Tutorials:

- [pymongo](https://pymongo.readthedocs.io/en/stable/tutorial.html)

- [install mongodb](https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-os-x/#std-label-install-mdb-community-macos)

I recommend creating a virtual environment with venv and then installing dependencies via

Start mongodb:

run flask app:

Navigate to the root to see routes. For each route try to get the system to reveal the person in the database. If you know the name, you can just input it, but in some cases you can get to the person without knowing the name!

from flask import Flask, request

from pymongo import MongoClient

import json

client = MongoClient()

db = client.test_database

posts = db.posts

app = Flask(__name__)

def show_post(post, query):

if post:

return "You found " + post['author'] + "!"

else:

return "You did not find " + query

def plain():

author = request.args['author']

post = posts.find_one({'author': author}) # $ result=OK

return show_post(post, author)

def as_dict():

author_string = request.args['author']

author = json.loads(author_string)

# Use {"$ne": 1} as author

# Found by http://127.0.0.1:5000/dict?author={%22$ne%22:1}

post = posts.find_one({'author': author}) # $ result=BAD

return show_post(post, author)

def as_dict_hardened():

author_string = request.args['author']

author = json.loads(author_string)

post = posts.find_one({'author': {"$eq": author}}) # $ SPURIOUS: result=BAD

return show_post(post, author)

def by_where():

author = request.args['author']

# Use `" | "a" === "a` as author

# making the query `this.author === "" | "a" === "a"`

# Found by http://127.0.0.1:5000/byWhere?author=%22%20|%20%22a%22%20===%20%22a

post = posts.find_one({'$where': 'this.author === "'+author+'"'}) # $ MISSING: result=BAD

return show_post(post, author)

def show_routes():

links = []

for rule in app.url_map.iter_rules():

if "GET" in rule.methods:

links.append((rule.rule, rule.endpoint))

return links

semmle-extractor-options: --max-import-depth=1 -r PoC