mirror of
https://github.com/github/codeql.git
synced 2026-04-28 18:25:24 +02:00
deprecate RequestExpr and ResponseExpr and use ResponseNode and RequestNode instead
This commit is contained in:
Erik Krogh Kristensen
committed by
erik-krogh
erik-krogh
parent
9cb7522bc1
commit
30d929909c
@@ -42,10 +42,10 @@ module SinkEndpointFilter {
|
||||
result = "modeled database access"
|
||||
or
|
||||
// Remove calls to APIs that aren't relevant to NoSQL injection
|
||||
call.getReceiver().asExpr() instanceof HTTP::RequestExpr and
|
||||
call.getReceiver() instanceof HTTP::RequestNode and
|
||||
result = "receiver is a HTTP request expression"
|
||||
or
|
||||
call.getReceiver().asExpr() instanceof HTTP::ResponseExpr and
|
||||
call.getReceiver() instanceof HTTP::ResponseNode and
|
||||
result = "receiver is a HTTP response expression"
|
||||
)
|
||||
or
|
||||
|
||||
@@ -108,22 +108,24 @@ module Connect {
|
||||
override string getCredentialsKind() { result = kind }
|
||||
}
|
||||
|
||||
class RequestExpr = NodeJSLib::RequestExpr;
|
||||
deprecated class RequestExpr = NodeJSLib::RequestExpr;
|
||||
|
||||
class RequestNode = NodeJSLib::RequestNode;
|
||||
|
||||
/**
|
||||
* An access to a user-controlled Connect request input.
|
||||
*/
|
||||
private class RequestInputAccess extends HTTP::RequestInputAccess {
|
||||
RequestExpr request;
|
||||
private class RequestInputAccess extends HTTP::RequestInputAccess instanceof DataFlow::MethodCallNode {
|
||||
RequestNode request;
|
||||
string kind;
|
||||
|
||||
RequestInputAccess() {
|
||||
request.getRouteHandler() instanceof StandardRouteHandler and
|
||||
exists(PropAccess cookies |
|
||||
exists(DataFlow::PropRead cookies |
|
||||
// `req.cookies.get(<name>)`
|
||||
kind = "cookie" and
|
||||
cookies.accesses(request, "cookies") and
|
||||
this.asExpr().(MethodCallExpr).calls(cookies, "get")
|
||||
super.calls(cookies, "get")
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -409,22 +409,24 @@ module Express {
|
||||
*
|
||||
* `kind` is one of: "error", "request", "response", "next", or "parameter".
|
||||
*/
|
||||
abstract Parameter getRouteHandlerParameter(string kind);
|
||||
abstract Parameter getRouteHandlerParameter(string kind); // TODO: DataFlow::ParameterNode
|
||||
|
||||
/**
|
||||
* Gets the parameter of the route handler that contains the request object.
|
||||
*/
|
||||
Parameter getRequestParameter() { result = this.getRouteHandlerParameter("request") }
|
||||
Parameter getRequestParameter() { result = this.getRouteHandlerParameter("request") } // TODO: DataFlow::ParameterNode
|
||||
|
||||
/**
|
||||
* Gets the parameter of the route handler that contains the response object.
|
||||
*/
|
||||
Parameter getResponseParameter() { result = this.getRouteHandlerParameter("response") }
|
||||
Parameter getResponseParameter() { result = this.getRouteHandlerParameter("response") } // TODO: DataFlow::ParameterNode
|
||||
|
||||
/**
|
||||
* Gets a request body access of this handler.
|
||||
*/
|
||||
Expr getARequestBodyAccess() { result.(PropAccess).accesses(this.getARequestExpr(), "body") }
|
||||
Expr getARequestBodyAccess() {
|
||||
result.(PropAccess).accesses(this.getARequestNode().asExpr(), "body")
|
||||
} // TODO: DataFlow::Node
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -448,7 +450,8 @@ module Express {
|
||||
* Holds if `call` is a chainable method call on the response object of `handler`.
|
||||
*/
|
||||
private predicate isChainableResponseMethodCall(RouteHandler handler, MethodCallExpr call) {
|
||||
exists(string name | call.calls(handler.getAResponseExpr(), name) |
|
||||
// TODO: DataFlow::MethodCallNode
|
||||
exists(string name | call.calls(handler.getAResponseNode().asExpr(), name) |
|
||||
name =
|
||||
[
|
||||
"append", "attachment", "location", "send", "sendStatus", "set", "status", "type", "vary",
|
||||
@@ -516,16 +519,32 @@ module Express {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseNode` instead.
|
||||
* An Express response expression.
|
||||
*/
|
||||
class ResponseExpr extends NodeJSLib::ResponseExpr {
|
||||
deprecated class ResponseExpr extends NodeJSLib::ResponseExpr {
|
||||
ResponseExpr() { this.flow() instanceof ResponseNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* An Express response expression.
|
||||
*/
|
||||
class ResponseNode extends NodeJSLib::ResponseNode {
|
||||
override ResponseSource src;
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RequestNode` instead.
|
||||
* An Express request expression.
|
||||
*/
|
||||
deprecated class RequestExpr extends NodeJSLib::RequestExpr {
|
||||
RequestExpr() { this.flow() instanceof RequestNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* An Express request expression.
|
||||
*/
|
||||
class RequestExpr extends NodeJSLib::RequestExpr {
|
||||
class RequestNode extends NodeJSLib::RequestNode {
|
||||
override RequestSource src;
|
||||
}
|
||||
|
||||
@@ -679,12 +698,12 @@ module Express {
|
||||
/**
|
||||
* Holds if `e` is an HTTP request object.
|
||||
*/
|
||||
predicate isRequest(Expr e) { any(RouteHandler rh).getARequestExpr() = e } // TODO: DataFlow::Node
|
||||
predicate isRequest(Expr e) { any(RouteHandler rh).getARequestNode().asExpr() = e } // TODO: DataFlow::Node
|
||||
|
||||
/**
|
||||
* Holds if `e` is an HTTP response object.
|
||||
*/
|
||||
predicate isResponse(Expr e) { any(RouteHandler rh).getAResponseExpr() = e } // TODO: DataFlow::Node
|
||||
predicate isResponse(Expr e) { any(RouteHandler rh).getAResponseNode().asExpr() = e } // TODO: DataFlow::Node
|
||||
|
||||
/**
|
||||
* An access to the HTTP request body.
|
||||
@@ -696,9 +715,7 @@ module Express {
|
||||
abstract private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
|
||||
HeaderDefinition() { isResponse(this.getReceiver().asExpr()) }
|
||||
|
||||
override RouteHandler getRouteHandler() {
|
||||
this.getReceiver().asExpr() = result.getAResponseExpr()
|
||||
}
|
||||
override RouteHandler getRouteHandler() { this.getReceiver() = result.getAResponseNode() }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -876,9 +893,7 @@ module Express {
|
||||
*
|
||||
* Example: `router2` for `router1.use(router2)` or `router1.use("/route2", router2)`
|
||||
*/
|
||||
RouterDefinition getASubRouter() {
|
||||
result.ref().flowsTo(this.getARouteSetup().getAnArgument())
|
||||
}
|
||||
RouterDefinition getASubRouter() { result.ref().flowsTo(this.getARouteSetup().getAnArgument()) }
|
||||
|
||||
/**
|
||||
* Gets a route handler registered on this router.
|
||||
@@ -948,7 +963,7 @@ module Express {
|
||||
DataFlow::MethodCallNode {
|
||||
ResponseSendFileAsFileSystemAccess() {
|
||||
exists(string name | name = "sendFile" or name = "sendfile" |
|
||||
this.calls(any(ResponseExpr res).flow(), name)
|
||||
this.calls(any(ResponseNode res), name)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -208,16 +208,30 @@ module HTTP {
|
||||
final Servers::ResponseSource getAResponseSource() { result.getRouteHandler() = this }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getARequestNode()` instead.
|
||||
* Gets an expression that contains a request object handled
|
||||
* by this handler.
|
||||
*/
|
||||
RequestExpr getARequestExpr() { result.getRouteHandler() = this } // TODO: DataFlow::Node
|
||||
deprecated RequestExpr getARequestExpr() { result.flow() = this.getARequestNode() }
|
||||
|
||||
/**
|
||||
* Gets an expression that contains a request object handled
|
||||
* by this handler.
|
||||
*/
|
||||
RequestNode getARequestNode() { result.getRouteHandler() = this }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `getAResponseNode()` instead.
|
||||
* Gets an expression that contains a response object provided
|
||||
* by this handler.
|
||||
*/
|
||||
deprecated ResponseExpr getAResponseExpr() { result.flow() = this.getAResponseNode() }
|
||||
|
||||
/**
|
||||
* Gets an expression that contains a response object provided
|
||||
* by this handler.
|
||||
*/
|
||||
ResponseExpr getAResponseExpr() { result.getRouteHandler() = this } // TODO: DataFlow::Node
|
||||
ResponseNode getAResponseNode() { result.getRouteHandler() = this }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -244,26 +258,40 @@ module HTTP {
|
||||
*/
|
||||
abstract class RouteSetup extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* An expression that may contain a request object.
|
||||
*/
|
||||
abstract class RequestExpr extends Expr {
|
||||
// TODO: DataFlow::Node
|
||||
/**
|
||||
* Gets the route handler that handles this request.
|
||||
*/
|
||||
/** A dataflow node that may contain a request object. */
|
||||
abstract class RequestNode extends DataFlow::Node {
|
||||
/** Gets the route handler that handles this request. */
|
||||
abstract RouteHandler getRouteHandler();
|
||||
}
|
||||
|
||||
/** An dataflow node that may contain a response object. */
|
||||
abstract class ResponseNode extends DataFlow::Node {
|
||||
/** Gets the route handler that handles this request. */
|
||||
abstract RouteHandler getRouteHandler();
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression that may contain a response object.
|
||||
* DEPRECATED: Use `RequestNode` instead.
|
||||
* An expression that may contain a request object.
|
||||
*/
|
||||
abstract class ResponseExpr extends Expr {
|
||||
// TODO: DataFlow::Node
|
||||
deprecated class RequestExpr extends Expr {
|
||||
RequestExpr() { this.flow() instanceof ResponseNode }
|
||||
|
||||
/**
|
||||
* Gets the route handler that handles this request.
|
||||
*/
|
||||
abstract RouteHandler getRouteHandler();
|
||||
RouteHandler getRouteHandler() { result = this.flow().(ResponseNode).getRouteHandler() }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseNode` instead.
|
||||
* An expression that may contain a response object.
|
||||
*/
|
||||
deprecated class ResponseExpr extends Expr {
|
||||
/**
|
||||
* Gets the route handler that handles this request.
|
||||
*/
|
||||
RouteHandler getRouteHandler() { result = this.flow().(ResponseNode).getRouteHandler() }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -366,10 +394,10 @@ module HTTP {
|
||||
/**
|
||||
* A request expression arising from a request source.
|
||||
*/
|
||||
class StandardRequestExpr extends RequestExpr {
|
||||
class StandardRequestNode extends RequestNode {
|
||||
RequestSource src;
|
||||
|
||||
StandardRequestExpr() { src.ref().flowsTo(DataFlow::valueNode(this)) }
|
||||
StandardRequestNode() { src.ref().flowsTo(this) }
|
||||
|
||||
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
||||
}
|
||||
@@ -377,14 +405,38 @@ module HTTP {
|
||||
/**
|
||||
* A response expression arising from a response source.
|
||||
*/
|
||||
class StandardResponseExpr extends ResponseExpr {
|
||||
class StandardResponseNode extends ResponseNode {
|
||||
ResponseSource src;
|
||||
|
||||
StandardResponseExpr() { src.ref().flowsTo(DataFlow::valueNode(this)) }
|
||||
StandardResponseNode() { src.ref().flowsTo(this) }
|
||||
|
||||
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A request expression arising from a request source.
|
||||
*/
|
||||
deprecated class StandardRequestExpr extends RequestExpr {
|
||||
RequestSource src;
|
||||
|
||||
StandardRequestExpr() { src.ref().flowsToExpr(this) }
|
||||
|
||||
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A response expression arising from a response source.
|
||||
*/
|
||||
deprecated class StandardResponseExpr extends ResponseExpr {
|
||||
ResponseSource src;
|
||||
|
||||
StandardResponseExpr() { src.ref().flowsToExpr(this) }
|
||||
|
||||
override RouteHandler getRouteHandler() {
|
||||
result = this.flow().(StandardResponseNode).getRouteHandler()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A standard header definition.
|
||||
*/
|
||||
|
||||
@@ -49,9 +49,9 @@ module Hapi {
|
||||
* of a request object.
|
||||
*/
|
||||
private class ResponseSource extends HTTP::Servers::ResponseSource {
|
||||
RequestExpr req;
|
||||
RequestNode req;
|
||||
|
||||
ResponseSource() { asExpr().(PropAccess).accesses(req, "response") }
|
||||
ResponseSource() { this.(DataFlow::PropRead).accesses(req, "response") }
|
||||
|
||||
/**
|
||||
* Gets the route handler that provides this response.
|
||||
@@ -74,19 +74,33 @@ module Hapi {
|
||||
override RouteHandler getRouteHandler() { result = rh }
|
||||
}
|
||||
|
||||
// TODO: DataFlow::Node
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseNode` instead.
|
||||
* A Hapi response expression.
|
||||
*/
|
||||
class ResponseExpr extends HTTP::Servers::StandardResponseExpr {
|
||||
deprecated class ResponseExpr extends HTTP::Servers::StandardResponseExpr {
|
||||
ResponseExpr() { this.flow() instanceof ResponseNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Hapi response node.
|
||||
*/
|
||||
class ResponseNode extends HTTP::Servers::StandardResponseNode {
|
||||
override ResponseSource src;
|
||||
}
|
||||
|
||||
// TODO: DataFlow::Node
|
||||
/**
|
||||
* DEPRECATED: Use `RequestNode` instead.
|
||||
* An Hapi request expression.
|
||||
*/
|
||||
class RequestExpr extends HTTP::Servers::StandardRequestExpr {
|
||||
deprecated class RequestExpr extends HTTP::Servers::StandardRequestExpr {
|
||||
RequestExpr() { this.flow() instanceof RequestNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Hapi request node.
|
||||
*/
|
||||
class RequestNode extends HTTP::Servers::StandardRequestNode {
|
||||
override RequestSource src;
|
||||
}
|
||||
|
||||
@@ -98,38 +112,38 @@ module Hapi {
|
||||
string kind;
|
||||
|
||||
RequestInputAccess() {
|
||||
exists(Expr request | request = rh.getARequestExpr() |
|
||||
exists(DataFlow::Node request | request = rh.getARequestNode() |
|
||||
kind = "body" and
|
||||
(
|
||||
// `request.rawPayload`
|
||||
this.asExpr().(PropAccess).accesses(request, "rawPayload")
|
||||
this.(DataFlow::PropRead).accesses(request, "rawPayload")
|
||||
or
|
||||
exists(PropAccess payload |
|
||||
exists(DataFlow::PropRead payload |
|
||||
// `request.payload.name`
|
||||
payload.accesses(request, "payload") and
|
||||
this.asExpr().(PropAccess).accesses(payload, _)
|
||||
this.(DataFlow::PropRead).accesses(payload, _)
|
||||
)
|
||||
)
|
||||
or
|
||||
kind = "parameter" and
|
||||
exists(PropAccess query |
|
||||
exists(DataFlow::PropRead query |
|
||||
// `request.query.name`
|
||||
query.accesses(request, "query") and
|
||||
this.asExpr().(PropAccess).accesses(query, _)
|
||||
this.(DataFlow::PropRead).accesses(query, _)
|
||||
)
|
||||
or
|
||||
exists(PropAccess url |
|
||||
exists(DataFlow::PropRead url |
|
||||
// `request.url.path`
|
||||
kind = "url" and
|
||||
url.accesses(request, "url") and
|
||||
this.asExpr().(PropAccess).accesses(url, "path")
|
||||
this.(DataFlow::PropRead).accesses(url, "path")
|
||||
)
|
||||
or
|
||||
exists(PropAccess state |
|
||||
exists(DataFlow::PropRead state |
|
||||
// `request.state.<name>`
|
||||
kind = "cookie" and
|
||||
state.accesses(request, "state") and
|
||||
this.asExpr().(PropAccess).accesses(state, _)
|
||||
this.(DataFlow::PropRead).accesses(state, _)
|
||||
)
|
||||
)
|
||||
or
|
||||
@@ -151,11 +165,11 @@ module Hapi {
|
||||
RouteHandler rh;
|
||||
|
||||
RequestHeaderAccess() {
|
||||
exists(Expr request | request = rh.getARequestExpr() |
|
||||
exists(PropAccess headers |
|
||||
exists(DataFlow::Node request | request = rh.getARequestNode() |
|
||||
exists(DataFlow::PropRead headers |
|
||||
// `request.headers.<name>`
|
||||
headers.accesses(request, "headers") and
|
||||
this.asExpr().(PropAccess).accesses(headers, _)
|
||||
this.(DataFlow::PropRead).accesses(headers, _)
|
||||
)
|
||||
)
|
||||
}
|
||||
@@ -173,11 +187,11 @@ module Hapi {
|
||||
* An HTTP header defined in a Hapi server.
|
||||
*/
|
||||
private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
|
||||
ResponseExpr res;
|
||||
ResponseNode res;
|
||||
|
||||
HeaderDefinition() {
|
||||
// request.response.header('Cache-Control', 'no-cache')
|
||||
this.calls(res.flow(), "header")
|
||||
this.calls(res, "header")
|
||||
}
|
||||
|
||||
override RouteHandler getRouteHandler() { result = res.getRouteHandler() }
|
||||
|
||||
@@ -27,7 +27,7 @@ module Koa {
|
||||
this.calls(rh.getAResponseOrContextExpr().flow(), "set")
|
||||
or
|
||||
// ctx.response.header('Cache-Control', 'no-cache')
|
||||
this.calls(rh.getAResponseExpr().flow(), "header")
|
||||
this.calls(rh.getAResponseNode(), "header")
|
||||
}
|
||||
|
||||
override RouteHandler getRouteHandler() { result = rh }
|
||||
@@ -60,7 +60,7 @@ module Koa {
|
||||
*/
|
||||
Expr getAResponseOrContextExpr() {
|
||||
// TODO: DataFlow::Node
|
||||
result = this.getAResponseExpr() or result = this.getAContextExpr()
|
||||
result = this.getAResponseNode().asExpr() or result = this.getAContextExpr()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -68,7 +68,8 @@ module Koa {
|
||||
* object of a route handler invocation.
|
||||
*/
|
||||
Expr getARequestOrContextExpr() {
|
||||
result = this.getARequestExpr() or result = this.getAContextExpr()
|
||||
// TODO: DataFlow::Node
|
||||
result = this.getARequestNode().asExpr() or result = this.getAContextExpr()
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -266,16 +267,32 @@ module Koa {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RequestNode` instead.
|
||||
* An expression that may hold a Koa request object.
|
||||
*/
|
||||
class RequestExpr extends HTTP::Servers::StandardRequestExpr {
|
||||
deprecated class RequestExpr extends HTTP::Servers::StandardRequestExpr {
|
||||
RequestExpr() { this.flow() instanceof RequestNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression that may hold a Koa request object.
|
||||
*/
|
||||
class RequestNode extends HTTP::Servers::StandardRequestNode {
|
||||
override RequestSource src;
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseNode` instead.
|
||||
* An expression that may hold a Koa response object.
|
||||
*/
|
||||
deprecated class ResponseExpr extends HTTP::Servers::StandardResponseExpr {
|
||||
ResponseExpr() { this.flow() instanceof ResponseNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression that may hold a Koa response object.
|
||||
*/
|
||||
class ResponseExpr extends HTTP::Servers::StandardResponseExpr {
|
||||
class ResponseNode extends HTTP::Servers::StandardResponseNode {
|
||||
override ResponseSource src;
|
||||
}
|
||||
|
||||
@@ -311,7 +328,7 @@ module Koa {
|
||||
this.asExpr().(PropAccess).accesses(e, "params")
|
||||
or
|
||||
// `ctx.request.body`
|
||||
e instanceof RequestExpr and
|
||||
e.flow() instanceof RequestNode and
|
||||
kind = "body" and
|
||||
this.asExpr().(PropAccess).accesses(e, "body")
|
||||
or
|
||||
|
||||
@@ -349,8 +349,8 @@ private module Pino {
|
||||
or
|
||||
// `pino` is installed as the "log" property on the request object in `Express` and similar libraries.
|
||||
// in `Hapi` the property is "logger".
|
||||
exists(HTTP::RequestExpr req, API::Node reqNode |
|
||||
reqNode.asSource() = req.flow().getALocalSource() and
|
||||
exists(HTTP::RequestNode req, API::Node reqNode |
|
||||
reqNode.asSource() = req.getALocalSource() and
|
||||
result = reqNode.getMember(["log", "logger"])
|
||||
)
|
||||
}
|
||||
|
||||
@@ -62,11 +62,19 @@ private module Micro {
|
||||
override HTTP::RouteHandler getRouteHandler() { result = h }
|
||||
}
|
||||
|
||||
class MicroRequestExpr extends NodeJSLib::RequestExpr {
|
||||
deprecated class MicroRequestExpr extends NodeJSLib::RequestExpr {
|
||||
override MicroRequestSource src;
|
||||
}
|
||||
|
||||
class MicroReseponseExpr extends NodeJSLib::ResponseExpr {
|
||||
class MicroRequestNode extends NodeJSLib::RequestNode {
|
||||
override MicroRequestSource src;
|
||||
}
|
||||
|
||||
deprecated class MicroReseponseExpr extends NodeJSLib::ResponseExpr {
|
||||
override MicroResponseSource src;
|
||||
}
|
||||
|
||||
class MicroResponseNode extends NodeJSLib::ResponseNode {
|
||||
override MicroResponseSource src;
|
||||
}
|
||||
|
||||
|
||||
@@ -66,12 +66,34 @@ module NodeJSLib {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseNode` instead.
|
||||
* A Node.js HTTP response.
|
||||
*
|
||||
* A server library that provides an (enhanced) NodesJS HTTP response
|
||||
* object should implement a library specific subclass of this class.
|
||||
*/
|
||||
abstract class ResponseExpr extends HTTP::Servers::StandardResponseExpr { }
|
||||
deprecated class ResponseExpr extends HTTP::Servers::StandardResponseExpr {
|
||||
ResponseExpr() { this.flow() instanceof ResponseNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Node.js HTTP response.
|
||||
*
|
||||
* A server library that provides an (enhanced) NodesJS HTTP response
|
||||
* object should implement a library specific subclass of this class.
|
||||
*/
|
||||
abstract class ResponseNode extends HTTP::Servers::StandardResponseNode { }
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RequestNode` instead.
|
||||
* A Node.js HTTP request.
|
||||
*
|
||||
* A server library that provides an (enhanced) NodesJS HTTP request
|
||||
* object should implement a library specific subclass of this class.
|
||||
*/
|
||||
deprecated class RequestExpr extends HTTP::Servers::StandardRequestExpr {
|
||||
RequestExpr() { this.flow() instanceof RequestNode }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Node.js HTTP request.
|
||||
@@ -79,7 +101,7 @@ module NodeJSLib {
|
||||
* A server library that provides an (enhanced) NodesJS HTTP request
|
||||
* object should implement a library specific subclass of this class.
|
||||
*/
|
||||
abstract class RequestExpr extends HTTP::Servers::StandardRequestExpr { }
|
||||
abstract class RequestNode extends HTTP::Servers::StandardRequestNode { }
|
||||
|
||||
/**
|
||||
* A function used as an Node.js server route handler.
|
||||
@@ -148,36 +170,52 @@ module NodeJSLib {
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BuiltinRouteHandlerResponseNode` instead.
|
||||
* A builtin Node.js HTTP response.
|
||||
*/
|
||||
private class BuiltinRouteHandlerResponseExpr extends ResponseExpr {
|
||||
deprecated private class BuiltinRouteHandlerResponseExpr extends ResponseExpr {
|
||||
BuiltinRouteHandlerResponseExpr() { src instanceof ResponseSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* A builtin Node.js HTTP response.
|
||||
*/
|
||||
private class BuiltinRouteHandlerResponseNode extends ResponseNode {
|
||||
BuiltinRouteHandlerResponseNode() { src instanceof ResponseSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `BuiltinRouteHandlerRequestNode` instead.
|
||||
* A builtin Node.js HTTP request.
|
||||
*/
|
||||
deprecated private class BuiltinRouteHandlerRequestExpr extends RequestExpr {
|
||||
BuiltinRouteHandlerRequestExpr() { src instanceof RequestSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* A builtin Node.js HTTP request.
|
||||
*/
|
||||
private class BuiltinRouteHandlerRequestExpr extends RequestExpr {
|
||||
BuiltinRouteHandlerRequestExpr() { src instanceof RequestSource }
|
||||
private class BuiltinRouteHandlerRequestNode extends RequestNode {
|
||||
BuiltinRouteHandlerRequestNode() { src instanceof RequestSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* An access to a user-controlled Node.js request input.
|
||||
*/
|
||||
private class RequestInputAccess extends HTTP::RequestInputAccess {
|
||||
RequestExpr request;
|
||||
RequestNode request;
|
||||
string kind;
|
||||
|
||||
RequestInputAccess() {
|
||||
// `req.url` / `req.body`
|
||||
kind = ["url", "body"] and
|
||||
this.asExpr().(PropAccess).accesses(request, kind)
|
||||
this.(DataFlow::PropRead).accesses(request, kind)
|
||||
or
|
||||
exists(PropAccess headers |
|
||||
exists(DataFlow::PropRead headers |
|
||||
// `req.headers.cookie`
|
||||
kind = "cookie" and
|
||||
headers.accesses(request, "headers") and
|
||||
this.asExpr().(PropAccess).accesses(headers, "cookie")
|
||||
this.(DataFlow::PropRead).accesses(headers, "cookie")
|
||||
)
|
||||
or
|
||||
exists(RequestHeaderAccess access | this = access |
|
||||
@@ -195,14 +233,14 @@ module NodeJSLib {
|
||||
* An access to an HTTP header (other than "Cookie") on an incoming Node.js request object.
|
||||
*/
|
||||
private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
|
||||
RequestExpr request;
|
||||
RequestNode request;
|
||||
|
||||
RequestHeaderAccess() {
|
||||
exists(PropAccess headers, string name |
|
||||
exists(DataFlow::PropRead headers, string name |
|
||||
// `req.headers.<name>`
|
||||
name != "cookie" and
|
||||
headers.accesses(request, "headers") and
|
||||
this.asExpr().(PropAccess).accesses(headers, name)
|
||||
this.(DataFlow::PropRead).accesses(headers, name)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -214,7 +252,7 @@ module NodeJSLib {
|
||||
|
||||
override string getKind() { result = "header" }
|
||||
|
||||
RequestExpr getRequest() { result = request }
|
||||
RequestNode getRequest() { result = request }
|
||||
}
|
||||
|
||||
class RouteSetup extends DataFlow::CallNode, HTTP::Servers::StandardRouteSetup {
|
||||
@@ -258,9 +296,9 @@ module NodeJSLib {
|
||||
}
|
||||
|
||||
abstract private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
|
||||
ResponseExpr r;
|
||||
ResponseNode r;
|
||||
|
||||
HeaderDefinition() { this.getReceiver().asExpr() = r }
|
||||
HeaderDefinition() { this.getReceiver() = r }
|
||||
|
||||
override HTTP::RouteHandler getRouteHandler() { result = r.getRouteHandler() }
|
||||
}
|
||||
@@ -365,7 +403,7 @@ module NodeJSLib {
|
||||
|
||||
ResponseSendArgument() {
|
||||
exists(DataFlow::MethodCallNode mcn, string m | m = "write" or m = "end" |
|
||||
mcn.calls(any(ResponseExpr e | e.getRouteHandler() = rh).flow(), m) and
|
||||
mcn.calls(any(ResponseNode e | e.getRouteHandler() = rh), m) and
|
||||
this = mcn.getArgument(0) and
|
||||
// don't mistake callback functions as data
|
||||
not this.analyze().getAValue() instanceof AbstractFunction
|
||||
|
||||
@@ -68,41 +68,55 @@ module Restify {
|
||||
override RouteHandler getRouteHandler() { result = rh }
|
||||
}
|
||||
|
||||
// TODO: DataFlow::Node
|
||||
/**
|
||||
* DEPRECATED: Use `ResponseNode` instead.
|
||||
* A Node.js HTTP response provided by Restify.
|
||||
*/
|
||||
class ResponseExpr extends NodeJSLib::ResponseExpr {
|
||||
deprecated class ResponseExpr extends NodeJSLib::ResponseExpr {
|
||||
ResponseExpr() { src instanceof ResponseSource }
|
||||
}
|
||||
|
||||
// TODO: DataFlow::Node
|
||||
/**
|
||||
* A Node.js HTTP response provided by Restify.
|
||||
*/
|
||||
class ResponseNode extends NodeJSLib::ResponseNode {
|
||||
ResponseNode() { src instanceof ResponseSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `RequestNode` instead.
|
||||
* A Node.js HTTP request provided by Restify.
|
||||
*/
|
||||
deprecated class RequestExpr extends NodeJSLib::RequestExpr {
|
||||
RequestExpr() { src instanceof RequestSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* A Node.js HTTP request provided by Restify.
|
||||
*/
|
||||
class RequestExpr extends NodeJSLib::RequestExpr {
|
||||
RequestExpr() { src instanceof RequestSource }
|
||||
class RequestNode extends NodeJSLib::RequestNode {
|
||||
RequestNode() { src instanceof RequestSource }
|
||||
}
|
||||
|
||||
/**
|
||||
* An access to a user-controlled Restify request input.
|
||||
*/
|
||||
private class RequestInputAccess extends HTTP::RequestInputAccess {
|
||||
RequestExpr request;
|
||||
RequestNode request;
|
||||
string kind;
|
||||
|
||||
RequestInputAccess() {
|
||||
exists(MethodCallExpr query |
|
||||
exists(DataFlow::MethodCallNode query |
|
||||
// `request.getQuery().<name>`
|
||||
kind = "parameter" and
|
||||
query.calls(request, "getQuery") and
|
||||
this.asExpr().(PropAccess).accesses(query, _)
|
||||
this.(DataFlow::PropRead).accesses(query, _)
|
||||
)
|
||||
or
|
||||
exists(string methodName |
|
||||
// `request.href()` or `request.getPath()`
|
||||
kind = "url" and
|
||||
this.asExpr().(MethodCallExpr).calls(request, methodName)
|
||||
this.(DataFlow::MethodCallNode).calls(request, methodName)
|
||||
|
|
||||
methodName = "href" or
|
||||
methodName = "getPath"
|
||||
@@ -110,13 +124,12 @@ module Restify {
|
||||
or
|
||||
// `request.getContentType()`, `request.userAgent()`, `request.trailer(...)`, `request.header(...)`
|
||||
kind = "header" and
|
||||
this.asExpr()
|
||||
.(MethodCallExpr)
|
||||
this.(DataFlow::MethodCallNode)
|
||||
.calls(request, ["getContentType", "userAgent", "trailer", "header"])
|
||||
or
|
||||
// `req.cookies
|
||||
kind = "cookie" and
|
||||
this.asExpr().(PropAccess).accesses(request, "cookies")
|
||||
this.(DataFlow::PropRead).accesses(request, "cookies")
|
||||
}
|
||||
|
||||
override RouteHandler getRouteHandler() { result = request.getRouteHandler() }
|
||||
@@ -130,13 +143,11 @@ module Restify {
|
||||
private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
|
||||
HeaderDefinition() {
|
||||
// response.header('Cache-Control', 'no-cache')
|
||||
this.getReceiver().asExpr() instanceof ResponseExpr and
|
||||
this.getReceiver() instanceof ResponseNode and
|
||||
this.getMethodName() = "header"
|
||||
}
|
||||
|
||||
override RouteHandler getRouteHandler() {
|
||||
this.getReceiver().asExpr() = result.getAResponseExpr()
|
||||
}
|
||||
override RouteHandler getRouteHandler() { this.getReceiver() = result.getAResponseNode() }
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,9 +1,9 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RequestExpr(Express::RequestExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_RequestExpr(Express::RequestNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
query predicate test_RequestExprStandalone(Express::RequestExpr e) {
|
||||
query predicate test_RequestExprStandalone(Express::RequestNode e) {
|
||||
not exists(e.getRouteHandler())
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_ResponseExpr(Express::ResponseExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_ResponseExpr(Express::ResponseNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(Express::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(Express::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RouteHandler_getAResponseExpr(Express::RouteHandler rh, HTTP::ResponseExpr res) {
|
||||
res = rh.getAResponseExpr()
|
||||
query predicate test_RouteHandler_getAResponseExpr(Express::RouteHandler rh, HTTP::ResponseNode res) {
|
||||
res = rh.getAResponseNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RequestExpr(NodeJSLib::RequestExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_RequestExpr(NodeJSLib::RequestNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_ResponseExpr(NodeJSLib::ResponseExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_ResponseExpr(NodeJSLib::ResponseNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(NodeJSLib::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(NodeJSLib::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RouteHandler_getAResponseExpr(
|
||||
NodeJSLib::RouteHandler rh, HTTP::ResponseExpr res
|
||||
NodeJSLib::RouteHandler rh, HTTP::ResponseNode res
|
||||
) {
|
||||
res = rh.getAResponseExpr()
|
||||
res = rh.getAResponseNode()
|
||||
}
|
||||
|
||||
@@ -18,7 +18,7 @@ query predicate test_HeaderDefinition_defines(HTTP::HeaderDefinition hd, string
|
||||
hd.defines(name, value) and hd.getRouteHandler() instanceof Connect::RouteHandler
|
||||
}
|
||||
|
||||
query predicate test_ResponseExpr(HTTP::ResponseExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_ResponseExpr(HTTP::ResponseNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -36,8 +36,8 @@ query predicate test_HeaderDefinition_getAHeaderName(HTTP::HeaderDefinition hd,
|
||||
|
||||
query predicate test_ServerDefinition(Connect::ServerDefinition s) { any() }
|
||||
|
||||
query predicate test_RouteHandler_getAResponseExpr(Connect::RouteHandler rh, HTTP::ResponseExpr res) {
|
||||
res = rh.getAResponseExpr()
|
||||
query predicate test_RouteHandler_getAResponseExpr(Connect::RouteHandler rh, HTTP::ResponseNode res) {
|
||||
res = rh.getAResponseNode()
|
||||
}
|
||||
|
||||
query predicate test_RouteSetup_getARouteHandler(Connect::RouteSetup r, DataFlow::SourceNode res) {
|
||||
@@ -48,7 +48,7 @@ query predicate test_RouteHandler(Connect::RouteHandler rh, DataFlow::Node res)
|
||||
res = rh.getServer()
|
||||
}
|
||||
|
||||
query predicate test_RequestExpr(HTTP::RequestExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_RequestExpr(HTTP::RequestNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -56,6 +56,6 @@ query predicate test_Credentials(Connect::Credentials cr, string res) {
|
||||
res = cr.getCredentialsKind()
|
||||
}
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(Connect::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(Connect::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import semmle.javascript.frameworks.Express
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(Fastify::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(Fastify::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RequestExpr(Hapi::RequestExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_RequestExpr(Hapi::RequestNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_ResponseExpr(Hapi::ResponseExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_ResponseExpr(Hapi::ResponseNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import semmle.javascript.frameworks.Express
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(Hapi::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(Hapi::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RequestExpr(Koa::RequestExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_RequestExpr(Koa::RequestNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_ResponseExpr(Koa::ResponseExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_ResponseExpr(Koa::ResponseNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import semmle.javascript.frameworks.Express
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(Koa::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(Koa::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import semmle.javascript.frameworks.Express
|
||||
|
||||
query predicate test_RouteHandler_getAResponseExpr(Koa::RouteHandler rh, HTTP::ResponseExpr res) {
|
||||
res = rh.getAResponseExpr()
|
||||
query predicate test_RouteHandler_getAResponseExpr(Koa::RouteHandler rh, HTTP::ResponseNode res) {
|
||||
res = rh.getAResponseNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_RequestExpr(Restify::RequestExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_RequestExpr(Restify::RequestNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import javascript
|
||||
|
||||
query predicate test_ResponseExpr(Restify::ResponseExpr e, HTTP::RouteHandler res) {
|
||||
query predicate test_ResponseExpr(Restify::ResponseNode e, HTTP::RouteHandler res) {
|
||||
res = e.getRouteHandler()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import semmle.javascript.frameworks.Express
|
||||
|
||||
query predicate test_RouteHandler_getARequestExpr(Restify::RouteHandler rh, HTTP::RequestExpr res) {
|
||||
res = rh.getARequestExpr()
|
||||
query predicate test_RouteHandler_getARequestExpr(Restify::RouteHandler rh, HTTP::RequestNode res) {
|
||||
res = rh.getARequestNode()
|
||||
}
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
import semmle.javascript.frameworks.Express
|
||||
|
||||
query predicate test_RouteHandler_getAResponseExpr(Restify::RouteHandler rh, HTTP::ResponseExpr res) {
|
||||
res = rh.getAResponseExpr()
|
||||
query predicate test_RouteHandler_getAResponseExpr(Restify::RouteHandler rh, HTTP::ResponseNode res) {
|
||||
res = rh.getAResponseNode()
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user