diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
index bb83e14c3c3..470b533790b 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -106,7 +106,7 @@ private class RequestUrlRequest extends CustomClientRequest {
 }
 override DataFlow::Node getADataNode() {
- none()
+ result = getArgument(1)
 }
 }
diff --git a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
index 169e1140206..d0294f1e512 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -132,11 +132,6 @@ module HTTP {
 result = "http" or result = "https"
 }
- /**
- * An expression whose value is sent as (part of) the body of an HTTP request (POST, PUT).
- */
- abstract class RequestBody extends DataFlow::Node {}
-
 /**
 * An expression whose value is sent as (part of) the body of an HTTP response.
 */
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
index 072f5772026..2b43b356660 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -775,7 +775,7 @@ module NodeJSLib {
 }
 override DataFlow::Node getADataNode() {
- none()
+ result = getAMethodCall("write").getArgument(0)
 }
 }
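Review bot: `result = getArgument(1)` in `RequestUrlRequest.getADataNode()` reports the second argument of every call this class models as request data, whereas the `RequestPostBody` class removed from Request.qll in this commit limited argument 1 to `request.post` calls. For a call shaped like `request(url, callback)` the second argument is the callback, so the file-to-HTTP sink may gain imprecise nodes, and a body supplied inside an options object passed as argument 0 is not a data node at all. The class's characteristic predicate is outside the hunk, so which call shapes it matches cannot be confirmed here. At minimum the override should carry a QLDoc stating the assumption, for example `/** Gets the second argument, which holds the body in calls such as request.post(url, body); it may also be a callback. */`.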
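Review bot: The new `getADataNode()` in the NodeJSLib.qll hunk at line 775 only returns the first argument of `write`, so a body handed to `end(data)` on the same client request is not a data node and the `FileAccessToHttp` sink introduced in this commit will not flag file contents sent that way. Covering both methods would close that gap: `exists(string m | m = "write" or m = "end" | result = getAMethodCall(m).getArgument(0))`. The enclosing class starts outside the hunk, so whether `getAMethodCall` still resolves once the request object has been stored in a variable or returned from a helper is not visible here and is worth a test case.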
@@ -811,18 +811,6 @@ module NodeJSLib {
 result = "http.request data parameter"
 }
 }
-
- /**
- * An argument to client request.write () method, can be used to write body to a HTTP or HTTPS POST/PUT request,
- * or request option (like headers, cookies, even url)
- */
- class HttpRequestWriteArgument extends HTTP::RequestBody, DataFlow::Node {
- HttpRequestWriteArgument () {
- exists(CustomClientRequest req |
- this = req.getAMethodCall("write").getArgument(0) or
- this = req.getArgument(0))
- }
- }
 /**
 * A data flow node that is registered as a callback for an HTTP or HTTPS request made by a Node.js process, for example the function `handler` in `http.request(url).on(message, handler)`.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Request.qll b/javascript/ql/src/semmle/javascript/frameworks/Request.qll
index 5416e989997..45406863aba 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Request.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Request.qll
@@ -44,13 +44,5 @@ module Request {
 }
 }
-
- // using 'request' library to make http 'POST' and 'PUT' requests with message body.
- private class RequestPostBody extends HTTP::RequestBody {
- RequestPostBody () {
- this = DataFlow::moduleMember("request", "post").getACall().getArgument(1) or
- this = DataFlow::moduleImport("request").getAnInvocation().getArgument(0)
- }
- }
 }
\ No newline at end of file
diff --git a/javascript/ql/src/semmle/javascript/security/dataflow/FileAccessToHttp.qll b/javascript/ql/src/semmle/javascript/security/dataflow/FileAccessToHttp.qll
index a53175426bf..754fd7ded8b 100644
--- a/javascript/ql/src/semmle/javascript/security/dataflow/FileAccessToHttp.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/FileAccessToHttp.qll
@@ -62,10 +62,15 @@ module FileAccessToHttpDataFlow {
 }
 }
- /** Sink is any parameter or argument that evaluates to a parameter ot a function or call that sets Http Body on a request */
- private class HttpRequestBodyAsSink extends Sink {
- HttpRequestBodyAsSink () {
- this instanceof HTTP::RequestBody
+ /**
+ * The URL or data of a client request, viewed as a sink.
+ */
+ private class ClientRequestUrlOrDataAsSink extends Sink {
+ ClientRequestUrlOrDataAsSink () {
+ exists (ClientRequest req |
+ this = req.getUrl() or
+ this = req.getADataNode()
+ )
 }
 }
 }
\ No newline at end of file
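Review bot: `ClientRequestUrlOrDataAsSink` appears to cover less than the sink it replaces: the removed `HttpRequestWriteArgument` also matched `req.getArgument(0)` and was documented as covering request options such as headers and cookies. Unless `getUrl()` returns the whole options argument, file data copied into a header of an outgoing request is no longer flagged. The sink also yields no body node for any `ClientRequest` model whose `getADataNode()` is still `none()`, so the query's coverage now depends on each framework model being filled in. If the narrowing is intended, the QLDoc should say so, for example by adding `* Request headers and other options are not treated as sinks.`; otherwise a test with file contents flowing into a request header would show whether coverage was lost. Minor style point: `exists (` is written with a space here, while the removed code in NodeJSLib.qll used `exists(`.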