Merge tests and update .expected

Author: jorgectf

python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.expected

@@ -14,13 +14,20 @@ class Movie(db.Document):
 Movie(title='test').save()
 
 
-@app.route("/")
-def home_page():
+@app.route("/subclass_objects")
+def subclass_objects():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return Movie.objects(__raw__=json_search)
+
+@app.route("/get_db_find")
+def get_db_find():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
 
     retrieved_db = db.get_db()
-    data = retrieved_db["Movie"].find({'name': json_search})
+    return retrieved_db["Movie"].find({'name': json_search})
 
 # if __name__ == "__main__":
 #     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_get_db_bad.py renamed to python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_bad.py

@@ -15,8 +15,16 @@ class Movie(db.Document):
 Movie(title='test').save()
 
 
-@app.route("/")
-def home_page():
+@app.route("/subclass_objects")
+def subclass_objects():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    return Movie.objects(__raw__=safe_search)
+
+@app.route("/get_db_find")
+def get_db_find():
     unsafe_search = request.args['search']
     json_search = json.loads(unsafe_search)
     safe_search = sanitize(json_search)

python/ql/test/experimental/query-tests/Security/CWE-943/flask_mongoengine_db_document_subclass_bad.py

@@ -0,0 +1,64 @@
+from flask import Flask, request
+import mongoengine as me
+from mongoengine.connection import get_db, connect
+import json
+
+app = Flask(__name__)
+
+
+class Movie(me.Document):
+    title = me.StringField(required=True)
+
+
+Movie(title='test').save()
+
+
+@app.route("/connect_find")
+def connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.connect('mydb')  
+    return db.movie.find({'name': json_search})
+
+@app.route("/connection_connect_find")
+def connection_connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = connect('mydb')
+    return db.movie.find({'name': json_search})
+
+@app.route("/get_db_find")
+def get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.get_db()
+    return db.movie.find({'name': json_search})
+
+@app.route("/connection_get_db_find")
+def connection_get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = get_db()
+    return db.movie.find({'name': json_search})
+
+@app.route("/subclass_objects")
+def subclass_objects():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return Movie.objects(__raw__=json_search)
+
+@app.route("/subscript_find")
+def subscript_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.connect('mydb')  
+    return db['movie'].find({'name': json_search})
+
+# if __name__ == "__main__":
+#     app.run(debug=True)