hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
d91218e2489f15d39fa411b04aebac9c801f8722
codeql/javascript/ql/test/query-tests/Security/CWE-089/mongooseJsonParse.js
Asger F 156b94e436 JavaScript: Add model of JSON parsers
2018-08-03 15:27:35 +01:00

26 lines
586 B
JavaScript
Raw Blame History

'use strict';
const Express = require('express');
const BodyParser = require('body-parser');
const Mongoose = require('mongoose');
Mongoose.Promise = global.Promise;
Mongoose.connect('mongodb://localhost/injectable1');
const app = Express();
const Document = Mongoose.model('Document', {
title: {
type: String,
unique: true
},
type: String
});
app.get('/documents/find', (req, res) => {
const query = {};
query.title = JSON.parse(req.query.data).title;
// NOT OK: query is tainted by user-provided object value
Document.find(query);
});
Reference in New Issue View Git Blame Copy Permalink