Merge pull request #3542 from porcupineyhairs/mongoJava

Java : add MongoDB injection sinks

java/ql/test/query-tests/security/CWE-089/semmle/examples/Mongo.java

@@ -0,0 +1,25 @@
+import com.mongodb.MongoClient;
+import com.mongodb.DBObject;
+import com.mongodb.util.*;
+import com.mongodb.ServerAddress;
+import com.mongodb.DBCollection;
+import com.mongodb.DBCursor;
+import com.mongodb.*;
+
+public class Mongo {
+    public static void main(String[] args) {
+        MongoClient mongoClient = new MongoClient(new ServerAddress("localhost", 27017));
+        DB db = mongoClient.getDB("mydb");
+        DBCollection collection = db.getCollection("test");
+
+        String name = args[1];
+        String stringQuery = "{ 'name' : '" + name + "'}";
+        DBObject databaseQuery = (DBObject) JSON.parse(stringQuery);
+        DBCursor result = collection.find(databaseQuery);
+
+        String json = args[1];
+        BasicDBObject bdb = BasicDBObject.parse(json);
+        DBCursor result2 = collection.find(bdb);
+
+    }
+}

java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected

@@ -1,4 +1,6 @@
 edges
+| Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) |
+| Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json |
 | Test.java:29:30:29:42 | args : String[] | Test.java:36:47:36:52 | query1 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:42:57:42:62 | query2 |
 | Test.java:29:30:29:42 | args : String[] | Test.java:50:62:50:67 | query3 |
@@ -11,6 +13,9 @@ edges
 | Test.java:214:11:214:14 | args : String[] | Test.java:29:30:29:42 | args : String[] |
 | Test.java:218:14:218:17 | args : String[] | Test.java:183:33:183:45 | args : String[] |
 nodes
+| Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
+| Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
+| Mongo.java:21:49:21:52 | json | semmle.label | json |
 | Test.java:29:30:29:42 | args : String[] | semmle.label | args : String[] |
 | Test.java:36:47:36:52 | query1 | semmle.label | query1 |
 | Test.java:42:57:42:62 | query2 | semmle.label | query2 |
@@ -24,6 +29,8 @@ nodes
 | Test.java:214:11:214:14 | args : String[] | semmle.label | args : String[] |
 | Test.java:218:14:218:17 | args : String[] | semmle.label | args : String[] |
 #select
+| Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | Query might include code from $@. | Mongo.java:10:29:10:41 | args | this user input |
+| Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | Query might include code from $@. | Mongo.java:10:29:10:41 | args | this user input |
 | Test.java:36:47:36:52 | query1 | Test.java:213:26:213:38 | args : String[] | Test.java:36:47:36:52 | query1 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
 | Test.java:42:57:42:62 | query2 | Test.java:213:26:213:38 | args : String[] | Test.java:42:57:42:62 | query2 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
 | Test.java:50:62:50:67 | query3 | Test.java:213:26:213:38 | args : String[] | Test.java:50:62:50:67 | query3 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |

java/ql/test/query-tests/security/CWE-089/semmle/examples/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient