JS: add HTTP::RequestInputAccess.getAHeaderName()

2026-04-29 10:45:15 +02:00 · 2018-09-24 16:49:42 +01:00
parent f7775f36a8
commit 1b4fc93e9d
13 changed files with 71 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -503,6 +503,19 @@ module Express {
    override string getKind() {
      result = kind
    }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      exists (string name |
+        name = this.(DataFlow::PropRead).getPropertyName()
+        or
+        this.(DataFlow::CallNode).getArgument(0).mayHaveStringValue(name)
+        |
+        if name = "hostname" then
+          result = "host"
+        else
+          result = name.toLowerCase())
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -399,8 +399,17 @@ module HTTP {
     * Note that this predicate is functional.
     */
    abstract string getKind();
+
+    /**
+     * Gets the lower-case name of an HTTP header from which this input is derived,
+     * if this can be determined.
+     *
+     * When the input is not derived from a header, or the header name is
+     * unknown, this has no result.
+     */
+    string getAHeaderName() { none() }
  }
-  
+
  /**
   * A node that looks like a route setup on a server.
   *
--- a/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll
@@ -144,6 +144,11 @@ module Hapi {
    override string getKind() {
      result = kind
    }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
@@ -212,6 +212,17 @@ module Koa {
    override string getKind() {
      result = kind
    }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      (
+        result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+        or
+        exists (string name |
+          this.(DataFlow::CallNode).getArgument(0).mayHaveStringValue(name) and
+          result = name.toLowerCase())
+      )
+    }
  }

  /**
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -161,6 +161,11 @@ module NodeJSLib {
    override string getKind() {
      result = kind
    }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+    }
  }

  class RouteSetup extends CallExpr, HTTP::Servers::StandardRouteSetup {