JS: Introduce TemplateInstantiation

2026-04-30 03:05:15 +02:00 · 2021-07-15 15:33:50 +02:00
parent 8fe2d84d53
commit 1474c0788b
2 changed files with 63 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -972,4 +972,29 @@ module Express {
            .getParameter(0)
    }
  }
+
+  /**
+   * A call to the Express `res.render()` method, seen as a template instantiation.
+   */
+  private class RenderCallAsTemplateInstantiation extends Templating::TemplateInstantiaton::Range, DataFlow::CallNode {
+    RenderCallAsTemplateInstantiation() {
+      this = any(ResponseSource res).ref().getAMethodCall("render")
+    }
+
+    override DataFlow::Node getTemplateFileNode() {
+      result = getArgument(0)
+    }
+
+    override DataFlow::Node getTemplateContentNode() {
+      none()
+    }
+
+    override DataFlow::Node getTemplateParamsNode() {
+      result = getArgument(1)
+    }
+
+    override DataFlow::SourceNode getOutput() {
+      result = getCallback(2).getParameter(1)
+    }
+  }
 }
--- a/javascript/ql/src/semmle/javascript/frameworks/Templating.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Templating.qll
@@ -117,4 +117,42 @@ module Templating {
      result = getScope().getVariable(name).getAnAccess().flow()
    }
  }
+
+  /**
+   * A place where a template is instantiated or rendered.
+   */
+  class TemplateInstantiaton extends DataFlow::Node {
+    TemplateInstantiaton::Range range;
+  
+    TemplateInstantiaton() { this = range }
+
+    /** Gets a data flow node that refers to the instantiated template string, if any. */
+    DataFlow::SourceNode getOutput() { result = range.getOutput() }
+
+    /** Gets a data flow node that refers a template file to be instantiated, if any. */
+    DataFlow::Node getTemplateFileNode() { result = range.getTemplateFileNode() }
+
+    /** Gets a data flow node that refers to the contents of the template to be instantiated, if any. */
+    DataFlow::Node getTemplateContentNode() { result = range.getTemplateContentNode() }
+
+    /** Gets a data flow node that refers to an object whose properties become variables in the template. */
+    DataFlow::Node getTemplateParamsNode() { result = range.getTemplateParamsNode() }
+  }
+
+  /** Companion module to the `TemplateInstantiation` class. */
+  module TemplateInstantiaton {
+    abstract class Range extends DataFlow::Node {
+      /** Gets a data flow node that refers to the instantiated template, if any. */
+      abstract DataFlow::SourceNode getOutput();
+  
+      /** Gets a data flow node that refers a template file to be instantiated, if any. */
+      abstract DataFlow::Node getTemplateFileNode();
+  
+      /** Gets a data flow node that refers to the contents of the template to be instantiated, if any. */
+      abstract DataFlow::Node getTemplateContentNode();
+  
+      /** Gets a data flow node that refers to an object whose properties become variables in the template. */
+      abstract DataFlow::Node getTemplateParamsNode();
+    }
+  }
 }