JS: make use of TypeScript types for mongoose Model and Query

esbena · esbena · commit dbeb216af05a · 2020-03-10T09:57:45.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll b/javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll
@@ -213,7 +213,10 @@ private module Mongoose {
    * A Mongoose collection object.
    */
   class Model extends DataFlow::SourceNode {
-    Model() { this = getAMongooseInstance().getAMemberCall("model") }
+    Model() {
+      this = getAMongooseInstance().getAMemberCall("model") or
+      this.hasUnderlyingType("mongoose", "Model")
+    }
 
     private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
       result = this and
@@ -417,7 +420,8 @@ private module Mongoose {
   private DataFlow::SourceNode getAQuery(DataFlow::TypeTracker t) {
     (
       result instanceof QueryFromConstructor or
-      result instanceof QueryFromModel
+      result instanceof QueryFromModel or
+      result.hasUnderlyingType("mongoose", "Query")
     ) and
     t.start()
     or
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/typed/SqlInjection.expected
@@ -7,6 +7,17 @@ nodes
 | typedClient.ts:14:24:14:32 | { id: v } |
 | typedClient.ts:14:24:14:32 | { id: v } |
 | typedClient.ts:14:30:14:30 | v |
+| typedClient.ts:21:7:21:32 | v |
+| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) |
+| typedClient.ts:21:22:21:29 | req.body |
+| typedClient.ts:21:22:21:29 | req.body |
+| typedClient.ts:21:22:21:31 | req.body.x |
+| typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:22:33:22:33 | v |
+| typedClient.ts:23:27:23:35 | { id: v } |
+| typedClient.ts:23:27:23:35 | { id: v } |
+| typedClient.ts:23:33:23:33 | v |
 edges
 | typedClient.ts:13:7:13:32 | v | typedClient.ts:14:30:14:30 | v |
 | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) | typedClient.ts:13:7:13:32 | v |
@@ -15,5 +26,17 @@ edges
 | typedClient.ts:13:22:13:31 | req.body.x | typedClient.ts:13:11:13:32 | JSON.pa ... body.x) |
 | typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
 | typedClient.ts:14:30:14:30 | v | typedClient.ts:14:24:14:32 | { id: v } |
+| typedClient.ts:21:7:21:32 | v | typedClient.ts:22:33:22:33 | v |
+| typedClient.ts:21:7:21:32 | v | typedClient.ts:23:33:23:33 | v |
+| typedClient.ts:21:11:21:32 | JSON.pa ... body.x) | typedClient.ts:21:7:21:32 | v |
+| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x |
+| typedClient.ts:21:22:21:29 | req.body | typedClient.ts:21:22:21:31 | req.body.x |
+| typedClient.ts:21:22:21:31 | req.body.x | typedClient.ts:21:11:21:32 | JSON.pa ... body.x) |
+| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:22:33:22:33 | v | typedClient.ts:22:27:22:35 | { id: v } |
+| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
+| typedClient.ts:23:33:23:33 | v | typedClient.ts:23:27:23:35 | { id: v } |
 #select
 | typedClient.ts:14:24:14:32 | { id: v } | typedClient.ts:13:22:13:29 | req.body | typedClient.ts:14:24:14:32 | { id: v } | This query depends on $@. | typedClient.ts:13:22:13:29 | req.body | a user-provided value |
+| typedClient.ts:22:27:22:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:22:27:22:35 | { id: v } | This query depends on $@. | typedClient.ts:21:22:21:29 | req.body | a user-provided value |
+| typedClient.ts:23:27:23:35 | { id: v } | typedClient.ts:21:22:21:29 | req.body | typedClient.ts:23:27:23:35 | { id: v } | This query depends on $@. | typedClient.ts:21:22:21:29 | req.body | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/shim.d.ts b/javascript/ql/test/query-tests/Security/CWE-089/typed/shim.d.ts
@@ -3,3 +3,11 @@ declare module "mongodb" {
     find(query: any): any;
   }
 }
+declare module "mongoose" {
+  interface Model {
+    find(query: any): any;
+  }
+  interface Query {
+    find(query: any): any;
+  }
+}
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts b/javascript/ql/test/query-tests/Security/CWE-089/typed/typedClient.ts
@@ -1,15 +1,24 @@
 import * as mongodb from "mongodb";
 
-const express = require('express') as any;
-const bodyParser = require('body-parser') as any;
+const express = require("express") as any;
+const bodyParser = require("body-parser") as any;
 
 declare function getCollection(): mongodb.Collection;
 
 let app = express();
 
 app.use(bodyParser.json());
 
-app.post('/find', (req, res) => {
+app.post("/find", (req, res) => {
   let v = JSON.parse(req.body.x);
   getCollection().find({ id: v }); // NOT OK
 });
+
+import * as mongoose from "mongoose";
+declare function getMongooseModel(): mongoose.Model;
+declare function getMongooseQuery(): mongoose.Query;
+app.post("/find", (req, res) => {
+  let v = JSON.parse(req.body.x);
+  getMongooseModel().find({ id: v }); // NOT OK
+  getMongooseQuery().find({ id: v }); // NOT OK
+});

Original file line number	Diff line number	Diff line change
`@@ -3,3 +3,11 @@ declare module "mongodb" {`
`3`	`3`	`find(query: any): any;`
`4`	`4`	`}`
`5`	`5`	`}`
	`6`	`+declare module "mongoose" {`
	`7`	`+ interface Model {`
	`8`	`+ find(query: any): any;`
	`9`	`+ }`
	`10`	`+ interface Query {`
	`11`	`+ find(query: any): any;`
	`12`	`+ }`
	`13`	`+}`