change ResponseBody to a DataFlow::Node

2026-05-02 12:15:17 +02:00 · 2022-03-30 13:09:54 +02:00
parent 19e808186d
commit 24b845589d
10 changed files with 16 additions and 21 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -766,7 +766,7 @@ module Express {
  private class ResponseSendArgument extends HTTP::ResponseSendArgument {
    ResponseSource response;

-    ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0).asExpr() }
+    ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0) }

    override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
  }
@@ -794,7 +794,7 @@ module Express {
    TemplateObjectInput obj;

    TemplateInput() {
-      obj.getALocalSource().(DataFlow::ObjectLiteralNode).hasPropertyWrite(_, this.flow())
+      obj.getALocalSource().(DataFlow::ObjectLiteralNode).hasPropertyWrite(_, this)
    }

    override RouteHandler getRouteHandler() { result = obj.getRouteHandler() }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
@@ -340,9 +340,9 @@ module Fastify {
    RouteHandler rh;

    ResponseSendArgument() {
-      this = rh.getAResponseSource().ref().getAMethodCall("send").getArgument(0).asExpr()
+      this = rh.getAResponseSource().ref().getAMethodCall("send").getArgument(0)
      or
-      this = rh.(DataFlow::FunctionNode).getAReturn().asExpr()
+      this = rh.(DataFlow::FunctionNode).getAReturn()
    }

    override RouteHandler getRouteHandler() { result = rh }
--- a/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
@@ -117,7 +117,7 @@ module HTTP {
  /**
   * An expression whose value is sent as (part of) the body of an HTTP response.
   */
-  abstract class ResponseBody extends Expr {
+  abstract class ResponseBody extends DataFlow::Node {
    /**
     * Gets the route handler that sends this expression.
     */
--- a/javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll
@@ -270,7 +270,7 @@ module Hapi {
  private class HandlerReturn extends HTTP::ResponseSendArgument {
    RouteHandler handler;

-    HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn().asExpr() }
+    HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn() }

    override RouteHandler getRouteHandler() { result = handler }
  }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Koa.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Koa.qll
@@ -412,8 +412,7 @@ module Koa {

    ResponseSendArgument() {
      exists(DataFlow::PropWrite pwn |
-        pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body",
-          DataFlow::valueNode(this))
+        pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body", this)
      )
    }

--- a/javascript/ql/lib/semmle/javascript/frameworks/Micro.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Micro.qll
@@ -104,7 +104,7 @@ private module Micro {

    MicroSendArgument() {
      send = moduleMember("micro", ["send", "sendError"]).getACall() and
-      this = send.getLastArgument().asExpr()
+      this = send.getLastArgument()
    }

    override HTTP::RouteHandler getRouteHandler() {
--- a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -349,10 +349,10 @@ module NestJS {

    ReturnValueAsResponseSend() {
      handler.isReturnValueReflected() and
-      this = handler.getAReturn().asExpr() and
+      this = handler.getAReturn() and
      // Only returned strings are sinks
      not exists(Type type |
-        type = getType() and
+        type = this.asExpr().getType() and
        not isStringType(type.unfold())
      )
    }
--- a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -363,9 +363,9 @@ module NodeJSLib {
    HTTP::RouteHandler rh;

    ResponseSendArgument() {
-      exists(MethodCallExpr mce, string m | m = "write" or m = "end" |
-        mce.calls(any(ResponseExpr e | e.getRouteHandler() = rh), m) and
-        this = mce.getArgument(0) and
+      exists(DataFlow::MethodCallNode mcn, string m | m = "write" or m = "end" |
+        mcn.calls(any(ResponseExpr e | e.getRouteHandler() = rh).flow(), m) and
+        this = mcn.getArgument(0) and
        // don't mistake callback functions as data
        not this.analyze().getAValue() instanceof AbstractFunction
      )
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -24,10 +24,8 @@ module ReflectedXss {
   * a content type that does not (case-insensitively) contain the string "html". This
   * is to prevent us from flagging plain-text or JSON responses as vulnerable.
   */
-  class HttpResponseSink extends Sink, DataFlow::ValueNode {
-    override HTTP::ResponseSendArgument astNode;
-
-    HttpResponseSink() { not exists(getANonHtmlHeaderDefinition(astNode)) }
+  class HttpResponseSink extends Sink instanceof HTTP::ResponseSendArgument {
+    HttpResponseSink() { not exists(getANonHtmlHeaderDefinition(this)) }
  }

  /**
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureCustomizations.qll
@@ -32,7 +32,5 @@ module StackTraceExposure {
   * An expression that can become part of an HTTP response body, viewed
   * as a data flow sink for stack trace exposure vulnerabilities.
   */
-  class DefaultSink extends Sink, DataFlow::ValueNode {
-    override HTTP::ResponseBody astNode;
-  }
+  class DefaultSink extends Sink instanceof HTTP::ResponseBody { }
 }