Python: Add inline query test

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.expected

@@ -0,0 +1,3 @@
+failures
+missingAnnotationOnSink
+testFailures

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/DataflowQueryTest.ql

@@ -0,0 +1,4 @@
+import python
+import experimental.dataflow.TestUtil.DataflowQueryTest
+import semmle.python.security.dataflow.NoSQLInjectionQuery
+import FromTaintTrackingStateConfig<Config>

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_bad.py

@@ -19,7 +19,7 @@ def subclass_objects():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
 
-    return Movie.objects(__raw__=json_search)
+    return Movie.objects(__raw__=json_search)  #$ result=BAD
 
 @app.route("/get_db_find")
 def get_db_find():
@@ -27,7 +27,7 @@ def get_db_find():
     json_search = json.loads(unsafe_search)
 
     retrieved_db = db.get_db()
-    return retrieved_db["Movie"].find({'name': json_search})
+    return retrieved_db["Movie"].find({'name': json_search})  #$ result=BAD
 
 # if __name__ == "__main__":
 #     app.run(debug=True)

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_mongoengine_good.py

@@ -21,7 +21,7 @@ def subclass_objects():
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)
 
-    return Movie.objects(__raw__=safe_search)
+    return Movie.objects(__raw__=safe_search)  #$ result=OK
 
 # if __name__ == "__main__":
 #     app.run(debug=True)

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_bad.py

@@ -11,7 +11,7 @@ def home_page():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
 
-    return mongo.db.user.find({'name': json_search})
+    return mongo.db.user.find({'name': json_search})  #$ result=BAD
 
 # if __name__ == "__main__":
 #     app.run(debug=True)

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/flask_pymongo_good.py

@@ -13,7 +13,7 @@ def home_page():
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)
 
-    return mongo.db.user.find({'name': safe_search})
+    return mongo.db.user.find({'name': safe_search})  #$ result=OK
 
 # if __name__ == "__main__":
 #    app.run(debug=True)

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_bad.py

@@ -19,7 +19,7 @@ def connect_find():
     json_search = json.loads(unsafe_search)
 
     db = me.connect('mydb')  
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search})  #$ result=BAD
 
 @app.route("/connection_connect_find")
 def connection_connect_find():
@@ -27,7 +27,7 @@ def connection_connect_find():
     json_search = json.loads(unsafe_search)
 
     db = connect('mydb')
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search})  #$ result=BAD
 
 @app.route("/get_db_find")
 def get_db_find():
@@ -35,7 +35,7 @@ def get_db_find():
     json_search = json.loads(unsafe_search)
 
     db = me.get_db()
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search})  #$ result=BAD
 
 @app.route("/connection_get_db_find")
 def connection_get_db_find():
@@ -43,14 +43,14 @@ def connection_get_db_find():
     json_search = json.loads(unsafe_search)
 
     db = get_db()
-    return db.movie.find({'name': json_search})
+    return db.movie.find({'name': json_search})  #$ result=BAD
 
 @app.route("/subclass_objects")
 def subclass_objects():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
 
-    return Movie.objects(__raw__=json_search)
+    return Movie.objects(__raw__=json_search)  #$ result=BAD
 
 @app.route("/subscript_find")
 def subscript_find():
@@ -58,7 +58,7 @@ def subscript_find():
     json_search = json.loads(unsafe_search)
 
     db = me.connect('mydb')  
-    return db['movie'].find({'name': json_search})
+    return db['movie'].find({'name': json_search})  #$ result=BAD
 
 # if __name__ == "__main__":
 #     app.run(debug=True)

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/mongoengine_good.py

@@ -21,7 +21,7 @@ def connect_find():
     safe_search = sanitize(json_search)
 
     db = me.connect('mydb')  
-    return db.movie.find({'name': safe_search})
+    return db.movie.find({'name': safe_search})  #$ result=OK
 
 # if __name__ == "__main__":
 #     app.run(debug=True)

python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/pymongo_test.py

@@ -12,7 +12,7 @@ def bad():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
 
-    return client.db.collection.find_one({'data': json_search})
+    return client.db.collection.find_one({'data': json_search})  #$ result=BAD
 
 
 @app.route("/good")
@@ -21,7 +21,7 @@ def good():
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)
 
-    return client.db.collection.find_one({'data': safe_search})
+    return client.db.collection.find_one({'data': safe_search})  #$ result=OK
 
 
 @app.route("/bad2")
@@ -30,7 +30,7 @@ def bad2():
     client = MongoClient("localhost", 27017, maxPoolSize=50)
     db = client.localhost
     collection = db['collection']
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})  #$ result=BAD
 
 
 @app.route("/bad3")
@@ -40,7 +40,7 @@ def bad3():
     client = MongoClient("localhost", 27017, maxPoolSize=50)
     db = client.get_database(name="localhost")
     collection = db.get_collection("collection")
-    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})  #$ result=BAD
 
 
 if __name__ == "__main__":