add consistency-checking for CWE-089

Author: erik-krogh

javascript/ql/src/semmle/javascript/frameworks/NoSQL.qll

@@ -302,6 +302,8 @@ private module Mongoose {
         MongoDB::CollectionMethodSignatures::interpretsArgumentAsQuery(name, n)
         or
         name = "findByIdAndUpdate" and n = 1
+        or
+        name = "where" and n = 0
       }
 
       /**

javascript/ql/test/query-tests/Security/CWE-079/Consistency.ql

@@ -1,6 +1,5 @@
 import javascript
 import testUtilities.ConsistencyChecking
-
 import semmle.javascript.security.dataflow.DomBasedXss as DomXss
 import semmle.javascript.security.dataflow.ReflectedXss as ReflectedXss
 import semmle.javascript.security.dataflow.StoredXss as StoredXss

javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.expected

@@ -0,0 +1,4 @@
+import javascript
+import testUtilities.ConsistencyChecking
+import semmle.javascript.security.dataflow.SqlInjection
+import semmle.javascript.security.dataflow.NosqlInjection

javascript/ql/test/query-tests/Security/CWE-089/untyped/Consistency.ql

@@ -16,24 +16,24 @@
 | mongoose.js:63:2:63:34 | Documen ... then(X) |
 | mongoose.js:65:2:65:51 | Documen ... on(){}) |
 | mongoose.js:67:2:68:27 | new Mon ... on(){}) |
-| mongoose.js:71:2:77:9 | Documen ... .exec() |
-| mongoose.js:84:2:84:52 | Documen ... query)) |
+| mongoose.js:71:5:78:9 | Documen ... .exec() |
 | mongoose.js:85:2:85:52 | Documen ... query)) |
-| mongoose.js:86:2:86:57 | Documen ... query)) |
+| mongoose.js:86:2:86:52 | Documen ... query)) |
 | mongoose.js:87:2:87:57 | Documen ... query)) |
-| mongoose.js:88:2:88:52 | Documen ... query)) |
-| mongoose.js:89:2:89:55 | Documen ... query)) |
-| mongoose.js:91:2:91:52 | Documen ... query)) |
-| mongoose.js:92:2:92:49 | Documen ... query)) |
-| mongoose.js:93:2:93:57 | Documen ... query)) |
-| mongoose.js:94:2:94:54 | Documen ... query)) |
-| mongoose.js:95:2:95:52 | Documen ... query)) |
+| mongoose.js:88:2:88:57 | Documen ... query)) |
+| mongoose.js:89:2:89:52 | Documen ... query)) |
+| mongoose.js:90:2:90:55 | Documen ... query)) |
+| mongoose.js:92:2:92:52 | Documen ... query)) |
+| mongoose.js:93:2:93:49 | Documen ... query)) |
+| mongoose.js:94:2:94:57 | Documen ... query)) |
+| mongoose.js:95:2:95:54 | Documen ... query)) |
 | mongoose.js:96:2:96:52 | Documen ... query)) |
-| mongoose.js:98:2:98:50 | Documen ... query)) |
+| mongoose.js:97:2:97:52 | Documen ... query)) |
+| mongoose.js:99:2:99:50 | Documen ... query)) |
 | socketio.js:11:5:11:54 | db.run( ... ndle}`) |
 | tst2.js:7:3:7:62 | sql.que ... ms.id}` |
 | tst2.js:9:3:9:85 | new sql ...  + "'") |
-| tst3.js:10:3:12:4 | pool.qu ... ts\\n  }) |
-| tst3.js:17:3:19:4 | pool.qu ... ts\\n  }) |
+| tst3.js:9:3:11:4 | pool.qu ... ts\\n  }) |
+| tst3.js:16:3:18:4 | pool.qu ... ts\\n  }) |
 | tst4.js:8:3:8:67 | db.get( ...  + '"') |
 | tst.js:10:3:10:65 | db.get( ...  + '"') |

javascript/ql/test/query-tests/Security/CWE-089/untyped/DatabaseAccesses.expected

@@ -68,7 +68,8 @@ app.post('/documents/find', (req, res) => {
 		.and(query, function(){}) // NOT OK
 	;
 
-	Document.where(query)	// NOT OK
+    Document.where(query)	// NOT OK - `.where()` on a Model. 
+        .where(query)	// NOT OK - `.where()` on a Query. 
 		.and(query) // NOT OK
 		.or(query) // NOT OK
 		.distinct(X, query) // NOT OK

javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected

@@ -4,10 +4,9 @@ const pg = require('pg');
 const pool = new pg.Pool(config);
 
 function handler(req, res) {
-  // BAD: the category might have SQL special characters in it
   var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
              + req.params.category + "' ORDER BY PRICE";
-  pool.query(query1, [], function(err, results) {
+  pool.query(query1, [], function(err, results) { // BAD: the category might have SQL special characters in it
     // process results
   });