Python: List NoSQL injection sinks

2023-09-29 13:16:50 +02:00 · 2023-09-29 13:16:50 +02:00 · d7ad5a0f23
--- a/python/ql/src/meta/alerts/TaintSinks.ql
+++ b/python/ql/src/meta/alerts/TaintSinks.ql
@ -58,6 +58,10 @@ DataFlow::Node relevantTaintSink(string kind) {
    or
    kind = "RegexInjection" and result instanceof RegexInjection::Sink
    or
+    kind = "NoSqlInjection (string sink)" and result instanceof NoSqlInjection::StringSink
+    or
+    kind = "NoSqlInjection (dict sink)" and result instanceof NoSqlInjection::DictSink
+    or
    kind = "ServerSideRequestForgery" and result instanceof ServerSideRequestForgery::Sink
    or
    kind = "SqlInjection" and result instanceof SqlInjection::Sink