Merge pull request #1907 from asger-semmle/mongoose-types

Approved by xiemaisi
2025-12-17 01:03:14 +01:00 · 2019-09-10 12:05:57 +01:00
parent 2f54437c10 194a1c3530
commit df1bf4a95b
22 changed files with 148 additions and 22 deletions
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
@@ -0,0 +1,15 @@
+nodes
+| typedClient.ts:13:7:13:32 | v |
+| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) |
+| typedClient.ts:13:22:13:29 | req.body |
+| typedClient.ts:13:22:13:31 | req.body.x |
+| typedClient.ts:14:24:14:32 | { id: v } |
+| typedClient.ts:14:30:14:30 | v |
+edges
+| typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v |
+| typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v |
+| typedClient.ts:13:22:13:29 | req.body | typedClient.ts:13:22:13:31 | req.body.x |
+| typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) |
+| typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
+#select
+| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query depends on $@. | typedClient.ts:13:22:13:29 | req.body | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.qlref
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/shim.d.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/shim.d.ts
@@ -0,0 +1,5 @@
+declare module "mongodb" {
+  interface Collection {
+    find(query: any): any;
+  }
+}
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/tsconfig.json
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/tsconfig.json
@@ -0,0 +1,6 @@
+{
+  "include": ["."],
+  "compilerOptions": {
+    "esModuleInterop": true
+  }
+}
--- a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts
@@ -0,0 +1,15 @@
+import * as mongodb from "mongodb";
+
+const express = require('express') as any;
+const bodyParser = require('body-parser') as any;
+
+declare function getCollection(): mongodb.Collection;
+
+let app = express();
+
+app.use(bodyParser.json());
+
+app.post('/find', (req, res) => {
+  let v = JSON.parse(req.body.x);
+  getCollection().find({ id: v }); // NOT OK
+});
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -41,6 +41,15 @@ nodes
 | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title |
 | mongooseJsonParse.js:20:30:20:43 | req.query.data |
 | mongooseJsonParse.js:23:19:23:23 | query |
+| mongooseModelClient.js:10:7:10:32 | v |
+| mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) |
+| mongooseModelClient.js:10:22:10:29 | req.body |
+| mongooseModelClient.js:10:22:10:31 | req.body.x |
+| mongooseModelClient.js:11:16:11:24 | { id: v } |
+| mongooseModelClient.js:11:22:11:22 | v |
+| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
+| mongooseModelClient.js:12:22:12:29 | req.body |
+| mongooseModelClient.js:12:22:12:32 | req.body.id |
 | socketio.js:10:25:10:30 | handle |
 | socketio.js:11:12:11:53 | `INSERT ... andle}` |
 | socketio.js:11:46:11:51 | handle |
@@ -124,6 +133,13 @@ edges
 | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:19:19:19:20 | {} |
 | mongooseJsonParse.js:20:19:20:50 | JSON.pa ... ).title | mongooseJsonParse.js:23:19:23:23 | query |
 | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:20:19:20:44 | JSON.pa ... y.data) |
+| mongooseModelClient.js:10:7:10:32 | v | mongooseModelClient.js:11:22:11:22 | v |
+| mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) | mongooseModelClient.js:10:7:10:32 | v |
+| mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:10:22:10:31 | req.body.x |
+| mongooseModelClient.js:10:22:10:31 | req.body.x | mongooseModelClient.js:10:11:10:32 | JSON.pa ... body.x) |
+| mongooseModelClient.js:11:22:11:22 | v | mongooseModelClient.js:11:16:11:24 | { id: v } |
+| mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id |
+| mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
 | socketio.js:10:25:10:30 | handle | socketio.js:11:46:11:51 | handle |
 | socketio.js:11:46:11:51 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` |
 | tst2.js:9:27:9:78 | "select ... rams.id | tst2.js:9:27:9:84 | "select ... d + "'" |
@@ -159,6 +175,8 @@ edges
 | mongoose.js:60:25:60:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:60:25:60:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:63:24:63:28 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:24:63:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
+| mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
+| mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
 | socketio.js:11:12:11:53 | `INSERT ... andle}` | socketio.js:10:25:10:30 | handle | socketio.js:11:12:11:53 | `INSERT ... andle}` | This query depends on $@. | socketio.js:10:25:10:30 | handle | a user-provided value |
 | tst2.js:9:27:9:84 | "select ... d + "'" | tst2.js:9:66:9:78 | req.params.id | tst2.js:9:27:9:84 | "select ... d + "'" | This query depends on $@. | tst2.js:9:66:9:78 | req.params.id | a user-provided value |
 | tst3.js:10:14:10:19 | query1 | tst3.js:9:16:9:34 | req.params.category | tst3.js:10:14:10:19 | query1 | This query depends on $@. | tst3.js:9:16:9:34 | req.params.category | a user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.qlref
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.qlref
@@ -0,0 +1 @@
+Security/CWE-089/SqlInjection.ql
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb_bodySafe.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseJsonParse.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModel.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModel.js
@@ -0,0 +1,3 @@
+import mongoose from 'mongoose';
+
+export const MyModel = mongoose.model('MyModel', getSchema());
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongooseModelClient.js
@@ -0,0 +1,14 @@
+import { MyModel } from './mongooseModel';
+import express from 'express';
+import bodyParser from 'body-parser';
+
+let app = express();
+
+app.use(bodyParser.json());
+
+app.post('/find', (req, res) => {
+  let v = JSON.parse(req.body.x);
+  MyModel.find({ id: v }); // NOT OK
+  MyModel.find({ id: req.body.id }); // NOT OK
+  MyModel.find({ id: `${req.body.id}` }); // OK
+});
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/node-postgres-LICENSE
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/node-postgres-LICENSE
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/node-sqlite3-LICENSE
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/node-sqlite3-LICENSE
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/socketio.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/socketio.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst2.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst3.js
--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst4.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/tst4.js