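--- a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/PoC
+++ b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/PoC
@@ -46,6 +46,32 @@ def by_where():
     post = posts.find_one({'$where': 'this.author === "' + author + '"'}) # $ result=BAD
     return show_post(post, author)
 
+
+@app.route('/byFunction', methods=['GET'])
+def by_function():
+    author = request.args['author']
+    search = {
+        "body": 'function(author) { return(author === "' + author + '") }',
+        "args": ["$author"],
+        "lang": "js"
+    }
+    # Use `" | "a" === "a` as author
+    # making the query `this.author === "" | "a" === "a"`
+    # Found by http://127.0.0.1:5000/byFunction?author=%22%20|%20%22a%22%20===%20%22a
+    post = posts.find_one({'$expr': {'$function': search}}) # $ MISING: result=BAD
+    return show_post(post, author)
+
+@app.route('/byFunctionArg', methods=['GET'])
+def by_function_arg():
+    author = request.args['author']
+    search = {
+        "body": 'function(author, target) { return(author === target) }',
+        "args": ["$author", author],
+        "lang": "js"
+    }
+    post = posts.find_one({'$expr': {'$function': search}}) # $ result=OK
+    return show_post(post, author)
+
 @app.route('/', methods=['GET'])
 def show_routes():
     links = []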
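Review bot: The inline expectation on the `find_one` line of `by_function` is misspelled, `# $ MISING: result=BAD`; the CodeQL inline-expectations framework recognises `MISSING:` as the marker for a known-but-unreported result, and a misspelt marker is presumably parsed as an ordinary expectation or dropped, so the known false negative would not be recorded as intended — it should read `# $ MISSING: result=BAD`. The comment above it says the payload makes the query `this.author === "" | "a" === "a"`, but the injected body is `function(author) { return(author === "…") }`, so the comment should say `author === "" | "a" === "a"` to match the code. The `/byFunctionArg` route is the right contrast case — binding the request value through `args` keeps it out of the JavaScript source, so `result=OK` is correct — and a one-line comment there would make the intent explicit, e.g. `# author is passed as a $function argument, never spliced into the JS body`. Since `$function` only exists on MongoDB 4.4 and later and requires server-side JavaScript to be enabled, noting that next to the `Found by` URL would make the PoC reproducible.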