hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Catch any keyword argument passed to MongoEngine's objects method

Browse Source 
After some research, we discovered that any keyword argument passed to the objects method will result in NoSQL injection. This includes scenarios where we have the following:

objects(name_of_model_attribute=unsanitized_user_input)
This commit is contained in:
thank_you
2021-04-07 16:45:48 -04:00
parent 719c30bd92
commit 83f28bfdda
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll
View File

@@ -63,7 +63,7 @@ private module NoSQL {
.getACall()
}
override DataFlow::Node getQueryNode() { result = this.getArgByName("__raw__") }
override DataFlow::Node getQueryNode() { result = this.getArgByName(any(string name)) }
}
private class MongoSanitizerCall extends DataFlow::CallCfgNode, NoSQLSanitizer::Range {