Update qhelp file

Your Name
2021-04-05 13:56:43 -04:00
parent 15e176a3b8
commit 9072d19cda
3 changed files with 45 additions and 0 deletions


@@ -0,0 +1,15 @@
from flask import Flask, request
from flask_pymongo import PyMongo
import json
app = Flask(__name__)
app.config["MONGO_URI"] = "mongodb://localhost:27017/testdb"
mongo = PyMongo(app)
@app.route("/")
def home_page():
unsanitized_search = json.loads(request.args['search'])
db_results = mongo.db.user.find({'name': unsanitized_search})
return db_results[0].keys()
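Review bot: `home_page` returns `db_results[0].keys()`, a `dict_keys` view, which is not one of the types Flask accepts as a view return value (str, bytes, dict, list, Response, or a tuple of those), so this sample raises a TypeError on every request, not only on hostile input; return something serialisable, e.g. `return jsonify(list(db_results[0].keys()))` with `jsonify` added to the `flask` import. The body of `home_page` also appears flush left in the hunk as rendered; check that the committed file has the three body lines indented under `def home_page():`. The vulnerable pattern itself is the intended one and matches the overview text: `json.loads(request.args['search'])` turns the query parameter into an arbitrary Python object, so the value matched against `name` can be a JSON object rather than the plain string the developer expected, which is exactly what the qhelp describes as the precondition for NoSQL injection.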


@@ -0,0 +1,9 @@
# Annotated version
from mongosanitizer.sanitizer import sanitize
unsanitized_search = json.loads(request.args['search'])
sanitize(unsanitized_search)
db_results = mongo.db.user.find({'name': unsanitized_search})
return db_results[0].keys()
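Review bot: the good sample is a fragment rather than a program: `request`, `json` and `mongo` are never imported or defined and the four lines are not inside a view function, so a reader cannot compare it line for line with the bad sample; repeat the imports, the app setup and `@app.route("/")` / `def home_page():` from the bad sample so that the only visible difference is the `sanitize` call. Also confirm whether `mongosanitizer.sanitizer.sanitize` cleans its argument in place or returns a cleaned value: if it returns one, `sanitize(unsanitized_search)` discards the result and the `find` on the next line is still built from the raw object, so the fix would be `sanitized_search = sanitize(unsanitized_search)` and querying on that; if it mutates in place, rename the variable after the call so that a "good" example does not pass something called `unsanitized_search` to the database. The `# Annotated version` comment should either go or become a real comment explaining why the call makes the query safe, and the `db_results[0].keys()` return value has the same problem noted on the bad sample.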


@@ -4,14 +4,35 @@
<qhelp>
<overview>
<p>
Passing user-controlled sources into NoSQL queries can result in a NoSQL injection flaw.
This tainted NoSQL query will then execute behavior on a NoSQL database like MongoDB that is non-intended by the developer.
It is important to note that in order for the user-controlled source to act or be part of a NoSQL query requires the user-controller source to be converted into a Python object using something like <code>json.loads</code> or <code>xmltodict.parse</code>.
</p>
<p>
Because a user-controlled source is directly injected into the query, the malicious user can have complete control over the query itself.
When the query is executed they can commit different types of actions like bypass role restrictions or access and modify restricted data in the MongoDB database.
</p>
</overview>
<recommendation>
<p>
NoSQL injection can be prevented by escaping the user input of special characters that is passed into the NoSQL query.
Alternatively using a sanitize library such as MongoSanitizer to sanitize user input will ensure that users who attempt to construct malicious queries in the user-supplied source is not executed.
</p>
<recommendation>
<example>
<p>In the example below, the user-supplied source is passed to a MongoDB function that queries the MongoDB database.</p>
<sample src="NoSQLInjection-Bad.py" />
<p> This can be fixed by using a sanitizer library like MongoSanitizer as shown in this annotated code version below.</p>
<sample src="NoSQLInjection-Good.py" />
<example>
<references>
<li>OWASP NoSQL injection : <a href="https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf"></a>/>> </li>
<li>Security Stack Exchange Discussion : <a href="https://security.stackexchange.com/questions/83231/mongodb-nosql-injection-in-python-code"></a>/>> </li>
</references>
</qhelp>
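Review bot: the qhelp will not parse as XML: `<recommendation>` at the end of the recommendation block and `<example>` at the end of the example block are opening tags where `</recommendation>` and `</example>` are required, and both `<li>` entries in `<references>` contain empty `<a>` elements followed by stray `/>>` text, so the links render with no visible text; write them as `<li>OWASP NoSQL injection: <a href="https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf">GOD16-NOSQL.pdf</a></li>` and the same shape for the Security Stack Exchange link. The prose also needs a pass: "user-controller source" should be "user-controlled source", "behavior ... that is non-intended by the developer" reads better as "behaviour the developer did not intend", "sanitize library" should be "sanitization library", and the recommendation's "ensure that users who attempt to construct malicious queries in the user-supplied source is not executed" has the wrong subject (the queries, not the users, are what must not execute). One substantive point: the overview correctly says the input only becomes injectable once it is converted into a Python object with `json.loads` or `xmltodict.parse`, but the recommendation opens with escaping special characters, which is the SQL-style remedy and does not address an object-shaped value; lead instead with keeping the user-supplied value a plain string (or checking its type before it reaches the query), and present MongoSanitizer as the option for cases where the application genuinely needs to accept structured input.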