Replace complex wrapper classes with MaD

2025-12-16 16:53:25 +01:00 · 2025-09-04 12:19:22 +00:00
parent 021aa13ee2
commit 4dac80a998
7 changed files with 27 additions and 71 deletions
--- a/javascript/ql/lib/ext/apollo-server.model.yml
+++ b/javascript/ql/lib/ext/apollo-server.model.yml
@@ -10,6 +10,7 @@ extensions:
      extensible: sinkModel
    data:
      - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"]
+      - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].Member[cors].Member[origin]", "cors-misconfiguration"]

  - addsTo:
      pack: codeql/javascript-all
--- a/javascript/ql/lib/ext/cors.model.yml
+++ b/javascript/ql/lib/ext/cors.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["cors", "Argument[0].Member[origin]", "cors-misconfiguration"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll
@@ -1,24 +0,0 @@
-/**
- * Provides classes for working with Cors connectors.
- */
-
-import javascript
-
-/** Provides classes modeling the [cors](https://npmjs.com/package/cors) library. */
-module Cors {
-  /**
-   * An expression that creates a new CORS configuration.
-   */
-  class Cors extends DataFlow::CallNode {
-    Cors() { this = DataFlow::moduleImport("cors").getAnInvocation() }
-
-    /** Get the options used to configure Cors */
-    DataFlow::Node getOptionsArgument() { result = this.getArgument(0) }
-
-    /** Holds if cors is using default configuration */
-    predicate isDefault() { this.getNumArgument() = 0 }
-
-    /** Gets the value of the `origin` option used to configure this Cors instance. */
-    DataFlow::Node getOrigin() { result = this.getOptionArgument(0, "origin") }
-  }
-}
--- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -5,7 +5,6 @@
 */

 import javascript
-private import semmle.javascript.frameworks.Cors

 /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
 module CorsPermissiveConfiguration {
@@ -73,40 +72,7 @@ module CorsPermissiveConfiguration {
  /**
   * The value of cors origin when initializing the application.
   */
-  class CorsApolloServer extends Sink, DataFlow::ValueNode {
-    CorsApolloServer() {
-      exists(API::NewNode agql |
-        agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and
-        this =
-          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
-      )
-    }
-  }
-
-  /**
-   * The value of cors origin when initializing the application.
-   */
-  class ExpressCors extends Sink, DataFlow::ValueNode {
-    ExpressCors() {
-      exists(CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
-    }
-  }
-
-  /**
-   * An express route setup configured with the `cors` package.
-   */
-  class CorsConfiguration extends DataFlow::MethodCallNode {
-    Cors::Cors corsConfig;
-
-    CorsConfiguration() {
-      exists(Express::RouteSetup setup | this = setup |
-        if setup.isUseCall()
-        then corsConfig = setup.getArgument(0)
-        else corsConfig = setup.getArgument(any(int i | i > 0))
-      )
-    }
-
-    /** Gets the expression that configures `cors` on this route setup. */
-    Cors::Cors getCorsConfiguration() { result = corsConfig }
+  class CorsOriginSink extends Sink, DataFlow::ValueNode {
+    CorsOriginSink() { this = ModelOutput::getASinkNode("cors-misconfiguration").asSink() }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll
@@ -27,9 +27,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
  }

  predicate isSink(DataFlow::Node sink, FlowState state) {
-    sink instanceof CorsApolloServer and state = [FlowState::taint(), FlowState::trueOrNull()]
-    or
-    sink instanceof ExpressCors and state = [FlowState::taint(), FlowState::wildcard()]
+    sink instanceof CorsOriginSink and
+    state = [FlowState::taint(), FlowState::trueOrNull(), FlowState::wildcard()]
  }

  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
--- a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -1,3 +1,11 @@
+#select
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | too permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:42:10:45 | true | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:42:10:45 | true | too permissive or user controlled value |
 edges
 | apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
 | apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
@@ -6,8 +14,11 @@ edges
 | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
 | apollo-test.js:8:42:8:45 | true | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
 | express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:59 | user_origin | provenance |  |
 | express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:59 | user_origin | provenance |  |
 | express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
+| express-test.js:10:42:10:45 | true | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
 nodes
 | apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
 | apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
@@ -20,15 +31,12 @@ nodes
 | apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
 | apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
 | express-test.js:10:9:10:59 | user_origin | semmle.label | user_origin |
+| express-test.js:10:9:10:59 | user_origin | semmle.label | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
 | express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
 | express-test.js:10:33:10:39 | req.url | semmle.label | req.url |
+| express-test.js:10:42:10:45 | true | semmle.label | true |
 | express-test.js:26:17:26:19 | '*' | semmle.label | '*' |
 | express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
+| express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
 subpaths
-#select
-| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
-| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
-| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
-| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | too permissive or user controlled value |
-| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
-| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |