Merge pull request #3410 from semgrep/merge-develop-to-release

Merge Develop into Release

javascript/express/security/injection/tainted-sql-string.js

@@ -41,6 +41,20 @@ app.get('/test4', (req, res) => {
   res.send(results)
 })
 
+app.get('/test5', (req, res) => {
+  // ruleid: tainted-sql-string
+  const query = util.format("UPDATE User SET name = '' WHERE id = '%s'", req.query.message)
+  const [results, metadata] = await sequelize.query(query);
+  res.send(results)
+})
+
+app.get('/test6', (req, res) => {
+    // ruleid: tainted-sql-string
+    const query = util.format("UPDATE %s SET name = '' WHERE id = 0", req.query.table)
+    const [results, metadata] = await sequelize.query(query);
+    res.send(results)
+  })
+
 app.get('/ok', async (req, res) => {
     // ok: tainted-sql-string
     res.send("message: " + req.query.message);
@@ -64,4 +78,10 @@ app.post('/ok4', async (req, res) => {
     res.send(data);
 })
 
+app.post('/ok5', async (req, res) => {
+    // ok: tainted-sql-string
+    var data = "This is an update message: " + req.query.message
+    res.send(data);
+})
+
 app.listen(port, () => console.log(`Example app listening at http://localhost:${port}`))

javascript/express/security/injection/tainted-sql-string.yaml

@@ -70,5 +70,5 @@ rules:
               `$SQLSTR${$EXPR}...`
         - metavariable-regex:
             metavariable: $SQLSTR
-            regex: .*\b(?i)(select|delete|insert|create|update|alter|drop)\b.*
+            regex: .*\b(?i)(select|delete|insert|create|update\s+.+\sset|alter|drop)\b.*
     - focus-metavariable: $EXPR