Python: Enrich the NoSql concept

This allows us to model more precisely.
The query tests now pass.
I do wonder if there is a cleaner approach, similar to
`TaintedObject` in JavaScript. I want the option to
get this query into the hands of the customers before
such an investigation, though.
Rasmus Lerchedahl Petersen
2023-08-31 20:30:03 +02:00
parent 114984bd8c
commit c0b3245a53
5 changed files with 80 additions and 12 deletions


@@ -34,7 +34,7 @@ def as_dict():
def as_dict_hardened():
author_string = request.args['author']
author = json.loads(author_string)
post = posts.find_one({'author': {"$eq": author}}) # $ SPURIOUS: result=BAD
post = posts.find_one({'author': {"$eq": author}}) # $ result=OK
return show_post(post, author)
@app.route('/byWhere', methods=['GET'])
@@ -43,7 +43,7 @@ def by_where():
# Use `" | "a" === "a` as author
# making the query `this.author === "" | "a" === "a"`
# Found by http://127.0.0.1:5000/byWhere?author=%22%20|%20%22a%22%20===%20%22a
post = posts.find_one({'$where': 'this.author === "'+author+'"'}) # $ MISSING: result=BAD
post = posts.find_one({'$where': 'this.author === "'+author+'"'}) # $ result=BAD
return show_post(post, author)
@app.route('/', methods=['GET'])
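Review bot: The `result=OK` expectation on the `find_one` call in `as_dict_hardened` (first hunk) has no comment saying why the `$eq` wrapper makes the decoded JSON safe, so a reader has to work it out from the modelling. A line above the call such as `# $eq treats its operand as a literal value, so operator keys in the decoded dict are not interpreted` would record the reason. It should also make clear that the guarantee comes from the operator and not from `json.loads`, which can still return a dict. The `@app.route` decorator of `as_dict_hardened` and the start of `by_where` are outside the hunks shown.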