hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20911 from asgerf/js/next-folders

Browse Source 
JS: Fix project layout detection for Next.js apps
This commit is contained in:
Asger F
2025-11-26 09:09:54 +01:00
committed by GitHub
parent 85cb3e026c 5b4e114955
commit 0245b9d609
5 changed files with 50 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
javascript/ql/lib/semmle/javascript/frameworks/Next.qll
View File

@@ -13,12 +13,31 @@ module NextJS {
*/
PackageJson getANextPackage() { result.getDependencies().getADependency("next", _) }
bindingset[base, name]
pragma[inline_late]
private Folder getOptionalFolder(Folder base, string name) {
result = base.getFolder(name)
or
not exists(base.getFolder(name)) and
result = base
}
private Folder packageRoot() { result = getANextPackage().getFile().getParentContainer() }
private Folder srcRoot() { result = getOptionalFolder(packageRoot(), "src") }
private Folder appRoot() { result = srcRoot().getFolder("app") }
private Folder pagesRoot() { result = [srcRoot(), appRoot()].getFolder("pages") }
private Folder apiRoot() { result = [pagesRoot(), appRoot()].getFolder("api") }
/**
* Gets a "pages" folder in a `Next.js` application.
* JavaScript files inside these folders are mapped to routes.
*/
Folder getAPagesFolder() {
result = getANextPackage().getFile().getParentContainer().getFolder("pages")
result = pagesRoot()
or
result = getAPagesFolder().getAFolder()
}
@@ -217,8 +236,7 @@ module NextJS {
* the App Router (`app/api/`) Next.js 13+ structures.
*/
Folder apiFolder() {
result =
getANextPackage().getFile().getParentContainer().getFolder(["pages", "app"]).getFolder("api") or
result = apiRoot() or
result = apiFolder().getAFolder()
}

4
javascript/ql/src/change-notes/2025-11-25-nextjs-project-layout.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in the `app/pages` folder.

4
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
View File

@@ -35,6 +35,8 @@
| app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
| app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
@@ -365,6 +367,8 @@ nodes
| app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body |
| app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body |
| app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body |
| app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url |
| app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url |
| etherpad.js:9:5:9:12 | response | semmle.label | response |
| etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp |
| etherpad.js:11:12:11:19 | response | semmle.label | response |

2
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
View File

@@ -34,6 +34,8 @@
| app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
| app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| live-server.js:6:13:6:50 | `<html> ... /html>` | Cross-site scripting vulnerability due to $@. | live-server.js:4:21:4:27 | req.url | user-provided value |

19
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/pages/Next2.jsx Normal file
View File

@@ -0,0 +1,19 @@
export default function Post() {
return <span />;
}
Post.getInitialProps = async (ctx) => {
const req = ctx.req;
const res = ctx.res;
res.end(req.url); // $ Alert
return {}
}
export async function getServerSideProps(ctx) {
const req = ctx.req;
const res = ctx.res;
res.end(req.url); // $ Alert
return {
props: {}
}
}