
Commit 6b9bd8b

committed
JS: adjust tests slightly to also support DatabaseAccess testing
1 parent 7a2faa0 commit 6b9bd8b

2 files changed

Lines changed: 12 additions & 10 deletions


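--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -70,8 +70,8 @@ nodes
 | mongoose.js:57:21:57:25 | query |
 | mongoose.js:60:25:60:29 | query |
 | mongoose.js:60:25:60:29 | query |
-| mongoose.js:63:24:63:28 | query |
-| mongoose.js:63:24:63:28 | query |
+| mongoose.js:63:21:63:25 | query |
+| mongoose.js:63:21:63:25 | query |
 | mongoose.js:65:32:65:36 | query |
 | mongoose.js:65:32:65:36 | query |
 | mongoose.js:67:27:67:31 | query |
@@ -212,8 +212,8 @@ edges
 | mongoose.js:20:11:20:20 | query | mongoose.js:57:21:57:25 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:60:25:60:29 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
-| mongoose.js:20:11:20:20 | query | mongoose.js:63:24:63:28 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:63:21:63:25 | query |
+| mongoose.js:20:11:20:20 | query | mongoose.js:63:21:63:25 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:65:32:65:36 | query |
 | mongoose.js:20:11:20:20 | query | mongoose.js:67:27:67:31 | query |
@@ -257,8 +257,8 @@ edges
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:57:21:57:25 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:60:25:60:29 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
-| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:24:63:28 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:21:63:25 | query |
+| mongoose.js:21:19:21:32 | req.body.title | mongoose.js:63:21:63:25 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:65:32:65:36 | query |
 | mongoose.js:21:19:21:32 | req.body.title | mongoose.js:67:27:67:31 | query |
@@ -335,7 +335,7 @@ edges
 | mongoose.js:54:25:54:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:54:25:54:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:57:21:57:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:57:21:57:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:60:25:60:29 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:60:25:60:29 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
-| mongoose.js:63:24:63:28 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:24:63:28 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongoose.js:63:21:63:25 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:63:21:63:25 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:65:32:65:36 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:65:32:65:36 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:67:27:67:31 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:67:27:67:31 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
 | mongoose.js:68:8:68:12 | query | mongoose.js:21:19:21:26 | req.body | mongoose.js:68:8:68:12 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |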

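--- a/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
+++ b/javascript/ql/test/query-tests/Security/CWE-089/untyped/mongoose.js
@@ -60,12 +60,12 @@ app.post('/documents/find', (req, res) => {
 Document.updateMany(query);
 
 // NOT OK: query is tainted by user-provided object value
-Document.updateOne(query);
+Document.updateOne(query).then(X);
 
-Document.findByIdAndUpdate(X, query); // NOT OK
+Document.findByIdAndUpdate(X, query, function(){}); // NOT OK
 
 new Mongoose.Query(X, Y, query) // NOT OK
-.and(query) // NOT OK
+.and(query, function(){}) // NOT OK
 ;
 
 Document.where(query) // NOT OK
@@ -74,5 +74,7 @@ app.post('/documents/find', (req, res) => {
 .distinct(X, query) // NOT OK
 .comment(query) // OK
 .count(query) // NOT OK
+.exec()
 ;
+
 });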
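Review bot: The new `.exec()` at the end of the `Document.where(query)` chain, and the `.then(X)` / `function(){}` arguments added to `updateOne`, `findByIdAndUpdate` and `.and` above it, are not explained anywhere in the fixture, and since every neighbouring line carries an `// OK` / `// NOT OK` annotation the bare `.exec()` reads as an oversight that a later editor may remove. Judging from the commit title, they are presumably there so that each call is seen as an executed database access rather than a query that is merely built; a one-line comment above `Document.updateOne(query).then(X);` such as `// the .then()/callback/.exec() arguments below make the calls execute, so they also exercise DatabaseAccess modelling` would record that, and `.exec() // executes the chain above; no tainted argument here` would keep the annotation style consistent. The trailing blank line added before `});` in the second hunk serves no purpose and could be dropped. The enclosing `app.post('/documents/find', …)` handler starts outside the hunk.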
