github
diff --git a/‎javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll‎
Lines changed: 280 additions & 19 deletions b/‎javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll‎
Lines changed: 280 additions & 19 deletions
@@ -120,41 +120,69 @@ private module MongoDB {
 
     QueryCall() {
       exists(string m | this = getACollection().getAMethodCall(m) |
-        m = "aggregate" and queryArgIdx = 0
+        CollectionMethodSignatures::interpretsArgumentAsQuery(m, queryArgIdx)
+      )
+    }
+
+    override DataFlow::Node getAQueryArgument() { result = getArgument(queryArgIdx) }
+  }
+
+  /**
+   * Provides signatures for the Collection methods.
+   */
+  module CollectionMethodSignatures {
+    /**
+     * Holds if Collection method `name` interprets parameter `n` as a query.
+     */
+    predicate interpretsArgumentAsQuery(string name, int n) {
+      // FilterQuery
+      (
+        name = "aggregate" and n = 0
+        or
+        name = "count" and n = 0
         or
-        m = "count" and queryArgIdx = 0
+        name = "countDocuments" and n = 0
         or
-        m = "deleteMany" and queryArgIdx = 0
+        name = "deleteMany" and n = 0
         or
-        m = "deleteOne" and queryArgIdx = 0
+        name = "deleteOne" and n = 0
         or
-        m = "distinct" and queryArgIdx = 1
+        name = "distinct" and n = 1
         or
-        m = "find" and queryArgIdx = 0
+        name = "find" and n = 0
         or
-        m = "findOne" and queryArgIdx = 0
+        name = "findOne" and n = 0
         or
-        m = "findOneAndDelete" and queryArgIdx = 0
+        name = "findOneAndDelete" and n = 0
         or
-        m = "findOneAndRemove" and queryArgIdx = 0
+        name = "findOneAndRemove" and n = 0
         or
-        m = "findOneAndDelete" and queryArgIdx = 0
+        name = "findOneAndReplace" and n = 0
         or
-        m = "findOneAndUpdate" and queryArgIdx = 0
+        name = "findOneAndUpdate" and n = 0
         or
-        m = "remove" and queryArgIdx = 0
+        name = "remove" and n = 0
         or
-        m = "replaceOne" and queryArgIdx = 0
+        name = "replaceOne" and n = 0
         or
-        m = "update" and queryArgIdx = 0
+        name = "update" and n = 0
         or
-        m = "updateMany" and queryArgIdx = 0
+        name = "updateMany" and n = 0
         or
-        m = "updateOne" and queryArgIdx = 0
+        name = "updateOne" and n = 0
+      )
+      or
+      // UpdateQuery
+      (
+        name = "findOneAndUpdate" and n = 1
+        or
+        name = "update" and n = 1
+        or
+        name = "updateMany" and n = 1
+        or
+        name = "updateOne" and n = 1
       )
     }
-
-    override DataFlow::Node getAQueryArgument() { result = getArgument(queryArgIdx) }
   }
 
   /**
@@ -184,8 +212,221 @@ private module Mongoose {
   /**
    * A Mongoose collection object.
    */
-  class Model extends MongoDB::Collection {
+  class Model extends DataFlow::SourceNode {
     Model() { this = getAMongooseInstance().getAMemberCall("model") }
+
+    private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
+      result = this and
+      t.start()
+      or
+      exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
+    }
+
+    DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+  }
+
+  /**
+   * Provides signatures for the Model methods.
+   */
+  module ModelMethodSignatures {
+    /**
+     * Holds if Model method `name` interprets parameter `n` as a query.
+     */
+    predicate interpretsArgumentAsQuery(string name, int n) {
+      // implement lots of the MongoDB collection interface
+      MongoDB::CollectionMethodSignatures::interpretsArgumentAsQuery(name, n)
+      or
+      name = "findByIdAndUpdate" and n = 1
+    }
+
+    /**
+     * Holds if Model method `name` returns a Query.
+     */
+    predicate returnsQuery(string name) {
+      name = "$where" or
+      name = "count" or
+      name = "countDocuments" or
+      name = "deleteMany" or
+      name = "deleteOne" or
+      name = "find" or
+      name = "findById" or
+      name = "findByIdAndDelete" or
+      name = "findByIdAndRemove" or
+      name = "findByIdAndUpdate" or
+      name = "findOne" or
+      name = "findOneAndDelete" or
+      name = "findOneAndRemove" or
+      name = "findOneAndReplace" or
+      name = "findOneAndUpdate" or
+      name = "geosearch" or
+      name = "replaceOne" or
+      name = "update" or
+      name = "updateMany" or
+      name = "updateOne" or
+      name = "where"
+    }
+  }
+
+  /**
+   * Provides signatures for the Query methods.
+   */
+  module QueryMethodSignatures {
+    /**
+     * Holds if Query method `name` interprets parameter `n` as a query.
+     */
+    predicate interpretsArgumentAsQuery(string name, int n) {
+      n = 0 and
+      (
+        name = "and" or
+        name = "count" or
+        name = "countDocuments" or
+        name = "deleteMany" or
+        name = "deleteOne" or
+        name = "elemMatch" or
+        name = "find" or
+        name = "findOne" or
+        name = "findOneAndDelete" or
+        name = "findOneAndRemove" or
+        name = "findOneAndReplace" or
+        name = "findOneAndUpdate" or
+        name = "merge" or
+        name = "nor" or
+        name = "or" or
+        name = "remove" or
+        name = "replaceOne" or
+        name = "setQuery" or
+        name = "setUpdate" or
+        name = "update" or
+        name = "updateMany" or
+        name = "updateOne" or
+        name = "where"
+      )
+      or
+      n = 1 and
+      (
+        name = "distinct" or
+        name = "findOneAndUpdate" or
+        name = "update" or
+        name = "updateMany" or
+        name = "updateOne"
+      )
+    }
+
+    /**
+     * Holds if Query method `name` returns a Query.
+     */
+    predicate returnsQuery(string name) {
+      name = "$where" or
+      name = "J" or
+      name = "all" or
+      name = "and" or
+      name = "batchsize" or
+      name = "box" or
+      name = "center" or
+      name = "centerSphere" or
+      name = "circle" or
+      name = "collation" or
+      name = "comment" or
+      name = "count" or
+      name = "countDocuments" or
+      name = "distinct" or
+      name = "elemMatch" or
+      name = "equals" or
+      name = "error" or
+      name = "estimatedDocumentCount" or
+      name = "exists" or
+      name = "explain" or
+      name = "find" or
+      name = "findById" or
+      name = "findOne" or
+      name = "findOneAndRemove" or
+      name = "findOneAndUpdate" or
+      name = "geometry" or
+      name = "get" or
+      name = "gt" or
+      name = "gte" or
+      name = "hint" or
+      name = "in" or
+      name = "intersects" or
+      name = "lean" or
+      name = "limit" or
+      name = "lt" or
+      name = "lte" or
+      name = "map" or
+      name = "map" or
+      name = "maxDistance" or
+      name = "maxTimeMS" or
+      name = "maxscan" or
+      name = "mod" or
+      name = "ne" or
+      name = "near" or
+      name = "nearSphere" or
+      name = "nin" or
+      name = "or" or
+      name = "orFail" or
+      name = "polygon" or
+      name = "populate" or
+      name = "read" or
+      name = "readConcern" or
+      name = "regexp" or
+      name = "remove" or
+      name = "select" or
+      name = "session" or
+      name = "set" or
+      name = "setOptions" or
+      name = "setQuery" or
+      name = "setUpdate" or
+      name = "size" or
+      name = "skip" or
+      name = "slaveOk" or
+      name = "slice" or
+      name = "snapshot" or
+      name = "sort" or
+      name = "update" or
+      name = "w" or
+      name = "where" or
+      name = "within" or
+      name = "wtimeout"
+    }
+  }
+
+  /**
+   * A Mongoose query object as a result of a Model method call.
+   */
+  private class QueryFromModel extends DataFlow::MethodCallNode {
+    QueryFromModel() {
+      exists(string name, Model m |
+        ModelMethodSignatures::returnsQuery(name) and
+        m.ref().getAMethodCall(name) = this
+      )
+    }
+  }
+
+  /**
+   * A Mongoose query object as a result of a Query constructor invocation.
+   */
+  private class QueryFromConstructor extends DataFlow::NewNode {
+    QueryFromConstructor() {
+      this = getAMongooseInstance().getAPropertyRead("Query").getAnInstantiation()
+    }
+  }
+
+  /**
+   * Gets a data flow node referring to a Mongoose query object.
+   */
+  private DataFlow::SourceNode getAQuery(DataFlow::TypeTracker t) {
+    (
+      result instanceof QueryFromConstructor or
+      result instanceof QueryFromModel
+    ) and
+    t.start()
+    or
+    exists(DataFlow::TypeTracker t2, DataFlow::SourceNode succ | succ = getAQuery(t2) |
+      result = succ.track(t2, t)
+      or
+      result = succ.getAMethodCall(any(string name | QueryMethodSignatures::returnsQuery(name))) and
+      t = t2
+    )
   }
 
   /**
@@ -204,4 +445,24 @@ private module Mongoose {
 
     override string getCredentialsKind() { result = kind }
   }
+
+  /**
+   * An expression that is interpreted as a (part of a) MongoDB query.
+   */
+  class MongoDBQueryPart extends NoSQL::Query {
+    MongoDBQueryPart() {
+      exists(Model m, DataFlow::MethodCallNode mcn, string method, int n |
+        ModelMethodSignatures::interpretsArgumentAsQuery(method, n) and
+        mcn = m.ref().getAMethodCall(method) and
+        this = mcn.getArgument(n).asExpr()
+      )
+      or
+      this = any(QueryFromConstructor c).getArgument(2).asExpr()
+      or
+      exists(string method, int n | QueryMethodSignatures::interpretsArgumentAsQuery(method, n) |
+        this =
+          getAQuery(DataFlow::TypeTracker::end()).getAMethodCall(method).getArgument(n).asExpr()
+      )
+    }
+  }
 }