JS: add test for DatabaseAccess

2026-04-30 19:26:02 +02:00 · 2020-03-10 08:56:03 +01:00
parent 6b9bd8bd97
commit aae92ad795
3 changed files with 67 additions and 2 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
@@ -429,6 +429,11 @@ private module Mongoose {
    )
  }

+  /**
+   * Gets a data flow node referring to a Mongoose query object.
+   */
+  private DataFlow::SourceNode getAQuery() { result = getAQuery(DataFlow::TypeTracker::end()) }
+
  /**
   * An expression passed to `mongoose.createConnection` to supply credentials.
   */
@@ -460,9 +465,43 @@ private module Mongoose {
      this = any(QueryFromConstructor c).getArgument(2).asExpr()
      or
      exists(string method, int n | QueryMethodSignatures::interpretsArgumentAsQuery(method, n) |
-        this =
-          getAQuery(DataFlow::TypeTracker::end()).getAMethodCall(method).getArgument(n).asExpr()
+        this = getAQuery().getAMethodCall(method).getArgument(n).asExpr()
      )
    }
  }
+
+  /**
+   * An evaluation of a MongoDB query.
+   */
+  class MongoDBQueryEvaluation extends DatabaseAccess {
+    DataFlow::MethodCallNode mcn;
+
+    MongoDBQueryEvaluation() {
+      this = mcn and
+      (
+        exists(Model m, string method |
+          ModelMethodSignatures::returnsQuery(method) and
+          mcn = m.ref().getAMethodCall(method) and
+          // callback provided to a Model method call
+          exists(mcn.getCallback(mcn.getNumArgument() - 1))
+        )
+        or
+        getAQuery().getAMethodCall() = mcn and
+        (
+          // explicit execution using a Query method call
+          exists(string executor | executor = "exec" or executor = "then" or executor = "catch" |
+            mcn.getMethodName() = executor
+          )
+          or
+          // callback provided to a Query method call
+          exists(mcn.getCallback(mcn.getNumArgument() - 1))
+        )
+      )
+    }
+
+    override DataFlow::Node getAQueryArgument() {
+      // NB: this does not account for all of the chained calls leading to this execution
+      mcn.getAnArgument().asExpr().(MongoDBQueryPart).flow() = result
+    }
+  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -0,0 +1,23 @@
+| mongodb.js:18:7:18:21 | doc.find(query) |
+| mongodb.js:21:7:21:48 | doc.fin ... itle }) |
+| mongodb.js:24:7:24:53 | doc.fin ... r(1) }) |
+| mongodb.js:29:9:29:34 | doc.fin ... itle }) |
+| mongodb.js:32:9:32:46 | doc.fin ... tle) }) |
+| mongodb.js:43:7:43:21 | doc.find(query) |
+| mongodb.js:54:7:54:21 | doc.find(query) |
+| mongodb.js:65:3:65:17 | doc.find(query) |
+| mongodb.js:73:5:77:27 | client\\n ...  tag }) |
+| mongodb.js:81:3:85:25 | importe ...  tag }) |
+| mongodb_bodySafe.js:18:7:18:21 | doc.find(query) |
+| mongodb_bodySafe.js:29:7:29:21 | doc.find(query) |
+| mongoose.js:63:2:63:34 | Documen ... then(X) |
+| mongoose.js:65:2:65:51 | Documen ... on(){}) |
+| mongoose.js:67:2:68:27 | new Mon ... on(){}) |
+| mongoose.js:71:2:77:9 | Documen ... .exec() |
+| socketio.js:11:5:11:54 | db.run( ... ndle}`) |
+| tst2.js:7:3:7:62 | sql.que ... ms.id}` |
+| tst2.js:9:3:9:85 | new sql ...  + "'") |
+| tst3.js:10:3:12:4 | pool.qu ... ts\\n  }) |
+| tst3.js:17:3:19:4 | pool.qu ... ts\\n  }) |
+| tst4.js:8:3:8:67 | db.get( ...  + '"') |
+| tst.js:10:3:10:65 | db.get( ...  + '"') |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.ql
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.ql
@@ -0,0 +1,3 @@
+import javascript
+
+select any(DatabaseAccess a)