diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.expected b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.expected
new file mode 100644
index 00000000000..303d04688ff
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.expected
@@ -0,0 +1,3 @@
+failures
+missingAnnotationOnSink
+testFailures
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.ql b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.ql
new file mode 100644
index 00000000000..f3709acc913
--- /dev/null
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.ql
@@ -0,0 +1,4 @@
+import python
+import experimental.dataflow.TestUtil.DataflowQueryTest
+import semmle.python.security.dataflow.NoSQLInjectionQuery
+import FromTaintTrackingStateConfig
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py
index 9fc8aaefc0f..76ac28edf79 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py
@@ -19,7 +19,7 @@ def subclass_objects():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
-    return Movie.objects(__raw__=json_search)
+    return Movie.objects(__raw__=json_search) #$ result=BAD
 @app.route("/get_db_find")
 def get_db_find():
@@ -27,7 +27,7 @@ def get_db_find():
     json_search = json.loads(unsafe_search)
     retrieved_db = db.get_db()
-    return retrieved_db["Movie"].find({'name': json_search})
+    return retrieved_db["Movie"].find({'name': json_search}) #$ result=BAD
 # if __name__ == "__main__":
 # app.run(debug=True)
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py
index 29a2c75d664..1ce065569f2 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py
@@ -21,7 +21,7 @@ def subclass_objects():
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)
-    return Movie.objects(__raw__=safe_search)
+    return Movie.objects(__raw__=safe_search) #$ result=OK
 # if __name__ == "__main__":
 # app.run(debug=True)
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py
index 0c1023971da..735fbff9b34 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py
@@ -11,7 +11,7 @@ def home_page():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
-    return mongo.db.user.find({'name': json_search})
+    return mongo.db.user.find({'name': json_search}) #$ result=BAD
 # if __name__ == "__main__":
 # app.run(debug=True)
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py
index 6576ba88af8..f2458f91b89 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py
@@ -13,7 +13,7 @@ def home_page():
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)
-    return mongo.db.user.find({'name': safe_search})
+    return mongo.db.user.find({'name': safe_search}) #$ result=OK
 # if __name__ == "__main__":
 # app.run(debug=True)
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py
index 81800425e46..4367f9e1ff7 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py
@@ -19,7 +19,7 @@ def connect_find():
     json_search = json.loads(unsafe_search)
     db = me.connect('mydb')
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search}) #$ result=BAD
 @app.route("/connection_connect_find")
 def connection_connect_find():
@@ -27,7 +27,7 @@ def connection_connect_find():
     json_search = json.loads(unsafe_search)
     db = connect('mydb')
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search}) #$ result=BAD
 @app.route("/get_db_find")
 def get_db_find():
@@ -35,7 +35,7 @@ def get_db_find():
     json_search = json.loads(unsafe_search)
     db = me.get_db()
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search}) #$ result=BAD
 @app.route("/connection_get_db_find")
 def connection_get_db_find():
@@ -43,14 +43,14 @@ def connection_get_db_find():
     json_search = json.loads(unsafe_search)
     db = get_db()
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search}) #$ result=BAD
 @app.route("/subclass_objects")
 def subclass_objects():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
-    return Movie.objects(__raw__=json_search)
+    return Movie.objects(__raw__=json_search) #$ result=BAD
 @app.route("/subscript_find")
 def subscript_find():
@@ -58,7 +58,7 @@ def subscript_find():
     json_search = json.loads(unsafe_search)
     db = me.connect('mydb')
-    return db['movie'].find({'name': json_search})
+    return db['movie'].find({'name': json_search}) #$ result=BAD
 # if __name__ == "__main__":
 # app.run(debug=True)
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py
index c9b2b8e762f..e8ac68cccba 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py
@@ -21,7 +21,7 @@ def connect_find():
     safe_search = sanitize(json_search)
     db = me.connect('mydb')
-    return db.movie.find({'name': safe_search})
+    return db.movie.find({'name': safe_search}) #$ result=OK
 # if __name__ == "__main__":
 # app.run(debug=True)
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py
index ecf53ec4f9a..3dd667a3f2d 100644
--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py
@@ -12,7 +12,7 @@ def bad():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
-    return client.db.collection.find_one({'data': json_search})
+    return client.db.collection.find_one({'data': json_search}) #$ result=BAD
 @app.route("/good")
@@ -21,7 +21,7 @@ def good():
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)
-    return client.db.collection.find_one({'data': safe_search})
+    return client.db.collection.find_one({'data': safe_search}) #$ result=OK
 @app.route("/bad2")
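Review bot: In the `mongoengine_good.py` hunk the `#$ result=OK` on the `find` call rests entirely on `safe_search = sanitize(json_search)`, and `sanitize` is defined outside the hunk, so a reader cannot tell whether the query stops flow because it models `sanitize` as a sanitizer or simply because taint is not propagated through an unmodelled call. I would say so on that line: `safe_search = sanitize(json_search)  # test stub: OK asserts only that the query reports no flow past this call, not that sanitize is a real sanitizer`. The same remark applies to the `OK` annotations in the other `*_good.py` hunks and in `pymongo_test.py`'s `good`. The enclosing `connect_find` starts outside the hunk.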
@@ -30,7 +30,7 @@ def bad2():
     client = MongoClient("localhost", 27017, maxPoolSize=50)
     db = client.localhost
     collection = db['collection']
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"}) #$ result=BAD
 @app.route("/bad3")
@@ -40,7 +40,7 @@ def bad3():
     client = MongoClient("localhost", 27017, maxPoolSize=50)
     db = client.get_database(name="localhost")
     collection = db.get_collection("collection")
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"}) #$ result=BAD
 if __name__ == "__main__":
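Review bot: In the `bad3` hunk (and the identical `bad2` hunk above it) the `$where` body is `f"this._id == '${event_id}'"`; in a Python f-string the `$` is a literal character, so the query sent to MongoDB contains `'$<value>'`, which looks like a leftover from a JavaScript template literal rather than intended test input. The line is still a correct `BAD` case — `$where` executes server-side JavaScript and `event_id` is spliced into it unescaped — but the stray `$` makes the test read as if it were JS, so I would write `cursor = collection.find_one({"$where": f"this._id == '{event_id}'"}) #$ result=BAD`. The assignment of `event_id` and the start of `bad3` are outside the hunk, so where the value originates cannot be confirmed here.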