	new Mongoose.Query(X, Y, query)	// NOT OK
+		.and(query) // NOT OK
+	;
+
+	Document.where(query)	// NOT OK
+		.and(query) // NOT OK
+		.or(query) // NOT OK
+		.distinct(X, query) // NOT OK
+		.comment(query) // OK
+		.count(query) // NOT OK
+	;
+});