refactor the NoSQL model to use API graphs

javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected

@@ -136,6 +136,8 @@ nodes
 | mongoose.js:94:51:94:55 | query |
 | mongoose.js:96:46:96:50 | query |
 | mongoose.js:96:46:96:50 | query |
+| mongoose.js:111:14:111:18 | query |
+| mongoose.js:111:14:111:18 | query |
 | mongooseJsonParse.js:19:11:19:20 | query |
 | mongooseJsonParse.js:19:19:19:20 | {} |
 | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
@@ -337,6 +339,8 @@ edges
 | mongoose.js:20:11:20:20 | query | mongoose.js:94:51:94:55 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:96:46:96:50 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:96:46:96:50 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:111:14:111:18 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:111:14:111:18 | query |
 | mongoose.js:20:19:20:20 | {} | mongoose.js:20:11:20:20 | query |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
 | mongoose.js:21:19:21:26 | req.body | mongoose.js:21:19:21:32 | req.body.title |
@@ -403,6 +407,8 @@ edges
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:94:51:94:55 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:96:46:96:50 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:96:46:96:50 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:111:14:111:18 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:111:14:111:18 | query |
 | mongoose.js:24:25:24:29 | query | mongoose.js:24:24:24:30 | [query] |
 | mongoose.js:24:25:24:29 | query | mongoose.js:24:24:24:30 | [query] |
 | mongooseJsonParse.js:19:11:19:20 | query | mongooseJsonParse.js:23:19:23:23 | query |
@@ -490,6 +496,7 @@ edges
 | mongoose.js:92:46:92:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:92:46:92:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:94:51:94:55 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:94:51:94:55 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:96:46:96:50 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:96:46:96:50 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:111:14:111:18 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:111:14:111:18 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
 | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js

@@ -97,4 +97,16 @@ app.post('/documents/find', (req, res) => {
 	Document.find(X).then(Y, (err) => err.count(query)); // OK
 
 	Document.count(X, (err, res) => res.count(query)); // OK (res is a number)
+    
+	function innocent(X, Y, query) { // To detect if API-graphs were used incorrectly.
+		return new Mongoose.Query("constant", "constant", "constant");
+	}
+	new innocent(X, Y, query);
+
+	function getQueryConstructor() {
+		return Mongoose.Query;
+	}
+
+	var C = getQueryConstructor();
+	new C(X, Y, query); // NOT OK
 });