Python: add test for $accumulator

yoff · yoff · commit 5611bda7ee7a · 2023-09-19T17:04:28.000+02:00
diff --git a/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/PoC/server.py b/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/PoC/server.py
@@ -71,6 +71,26 @@ def by_function_arg():
     post = posts.find_one({'$expr': {'$function': search}}) # $ result=OK
     return show_post(post, author)
 
+@app.route('/byGroup', methods=['GET'])
+def by_group():
+    author = request.args['author']
+    accumulator = {
+        "init": 'function() { return "Not found" }',
+        "accumulate": 'function(state, author) { return (author === "'+author+'") ? author : state }',
+        "accumulateArgs": ["$author"],
+        "merge": 'function(state1, state2) { return (state1 === "Not found") ? state2 : state1 }'
+    }
+    group = {
+        "_id": "null",
+        "author": { "$accumulator": accumulator }
+    }
+    # Use `" | "a" === "a` as author
+    # making the query `this.author === "" | "a" === "a"`
+    # Found by http://127.0.0.1:5000/byGroup?author=%22%20|%20%22a%22%20===%20%22a
+    post = posts.aggregate([{ "$group": group }]).next() # $ MISSING: result=BAD
+    app.logger.error("post", post)
+    return show_post(post, author)
+
 @app.route('/', methods=['GET'])
 def show_routes():
     links = []
