Merge pull request #5 from RasmusWL/nosql-fixes

Small NoSQL fixes

Author: jorgectf

python/ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp

@@ -20,14 +20,14 @@
   NoSQL injections can be prevented by escaping user-input's special characters that are passed into the NoSQL query from the user-supplied source.
   Alternatively, using a sanitize library such as MongoSanitizer will ensure that user-supplied sources can not act as a malicious query.
   </p>
-<recommendation>
+</recommendation>
 
 <example>
   <p>In the example below, the user-supplied source is passed to a MongoDB function that queries the MongoDB database.</p>
   <sample src="examples/NoSQLInjection-bad.py" />
   <p> This can be fixed by using a sanitizer library like MongoSanitizer as shown in this annotated code version below.</p>
   <sample src="examples/NoSQLInjection-good.py" />
-<example>
+</example>
 
 <references>
   <li>Mongoengine: <a href="http://mongoengine.org/">Documentation</a>.</li>

python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll

@@ -17,7 +17,7 @@ class RFSToDictConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(Decoding decoding | decoding.getFormat() = "JSON" and sink = decoding)
+    exists(Decoding decoding | decoding.getFormat() = "JSON" and sink = decoding.getOutput())
   }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
@@ -32,7 +32,7 @@ class FromDataDictToSink extends TaintTracking2::Configuration {
   FromDataDictToSink() { this = "FromDataDictToSink" }
 
   override predicate isSource(DataFlow::Node source) {
-    exists(Decoding decoding | decoding.getFormat() = "JSON" and source = decoding)
+    exists(Decoding decoding | decoding.getFormat() = "JSON" and source = decoding.getOutput())
   }
 
   override predicate isSink(DataFlow::Node sink) { sink = any(NoSQLQuery noSQLQuery).getQuery() }