JS: Model template instantiation from Fastify, Hapi, and Koa

javascript/ql/src/semmle/javascript/frameworks/Fastify.qll

@@ -288,4 +288,31 @@ module Fastify {
       )
     }
   }
+
+  /**
+   * A call to `rep.view('file', { ... })`, seen as a template instantiation.
+   *
+   * Assumes the presense of a plugin that provides the `view` method, such as the `point-of-view` plugin.
+   */
+  private class ViewCall extends Templating::TemplateInstantiaton::Range, DataFlow::CallNode {
+    ViewCall() {
+      this = any(ReplySource rep).ref().getAMethodCall("view")
+    }
+
+    override DataFlow::SourceNode getOutput() {
+      result = getCallback(2).getParameter(1)
+    }
+
+    override DataFlow::Node getTemplateFileNode() {
+      result = getArgument(0)
+    }
+
+    override DataFlow::Node getTemplateContentNode() {
+      none()
+    }
+
+    override DataFlow::Node getTemplateParamsNode() {
+      result = getArgument(1)
+    }
+  }
 }

javascript/ql/src/semmle/javascript/frameworks/Hapi.qll

@@ -31,6 +31,19 @@ module Hapi {
      * Gets the parameter of the route handler that contains the request object.
      */
     Parameter getRequestParameter() { result = function.getParameter(0) }
+
+    /**
+     * Gets the parameter of the route handler that contains the "request toolkit",
+     * usually named `h`.
+     */
+    Parameter getRequestToolkitParameter() { result = function.getParameter(1) }
+
+    /**
+     * Gets a source node referring to the request toolkit parameter, usually named `h`.
+     */
+    DataFlow::SourceNode getRequestToolkit() {
+      result = getRequestToolkitParameter().flow()
+    }
   }
 
   /**
@@ -237,4 +250,29 @@ module Hapi {
     HTTP::Servers::StandardRouteHandler, DataFlow::FunctionNode {
     TrackedRouteHandlerCandidateWithSetup() { this = any(RouteSetup s).getARouteHandler() }
   }
+
+  /**
+   * A call to `h.view('file', { ... })` seen as a template instantiation.
+   */
+  private class ViewCall extends Templating::TemplateInstantiaton::Range, DataFlow::CallNode {
+    ViewCall() {
+      this = any(RouteHandler rh).getRequestToolkit().getAMethodCall("view")
+    }
+
+    override DataFlow::SourceNode getOutput() {
+      none()
+    }
+
+    override DataFlow::Node getTemplateFileNode() {
+      result = getArgument(0)
+    }
+
+    override DataFlow::Node getTemplateContentNode() {
+      none()
+    }
+
+    override DataFlow::Node getTemplateParamsNode() {
+      result = getArgument(1)
+    }
+  }
 }

javascript/ql/src/semmle/javascript/frameworks/Koa.qll

@@ -112,7 +112,7 @@ module Koa {
      */
     RouteHandler getRouteHandler() { result = rh }
 
-    predicate flowsTo(DataFlow::Node nd) { ref(DataFlow::TypeTracker::end()).flowsTo(nd) }
+    predicate flowsTo(DataFlow::Node nd) { ref().flowsTo(nd) }
 
     private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
       t.start() and
@@ -120,6 +120,11 @@ module Koa {
       or
       exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
     }
+
+    /** Gets a source node that refers to this context object. */
+    DataFlow::SourceNode ref() {
+      result = ref(DataFlow::TypeTracker::end())
+    }
   }
 
   /**
@@ -424,4 +429,33 @@ module Koa {
 
     override RouteHandler getRouteHandler() { result = rh }
   }
+
+  /**
+   * A call to `ctx.render('file', { ... })`, seen as a template instantiation.
+   */
+  private class RenderCall extends Templating::TemplateInstantiaton::Range, DataFlow::CallNode {
+    ContextSource ctx;
+
+    RenderCall() {
+      this = ctx.ref().getAMethodCall("render")
+    }
+
+    override DataFlow::SourceNode getOutput() {
+      none()
+    }
+
+    override DataFlow::Node getTemplateFileNode() {
+      result = getArgument(0)
+    }
+
+    override DataFlow::Node getTemplateContentNode() {
+      none()
+    }
+
+    override DataFlow::Node getTemplateParamsNode() {
+      result = getArgument(1)
+      or
+      result = ctx.ref().getAPropertyReference("state")
+    }
+  }
 }