Merge pull request #19762 from trailofbits/VF/type-orm-model-improvements

asgerf · web-flow · commit 3247babfa5e8 · 2025-06-30T10:40:38.000+02:00
Improve TypeORM model
diff --git a/javascript/ql/src/experimental/semmle/javascript/SQL.qll b/javascript/ql/src/experimental/semmle/javascript/SQL.qll
@@ -146,11 +146,42 @@ module ExperimentalSql {
       override DataFlow::Node getAQueryArgument() { result = this.getArgument(0) }
     }
 
+    /**
+     * A call to a TypeORM `Repository` (https://orkhan.gitbook.io/typeorm/docs/repository-api)
+     */
+    private class RepositoryCall extends DatabaseAccess {
+      API::Node repository;
+
+      RepositoryCall() {
+        (
+          repository = API::moduleImport("typeorm").getMember("Repository").getInstance() or
+          repository = dataSource().getMember("getRepository").getReturn()
+        ) and
+        this = repository.getMember(_).asSource()
+      }
+
+      override DataFlow::Node getAResult() {
+        result =
+          repository
+              .getMember([
+                  "find", "findBy", "findOne", "findOneBy", "findOneOrFail", "findOneByOrFail",
+                  "findAndCount", "findAndCountBy"
+                ])
+              .getReturn()
+              .asSource()
+      }
+
+      override DataFlow::Node getAQueryArgument() {
+        result = repository.getMember("query").getParameter(0).asSink()
+      }
+    }
+
     /** An expression that is passed to the `query` function and hence interpreted as SQL. */
     class QueryString extends SQL::SqlString {
       QueryString() {
         this = any(QueryRunner qr).getAQueryArgument() or
-        this = any(QueryBuilderCall qb).getAQueryArgument()
+        this = any(QueryBuilderCall qb).getAQueryArgument() or
+        this = any(RepositoryCall rc).getAQueryArgument()
       }
     }
   }
diff --git a/javascript/ql/test/experimental/TypeOrm/test.ts b/javascript/ql/test/experimental/TypeOrm/test.ts
@@ -217,4 +217,9 @@ AppDataSource.initialize().then(async () => {
                 qb.where(BadInput).orWhere(BadInput)   // test: SQLInjectionPoint
             }),
         ).getMany()
+
+    // Repository.query sink
+    await AppDataSource.getRepository(User2)
+        .query(BadInput)    // test: SQLInjectionPoint
+
 }).catch(error => console.log(error))
diff --git a/javascript/ql/test/experimental/TypeOrm/tests.expected b/javascript/ql/test/experimental/TypeOrm/tests.expected
@@ -29,4 +29,5 @@ passingPositiveTests
 | PASSED | SQLInjectionPoint | test.ts:210:28:210:53 | // test ... onPoint |
 | PASSED | SQLInjectionPoint | test.ts:213:56:213:81 | // test ... onPoint |
 | PASSED | SQLInjectionPoint | test.ts:217:56:217:81 | // test ... onPoint |
+| PASSED | SQLInjectionPoint | test.ts:223:29:223:54 | // test ... onPoint |
 failingPositiveTests
