From 59711424bd88abf2caf7fb7459f471ea778baf9e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Mon, 28 Jun 2021 11:48:28 +0200
Subject: [PATCH 1/2] Python: Fix qhelp for NoSQL injection
---
.../ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp b/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp
index 9771f8fd0d98..2bfd56820103 100644
--- a/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-943/NoSQLInjection.qhelp
@@ -20,14 +20,14 @@
NoSQL injections can be prevented by escaping user-input's special characters that are passed into the NoSQL query from the user-supplied source.
Alternatively, using a sanitize library such as MongoSanitizer will ensure that user-supplied sources can not act as a malicious query.
-
+
In the example below, the user-supplied source is passed to a MongoDB function that queries the MongoDB database.
This can be fixed by using a sanitizer library like MongoSanitizer as shown in this annotated code version below.
-
+
Mongoengine: Documentation.
From 318694ccc86bc2251493e06b4b0e1a7dac6e206e Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Mon, 28 Jun 2021 13:17:45 +0200
Subject: [PATCH 2/2] Python: Don't rely on `d = d.getOutput()` for `Decoding`
Although that does hold for `json.loads` and the like.
---
.../semmle/python/security/injection/NoSQLInjection.qll | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll b/python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll
index b15a844605c1..fb3890d2f7e9 100644
--- a/python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/injection/NoSQLInjection.qll
@@ -17,7 +17,7 @@ class RFSToDictConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
- exists(Decoding decoding | decoding.getFormat() = "JSON" and sink = decoding)
+ exists(Decoding decoding | decoding.getFormat() = "JSON" and sink = decoding.getOutput())
}
override predicate isSanitizer(DataFlow::Node sanitizer) {
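Review bot: The test `exists(Decoding decoding | decoding.getFormat() = "JSON" and <node> = decoding.getOutput())` is now spelled out identically on the changed line here and again in the `FromDataDictToSink.isSource` hunk below; a shared predicate would keep the two configurations from drifting the way the sink/source node choice just did, e.g. `predicate isJsonDecodingOutput(DataFlow::Node node) { exists(Decoding d | d.getFormat() = "JSON" and node = d.getOutput()) }` with the overrides reduced to `isJsonDecodingOutput(sink)` and `isJsonDecodingOutput(source)`. The `"JSON"` filter also deserves a short comment stating that only JSON decoding is modelled as the origin of the attacker-controlled dict, so a reader knows remote input decoded by other formats is presumably not tracked by this query and can decide whether that is intended. The enclosing class `RFSToDictConfig` begins before this hunk.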
@@ -32,7 +32,7 @@ class FromDataDictToSink extends TaintTracking2::Configuration {
FromDataDictToSink() { this = "FromDataDictToSink" }
override predicate isSource(DataFlow::Node source) {
- exists(Decoding decoding | decoding.getFormat() = "JSON" and source = decoding)
+ exists(Decoding decoding | decoding.getFormat() = "JSON" and source = decoding.getOutput())
}
override predicate isSink(DataFlow::Node sink) { sink = any(NoSQLQuery noSQLQuery).getQuery() }