hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-22 23:35:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: Split modelling of query operators

Browse Source 
`$where` and `$function` behave quite differently.
This commit is contained in:
Rasmus Lerchedahl Petersen
2023-09-11 15:54:00 +02:00
parent 154a36934d
commit d9f63e1ed3
2 changed files with 29 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/PoC/server.py
View File

@@ -46,30 +46,29 @@ def by_where():
post = posts.find_one({'$where': 'this.author === "'+author+'"'}) # $ result=BAD
return show_post(post, author)
@app.route('/byFunction', methods=['GET'])
def by_function():
author = request.args['author']
search = {
"body": 'function(author) { return(author === "'+author+'") }',
"body": 'function(author) { return(author === "'+author+'") }', # $ result=BAD
"args": [ "$author" ],
"lang": "js"
}
# Use `" | "a" === "a` as author
# making the query `this.author === "" | "a" === "a"`
# Found by http://127.0.0.1:5000/byFunction?author=%22%20|%20%22a%22%20===%20%22a
post = posts.find_one({'$expr': {'$function': search}}) # $ MISING: result=BAD
post = posts.find_one({'$expr': {'$function': search}}) # $ result=BAD
return show_post(post, author)
@app.route('/byFunctionArg', methods=['GET'])
def by_function_arg():
author = request.args['author']
search = {
"body": 'function(author, target) { return(author === target) }',
"body": 'function(author, target) { return(author === target) }', # $ result=OK
"args": [ "$author", author ],
"lang": "js"
}
post = posts.find_one({'$expr': {'$function': search}}) # $ result=OK
post = posts.find_one({'$expr': {'$function': search}}) # $ SPURIOUS: result=BAD
return show_post(post, author)
@app.route('/', methods=['GET'])