hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

split out type-tracking into two predicates, to avoid catastrophic join-order

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-07-02 14:28:28 +02:00
parent 3157cd724d
commit 2b0a091921
1 changed files with 18 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
javascript/ql/src/semmle/javascript/frameworks/Express.qll
View File

@@ -464,16 +464,23 @@ module Express {
}
/**
* Gets a reference to the "query" or "params" object from a request-object originating from route-handler `rh`.
* Gets a reference to the "query" object from a request-object originating from route-handler `rh`.
*/
DataFlow::SourceNode getAQueryObjectReference(
DataFlow::TypeTracker t, RouteHandler rh, string prop
) {
prop = ["params", "query"] and
t.startInProp(prop) and
DataFlow::SourceNode getAQueryObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
t.startInProp("query") and
result = rh.getARequestSource()
or
exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh, prop).track(t2, t))
exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh).track(t2, t))
}
/**
* Gets a reference to the "params" object from a request-object originating from route-handler `rh`.
*/
DataFlow::SourceNode getAParamsObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
t.startInProp("params") and
result = rh.getARequestSource()
or
exists(DataFlow::TypeTracker t2 | result = getAParamsObjectReference(t2, rh).track(t2, t))
}
/**
@@ -485,7 +492,9 @@ module Express {
RequestInputAccess() {
kind = "parameter" and
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh, _).getAPropertyRead()
this =
[getAQueryObjectReference(DataFlow::TypeTracker::end(), rh),
getAParamsObjectReference(DataFlow::TypeTracker::end(), rh)].getAPropertyRead()
or
exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() |
kind = "parameter" and
@@ -534,7 +543,7 @@ module Express {
or
// `req.query.name`
kind = "parameter" and
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh, "query").getAPropertyRead()
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh).getAPropertyRead()
}
}