Closed plbbowden1 closed 6 months ago
I'm having the same issue - not sure what's up here.
Hi @plbbowden1,
Thanks for reporting this. I've forwarded this to our JS team, and they'll take a look at this soon 👍
Thanks for the detailed report.
Yes, this is something our analysis doesn't cover.
Covering the specific FN you mention just requires adding the below:
class TypeORMSink extends SQL::SqlString {
TypeORMSink() {
this = API::Node::ofType("typeorm", "Repository").getMember("query").getParameter(0).asSink()
}
}
A more complete model for TypeORM will require a lot more work, and I'm not sure when we'll have time for that.
I've added an internal issue about it.
We do have an experimental model for TypeORM, but that model doesn't cover your example.
Thank you for your response, @erik-krogh! I'll go ahead and close out this issue.
Description of the issue I am testing CodeQL on a simple NestJS test repo before bringing it into our enterprise CI/CD pipeline, and I am receiving a false negative from the SQLInjection query (CWE-089) in the javascript library.
Code samples quote.controller.ts
quote.service.ts
quote.entity.ts
dataSourceOptions (for TypeORM configuration)
CodeQL Rule Rule ID: js/sql-injection
Environment typescript (5.1.3) NodeJS (18.17.0) NestJS (10.0.1) TypeORM (10.0.0)
Thank you for your time!