Take back non-trivial tests

Author: jorgectf

python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_bad.py

@@ -21,6 +21,22 @@ def connect_find():
     db = me.connect('mydb')  
     return db.movie.find({'name': json_search})
 
+@app.route("/connection_connect_find")
+def connection_connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = connect('mydb')
+    return db.movie.find({'name': json_search})
+
+@app.route("/get_db_find")
+def get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    db = me.get_db()
+    return db.movie.find({'name': json_search})
+
 @app.route("/connection_get_db_find")
 def connection_get_db_find():
     unsafe_search = request.args['search']

python/ql/test/experimental/query-tests/Security/CWE-943/mongoengine_good.py

@@ -23,6 +23,15 @@ def connect_find():
     db = me.connect('mydb')  
     return db.movie.find({'name': json_search})
 
+@app.route("/connection_connect_find")
+def connection_connect_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    db = connect('mydb')
+    return db.movie.find({'name': json_search})
+
 @app.route("/subclass_objects")
 def subclass_objects():
     unsafe_search = request.args['search']
@@ -31,6 +40,15 @@ def subclass_objects():
 
     return Movie.objects(__raw__=safe_search)
 
+@app.route("/get_db_find")
+def get_db_find():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    db = me.get_db()
+    return db.movie.find({'name': safe_search})
+
 @app.route("/connection_get_db_find")
 def connection_get_db_find():
     unsafe_search = request.args['search']