Merge pull request #20 from esben-semmle/js/more-auth-calls-and-rate-limiters

Approved by xiemaisi
semmle-qlci
2018-08-07 09:42:07 +01:00
committed by GitHub
5 changed files with 7 additions and 2 deletions


@@ -143,7 +143,7 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
exists(string s | s = getCalleeName() |
// name contains `login` or `auth`, but not as part of `loginfo` or `unauth`;
// also exclude `author`
s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)).*") and
s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify).*") and
// but it does not start with `get` or `set`
not s.regexpMatch("(?i)(get|set).*")
)
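Review bot: The comment two lines above the changed regex still says the callee name must contain `login` or `auth`, while the new alternation also accepts `verify`; reword it to list all three, e.g. `// name contains login, auth or verify, but not as part of loginfo or unauth;` (keeping the file's backtick quoting). Unlike the other two alternatives, `verify` carries no lookaround exclusion, so a hypothetical callee such as `verifyChecksum` would presumably be classified as an authorization call as well; if that is wider than intended, a negative lookahead in the same style as `auth(?!or\\b)` would narrow it. The `AuthorizationCall` class starts before this hunk and its body continues after it.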


@@ -131,7 +131,7 @@ abstract class RateLimiter extends Express::RouteHandlerExpr {
*/
class ExpressRateLimit extends RateLimiter {
ExpressRateLimit() {
DataFlow::moduleImport("express-rate-limit").getAnInstantiation().flowsToExpr(this)
DataFlow::moduleImport("express-rate-limit").getAnInvocation().flowsToExpr(this)
}
}
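Review bot: The switch from `getAnInstantiation()` to `getAnInvocation()` on the changed line widens the match to calls of the module export made without `new`, which is what the `RateLimit()` line in the tst.js hunk exercises, but nothing in the hunk records why; a one-line comment such as `// express-rate-limit's export is a factory that may be invoked with or without new` would keep that intent next to the code. The class's QLDoc ends at the `*/` just above the changed line and is otherwise outside the hunk; if it describes the handler as an instantiation of express-rate-limit, it should be reworded to match. As far as the hunk shows, `getAnInvocation()` still covers `new` expressions, so no previously matched handler is lost.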


@@ -6,3 +6,4 @@
| tst.js:36:20:36:36 | expensiveHandler2 | This route handler performs $@, but is not rate-limited. | tst.js:15:40:15:73 | fs.writ ... quest") | a file system access |
| tst.js:37:20:37:36 | expensiveHandler3 | This route handler performs $@, but is not rate-limited. | tst.js:16:40:16:70 | child_p ... /true") | a system command |
| tst.js:38:20:38:36 | expensiveHandler4 | This route handler performs $@, but is not rate-limited. | tst.js:17:40:17:83 | connect ... ution') | a database access |
| tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |


@@ -60,3 +60,6 @@ app2.get('/:path', bruteforce.prevent, expensiveHandler1); // OK
var app3 = express();
var limiter = require('express-limiter')(app3);
app3.get('/:path', expensiveHandler1); // OK
express().get('/:path', function(req, res) { verifyUser(req); }); // NOT OK
express().get('/:path', RateLimit(), function(req, res) { verifyUser(req); }); // OK