add noSQL tests for type-tracking req.query

erik-krogh · erik-krogh · commit 3157cd724d75 · 2020-07-01T11:45:09.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected
@@ -11,6 +11,8 @@
 | mongodb.js:65:3:65:17 | doc.find(query) |
 | mongodb.js:73:5:77:27 | client\\n ...  tag }) |
 | mongodb.js:81:3:85:25 | importe ...  tag }) |
+| mongodb.js:98:5:98:19 | doc.find(query) |
+| mongodb.js:112:5:112:19 | doc.find(query) |
 | mongodb_bodySafe.js:18:7:18:21 | doc.find(query) |
 | mongodb_bodySafe.js:29:7:29:21 | doc.find(query) |
 | mongoose.js:63:2:63:34 | Documen ... then(X) |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -56,6 +56,12 @@ nodes
 | mongodb.js:85:12:85:24 | { tags: tag } |
 | mongodb.js:85:12:85:24 | { tags: tag } |
 | mongodb.js:85:20:85:22 | tag |
+| mongodb.js:106:9:106:18 | query |
+| mongodb.js:106:17:106:18 | {} |
+| mongodb.js:107:17:107:29 | queries.title |
+| mongodb.js:107:17:107:29 | queries.title |
+| mongodb.js:112:14:112:18 | query |
+| mongodb.js:112:14:112:18 | query |
 | mongodb_bodySafe.js:23:11:23:20 | query |
 | mongodb_bodySafe.js:23:19:23:20 | {} |
 | mongodb_bodySafe.js:24:19:24:33 | req.query.title |
@@ -244,6 +250,17 @@ edges
 | mongodb.js:77:22:77:24 | tag | mongodb.js:77:14:77:26 | { tags: tag } |
 | mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
 | mongodb.js:85:20:85:22 | tag | mongodb.js:85:12:85:24 | { tags: tag } |
+| mongodb.js:106:9:106:18 | query | mongodb.js:112:14:112:18 | query |
+| mongodb.js:106:9:106:18 | query | mongodb.js:112:14:112:18 | query |
+| mongodb.js:106:17:106:18 | {} | mongodb.js:106:9:106:18 | query |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:9:106:18 | query |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:9:106:18 | query |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:17:106:18 | {} |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:106:17:106:18 | {} |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query |
+| mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query |
 | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:23:11:23:20 | query | mongodb_bodySafe.js:29:16:29:20 | query |
 | mongodb_bodySafe.js:23:19:23:20 | {} | mongodb_bodySafe.js:23:11:23:20 | query |
@@ -428,6 +445,7 @@ edges
 | mongodb.js:65:12:65:16 | query | mongodb.js:60:16:60:30 | req.query.title | mongodb.js:65:12:65:16 | query | This query depends on $@. | mongodb.js:60:16:60:30 | req.query.title | a user-provided value |
 | mongodb.js:77:14:77:26 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:77:14:77:26 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
 | mongodb.js:85:12:85:24 | { tags: tag } | mongodb.js:70:13:70:25 | req.query.tag | mongodb.js:85:12:85:24 | { tags: tag } | This query depends on $@. | mongodb.js:70:13:70:25 | req.query.tag | a user-provided value |
+| mongodb.js:112:14:112:18 | query | mongodb.js:107:17:107:29 | queries.title | mongodb.js:112:14:112:18 | query | This query depends on $@. | mongodb.js:107:17:107:29 | queries.title | a user-provided value |
 | mongodb_bodySafe.js:29:16:29:20 | query | mongodb_bodySafe.js:24:19:24:33 | req.query.title | mongodb_bodySafe.js:29:16:29:20 | query | This query depends on $@. | mongodb_bodySafe.js:24:19:24:33 | req.query.title | a user-provided value |
 | mongoose.js:24:24:24:30 | [query] | mongoose.js:21:19:21:26 | req.body | mongoose.js:24:24:24:30 | [query] | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:27:20:27:24 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:27:20:27:24 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongodb.js
@@ -84,3 +84,31 @@ app.post("/logs/count-by-tag", (req, res) => {
     // NOT OK: query is tainted by user-provided object value
     .count({ tags: tag });
 });
+
+
+app.get('/:id', (req, res) => {
+  useParams(req.param);
+});
+function useParams(params) {
+  let query = { id: params.id };
+  MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
+    let doc = db.collection('doc');
+
+    // OK: query is tainted, but only by string value
+    doc.find(query);
+  });
+}
+
+app.post('/documents/find', (req, res) => {
+  useQuery(req.query);
+});
+function useQuery(queries) {
+  const query = {};
+  query.title = queries.title;
+  MongoClient.connect('mongodb://localhost:27017/test', (err, db) => {
+    let doc = db.collection('doc');
+
+    // NOT OK: query is tainted by user-provided object value
+    doc.find(query);
+  });
+}
