
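// Test fixture for NoSQL-injection detection (CWE-089) against the MongoDB
// driver: an Express app whose route handlers pass request-derived values to
// `collection.find`, each call annotated with the verdict the analysis is
// expected to produce (`NOT OK` = should be flagged, `OK` = should not).
const express = require('express');
const mongodb = require('mongodb');
const bodyParser = require('body-parser');
const MongoClient = mongodb.MongoClient;
const app = express();
// Populate `req.body` from application/x-www-form-urlencoded bodies for the POST
// handlers. `extended: true` selects the qs parser, which can turn bracketed
// keys into nested objects and arrays — that is what makes `req.body.title` an
// object-typed rather than string-typed taint source in the handlers below.
app.use(bodyParser.urlencoded({ extended: true }));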
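app.post('/documents/find', (req, res) => {
  // `req.body.title` comes straight from the parsed body and may be an object
  // (one that carries query operators) rather than a plain string.
  const query = {};
  query.title = req.body.title;
  MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
    // NOTE(review): `err` is not checked; presumably only the find() arguments
    // matter for this fixture, so a failed connect would surface as a TypeError
    // on `db.collection` below.
    let doc = db.collection('doc');
    // NOT OK: query is tainted by user-provided object value
    doc.find(query);
    // OK: user-data is coerced to a string
    // (was `query.body.title`: `query` has no `body` property, so that expression
    // threw a TypeError and carried no taint at all; the intended source is
    // `req.body.title`, which makes this sanitizer case meaningful)
    doc.find({ title: '' + req.body.title });
    // OK: throws unless user-data is a string
    // (same fix as above: read the tainted value from `req`, not `query`)
    doc.find({ title: req.body.title.substr(1) });
    let title = req.body.title;
    if (typeof title === "string") {
      // OK: input checked to be a string
      doc.find({ title: title });
      // NOT OK: input is parsed as JSON after string check
      doc.find({ title: JSON.parse(title) });
    }
  });
});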
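app.get('/:id', (req, res) => {
  // Route parameters are always strings, so this taint cannot carry query
  // operators. Was `req.param.id`: in Express 4 `req.param` is the deprecated
  // `req.param(name)` method, so `.id` on it is always undefined and the query
  // never saw the tainted value; `req.params.id` is the route parameter.
  let query = { id: req.params.id };
  MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
    // NOTE(review): `err` is not checked, consistent with the other handlers in
    // this fixture; a failed connect surfaces as a TypeError on `db.collection`.
    let doc = db.collection('doc');
    // OK: query is tainted, but only by string value
    doc.find(query);
  });
});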
// NOTE(review): this registers the same method and path as the first handler
// above; Express dispatches to the first matching handler and that one never
// calls next(), so this one is unreachable at runtime. That does not affect the
// analysis fixture, but a distinct path would make the example realistic.
app.post('/documents/find', (req, res) => {
  // `req.query.title` is a query-string value; with Express's default (qs)
  // query parser it can also be an object, so like `req.body.title` it is an
  // object-typed taint source.
  const query = {};
  query.title = req.query.title;
  MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
    // NOTE(review): `err` is not checked; a failed connect surfaces as a
    // TypeError on `db.collection`.
    let doc = db.collection('doc');
    // NOT OK: query is tainted by user-provided object value
    doc.find(query);
  });
});