JavaScript: Add models for more Mongoose methods.

2026-01-06 03:00:24 +01:00 · 2020-11-26 15:24:56 +00:00
parent 2945eada9e
commit 978d2db252
6 changed files with 134 additions and 2 deletions
--- a/javascript/ql/src/Security/CWE-089/SqlInjection.qhelp
+++ b/javascript/ql/src/Security/CWE-089/SqlInjection.qhelp
@@ -17,6 +17,11 @@ Most database connector libraries offer a way of safely
 embedding untrusted data into a query by means of query parameters
 or prepared statements.
 </p>
+<p>
+For NoSQL queries, make use of an operator like MongoDB's <code>$eq</code>
+to ensure that untrusted data is interpreted as a literal value and not as
+a query object.
+</p>
 </recommendation>

 <example>
@@ -52,5 +57,6 @@ immune to injection attacks.

 <references>
 <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
+<li>MongoDB: <a href="https://docs.mongodb.com/manual/reference/operator/query/eq">$eq operator</a>.</li>
 </references>
 </qhelp>