add failing test

erik-krogh · erik-krogh · commit c355a266572e · 2023-02-14T14:12:35.000+01:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -68,6 +68,17 @@ nodes
 | json-schema-validator.js:59:22:59:26 | query |
 | json-schema-validator.js:61:22:61:26 | query |
 | json-schema-validator.js:61:22:61:26 | query |
+| koarouter.js:5:11:5:33 | version |
+| koarouter.js:5:13:5:19 | version |
+| koarouter.js:5:13:5:19 | version |
+| koarouter.js:11:11:11:28 | conditions |
+| koarouter.js:11:24:11:28 | ['1'] |
+| koarouter.js:14:25:14:46 | `versio ... rsion}` |
+| koarouter.js:14:38:14:44 | version |
+| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
+| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
+| koarouter.js:17:52:17:61 | conditions |
+| koarouter.js:17:52:17:75 | conditi ...  and ') |
 | ldap.js:20:7:20:34 | q |
 | ldap.js:20:11:20:34 | url.par ... , true) |
 | ldap.js:20:21:20:27 | req.url |
@@ -482,6 +493,16 @@ edges
 | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) | json-schema-validator.js:50:15:50:48 | query |
 | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:50:23:50:48 | JSON.pa ... y.data) |
+| koarouter.js:5:11:5:33 | version | koarouter.js:14:38:14:44 | version |
+| koarouter.js:5:13:5:19 | version | koarouter.js:5:11:5:33 | version |
+| koarouter.js:5:13:5:19 | version | koarouter.js:5:11:5:33 | version |
+| koarouter.js:11:11:11:28 | conditions | koarouter.js:17:52:17:61 | conditions |
+| koarouter.js:11:24:11:28 | ['1'] | koarouter.js:11:11:11:28 | conditions |
+| koarouter.js:14:25:14:46 | `versio ... rsion}` | koarouter.js:11:24:11:28 | ['1'] |
+| koarouter.js:14:38:14:44 | version | koarouter.js:14:25:14:46 | `versio ... rsion}` |
+| koarouter.js:17:52:17:61 | conditions | koarouter.js:17:52:17:75 | conditi ...  and ') |
+| koarouter.js:17:52:17:75 | conditi ...  and ') | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
+| koarouter.js:17:52:17:75 | conditi ...  and ') | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` |
 | ldap.js:20:7:20:34 | q | ldap.js:22:18:22:18 | q |
 | ldap.js:20:11:20:34 | url.par ... , true) | ldap.js:20:7:20:34 | q |
 | ldap.js:20:21:20:27 | req.url | ldap.js:20:11:20:34 | url.par ... , true) |
@@ -929,6 +950,7 @@ edges
 | json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
 | json-schema-validator.js:59:22:59:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:59:22:59:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
 | json-schema-validator.js:61:22:61:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:61:22:61:26 | query | This query depends on a $@. | json-schema-validator.js:50:34:50:47 | req.query.data | user-provided value |
+| koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | koarouter.js:5:13:5:19 | version | koarouter.js:17:27:17:77 | `SELECT ... nd ')}` | This query depends on a $@. | koarouter.js:5:13:5:19 | version | user-provided value |
 | ldap.js:28:30:28:34 | opts1 | ldap.js:20:21:20:27 | req.url | ldap.js:28:30:28:34 | opts1 | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
 | ldap.js:32:5:32:61 | { filte ... e}))` } | ldap.js:20:21:20:27 | req.url | ldap.js:32:5:32:61 | { filte ... e}))` } | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
 | ldap.js:66:30:66:53 | { filte ... ilter } | ldap.js:20:21:20:27 | req.url | ldap.js:66:30:66:53 | { filte ... ilter } | This query depends on a $@. | ldap.js:20:21:20:27 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/koarouter.js
@@ -0,0 +1,23 @@
+const Router = require('koa-router')
+const {Sequelize} = require("sequelize");
+
+new Router().get("/hello", (ctx) => {
+    const { version } = ctx.query;
+
+    if (version && validVersion(version) === false) {
+        throw new Error(`invalid version ${version}`);
+    }
+
+    const conditions = ['1'];
+
+    if (version) {
+        conditions.push(`version = ${version}`)
+    }
+
+    new Sequelize().query(`SELECT * FROM t WHERE ${conditions.join(' and ')}`, null); // OK - but still flagged [INCONSISTENCY]
+});
+
+function validVersion(version) {
+    const pattern = /^[a-zA-Z0-9]+$/;
+    return pattern.test(version);
+}
