JS: Improve pg model

2026-05-02 12:15:17 +02:00 · 2021-03-29 16:41:42 +01:00
parent 937a620f4d
commit 0b21b273ed
4 changed files with 37 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -134,7 +134,20 @@ private module Postgres {
    // pool.connect(function(err, client) { ... })
    result = pool().getMember("connect").getParameter(0).getParameter(1)
    or
+    // await pool.connect()
+    result = pool().getMember("connect").getReturn().getPromised()
+    or
    result = pgpConnection().getMember("client")
+    or
+    exists(API::CallNode call |
+      call = pool().getMember("on").getACall() and
+      call.getArgument(0).getStringValue() = ["connect", "acquire"] and
+      result = call.getParameter(1).getParameter(0)
+    )
+    or
+    result = client().getMember("on").getReturn()
+    or
+    result = API::Node::ofType("pg", ["Client", "PoolClient"])
  }

  /** Gets a constructor that when invoked constructs a new connection pool. */
@@ -151,6 +164,10 @@ private module Postgres {
    result = newPool().getInstance()
    or
    result = pgpDatabase().getMember("$pool")
+    or
+    result = pool().getMember("on").getReturn()
+    or
+    result = API::Node::ofType("pg", "Pool")
  }

  /** A call to the Postgres `query` method. */
@@ -162,7 +179,11 @@ private module Postgres {

  /** An expression that is passed to the `query` method and hence interpreted as SQL. */
  class QueryString extends SQL::SqlString {
-    QueryString() { this = any(QueryCall qc).getAQueryArgument().asExpr() }
+    QueryString() {
+      this = any(QueryCall qc).getAQueryArgument().asExpr()
+      or
+      this = API::moduleImport("pg-cursor").getParameter(0).getARhs().asExpr()
+    }
  }

  /** An expression that is passed as user name or password when creating a client or a pool. */
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -23,8 +23,12 @@
 | mysqlImport.js:3:18:5:1 | {\\n    s ... = ?',\\n} |
 | postgres1.js:37:21:37:24 | text |
 | postgres2.js:30:16:30:41 | 'SELECT ... number' |
+| postgres2.js:43:15:43:26 | 'SELECT 123' |
+| postgres2.js:46:15:46:47 | new Cur ... users') |
+| postgres2.js:46:26:46:46 | 'SELECT ...  users' |
 | postgres3.js:15:16:15:40 | 'SELECT ... s name' |
 | postgres5.js:8:21:8:25 | query |
+| postgres-types.ts:4:18:4:29 | 'SELECT 123' |
 | postgresImport.js:4:18:4:43 | 'SELECT ... number' |
 | sequelize2.js:10:17:10:118 | 'SELECT ... Y name' |
 | sequelize.js:8:17:8:118 | 'SELECT ... Y name' |
--- a/javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts
+++ b/javascript/ql/test/library-tests/frameworks/SQL/postgres-types.ts
@@ -0,0 +1,5 @@
+import { Client } from "pg";
+
+function submitSomething(client: Client) {
+    client.query('SELECT 123');
+}
--- a/javascript/ql/test/library-tests/frameworks/SQL/postgres2.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/postgres2.js
@@ -38,3 +38,9 @@ pool.connect(function(err, client, done) {
    //output: 1 
  });
 });
+
+let client2 = await pool.connect();
+client2.query('SELECT 123');
+
+const Cursor = require('pg-cursor');
+client2.query(new Cursor('SELECT * from users'));