Python: Split modelling of query operators

`$where` and `$function` behave quite differently.
2025-12-31 16:16:34 +01:00 · 2023-09-11 15:54:00 +02:00
parent 154a36934d
commit d9f63e1ed3
2 changed files with 29 additions and 11 deletions
--- a/python/ql/lib/semmle/python/frameworks/NoSQL.qll
+++ b/python/ql/lib/semmle/python/frameworks/NoSQL.qll
@@ -99,9 +99,6 @@ private module NoSql {
      ]
  }

-  /** Gets the name of a mongo query operator that will interpret JavaScript. */
-  private string mongoQueryOperator() { result in ["$where", "$function"] }
-
  /**
   * Gets a reference to a `Mongo` collection method call
   *
@@ -125,12 +122,34 @@ private module NoSql {
    override predicate vulnerableToStrings() { none() }
  }

-  private class MongoCollectionQueryOperator extends API::CallNode, NoSqlQuery::Range {
+  /** The `$where` query operator executes a string as JavaScript. */
+  private class WhereQueryOperator extends API::CallNode, NoSqlQuery::Range {
    DataFlow::Node query;

-    MongoCollectionQueryOperator() {
+    WhereQueryOperator() {
      this = mongoCollection().getMember(mongoCollectionMethodName()).getACall() and
-      query = this.getParameter(0).getSubscript(mongoQueryOperator()).asSink()
+      query = this.getParameter(0).getSubscript("$where").asSink()
+    }
+
+    override DataFlow::Node getQuery() { result = query }
+
+    override predicate interpretsDict() { none() }
+
+    override predicate vulnerableToStrings() { any() }
+  }
+
+  /** The `$function` query operator executes its `body` string as JavaScript. */
+  private class FunctionQueryOperator extends API::CallNode, NoSqlQuery::Range {
+    DataFlow::Node query;
+
+    FunctionQueryOperator() {
+      this = mongoCollection().getMember(mongoCollectionMethodName()).getACall() and
+      query =
+        this.getParameter(0)
+            .getASubscript*()
+            .getSubscript("$function")
+            .getSubscript("body")
+            .asSink()
    }

    override DataFlow::Node getQuery() { result = query }