put string/object in the alert-message for sql-injection

Author: erik-krogh

javascript/ql/src/Security/CWE-089/SqlInjection.ql

@@ -18,12 +18,13 @@ import semmle.javascript.security.dataflow.SqlInjectionQuery as SqlInjection
 import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
 import DataFlow::PathGraph
 
-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string type
 where
   (
-    cfg instanceof SqlInjection::Configuration or
-    cfg instanceof NosqlInjection::Configuration
+    cfg instanceof SqlInjection::Configuration and type = "string"
+    or
+    cfg instanceof NosqlInjection::Configuration and type = "object"
   ) and
   cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),
   "user-provided value"

javascript/ql/src/experimental/heuristics/ql/src/Security/CWE-089/SqlInjection.ql

@@ -20,13 +20,13 @@ import semmle.javascript.security.dataflow.NosqlInjectionQuery as NosqlInjection
 import DataFlow::PathGraph
 import semmle.javascript.heuristics.AdditionalSources
 
-from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+from DataFlow::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink, string type
 where
   (
-    cfg instanceof SqlInjection::Configuration or
-    cfg instanceof NosqlInjection::Configuration
+    cfg instanceof SqlInjection::Configuration and type = "string"
+    or
+    cfg instanceof NosqlInjection::Configuration and type = "object"
   ) and
-  cfg.hasFlowPath(source, sink) and
-  source.getNode() instanceof HeuristicSource
-select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "This query " + type + " depends on a $@.", source.getNode(),
   "user-provided value"

javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected

@@ -37,6 +37,6 @@ edges
 | typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
 | typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
 #select
-| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value |
-| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
-| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
+| typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query object depends on a $@. | typedClient.ts:13:22:13:29 | req.body | user-provided value |
+| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |
+| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query object depends on a $@. | typedClient.ts:21:22:21:29 | req.body | user-provided value |