Skip to content

JS: remove the second argument of findByIdAndUpdate as a NoSQL sink #13381

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 13, 2023
Merged

JS: remove the second argument of findByIdAndUpdate as a NoSQL sink #13381

merged 2 commits into from
Jun 13, 2023

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Jun 6, 2023
edited
Loading

2 things:

  1. I was looking at findByIdAndUpdate, and I was surprised we flag the second argument as a NoSQL sink.
    See doc: https://mongoosejs.com/docs/tutorials/findoneandupdate.html. The second argument is the data given to the update function, so I'm unsure how that could be unsafe?

  2. A friend of mine likes to use mongoose.Types.ObjectId.isValid as a sanitizer for NoSQL injection.
    The function checks if an input is a string of a certain length, so it is a nice sanitizer for object-injection in general.
    I therefore decided to put it in TaintedObject.qll, let me know if you want it somewhere else.
    The function is used a decent amount in the wild.

Evaluation looks good.
There is one lost result, where we no longer flag the second argument on a call to update.
(We still flag the first argument to that same call).

@github-actions github-actions bot added the JS label Jun 6, 2023
@erik-krogh erik-krogh marked this pull request as ready for review June 9, 2023 17:57
@erik-krogh erik-krogh requested a review from a team as a code owner June 9, 2023 17:57
@asgerf
Copy link
Contributor

asgerf commented Jun 10, 2023

I was looking at findByIdAndUpdate, and I was surprised we flag the second argument as a NoSQL sink.

I remember also being surprised at this when porting the SQL models to MaD. As far as I understand, Mongoose lets you use MongoDB update operators in updates, so they are sinks for the same reason they are sinks in MongoDB.

@calumgrant calumgrant requested a review from asgerf June 12, 2023 08:41
@erik-krogh
Copy link
Contributor Author

I remember also being surprised at this when porting the SQL models to MaD. As far as I understand, Mongoose lets you use MongoDB update operators in updates, so they are sinks for the same reason they are sinks in MongoDB.

The documentation states: Note that update(), updateMany(), findOneAndUpdate(), etc. do not execute save() middleware. If you need save middleware and full validation, first query for the document and then save() it.

So should the second argument just be removed for those methods?

@asgerf
Copy link
Contributor

asgerf commented Jun 12, 2023

The issue with save() and middlewares is not important. What matters is that these functions treat their second argument as update operators.

@erik-krogh erik-krogh force-pushed the mongooseFindByIdAndUpdate branch from d504c93 to 95c02db Compare June 12, 2023 14:35
@erik-krogh erik-krogh requested a review from a team as a code owner June 12, 2023 14:35
@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Jun 12, 2023
@github-actions
Copy link
Contributor

QHelp previews:

@erik-krogh
Copy link
Contributor Author

I see. I get it now.

I rebased away the part about removing the second argument of findByIdAndUpdate etc. as a sink.

@erik-krogh erik-krogh force-pushed the mongooseFindByIdAndUpdate branch from 95c02db to cd6f738 Compare June 12, 2023 14:38
@erik-krogh erik-krogh removed the request for review from a team June 12, 2023 14:38
@erik-krogh
Copy link
Contributor Author

Sorry for the spurious Python ping. My local main was dirty, and I accidentally pushed that here.

asgerf
asgerf approved these changes Jun 13, 2023
View reviewed changes
Copy link
Contributor

@asgerf asgerf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@erik-krogh erik-krogh merged commit 4dc596f into github:main Jun 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erik-krogh @asgerf