hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into 20823-globalVarRef-document-defaultView

Browse Source
This commit is contained in:
Eliav2
2025-11-26 23:26:26 +02:00
committed by GitHub
parent 192f254b41 982950ffc6
commit 69ba764e9d
212 changed files with 16554 additions and 3130 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
javascript/ql/lib/semmle/javascript/frameworks/Next.qll
View File

@@ -13,12 +13,31 @@ module NextJS {
*/
PackageJson getANextPackage() { result.getDependencies().getADependency("next", _) }
bindingset[base, name]
pragma[inline_late]
private Folder getOptionalFolder(Folder base, string name) {
result = base.getFolder(name)
or
not exists(base.getFolder(name)) and
result = base
}
private Folder packageRoot() { result = getANextPackage().getFile().getParentContainer() }
private Folder srcRoot() { result = getOptionalFolder(packageRoot(), "src") }
private Folder appRoot() { result = srcRoot().getFolder("app") }
private Folder pagesRoot() { result = [srcRoot(), appRoot()].getFolder("pages") }
private Folder apiRoot() { result = [pagesRoot(), appRoot()].getFolder("api") }
/**
* Gets a "pages" folder in a `Next.js` application.
* JavaScript files inside these folders are mapped to routes.
*/
Folder getAPagesFolder() {
result = getANextPackage().getFile().getParentContainer().getFolder("pages")
result = pagesRoot()
or
result = getAPagesFolder().getAFolder()
}
@@ -217,8 +236,7 @@ module NextJS {
* the App Router (`app/api/`) Next.js 13+ structures.
*/
Folder apiFolder() {
result =
getANextPackage().getFile().getParentContainer().getFolder(["pages", "app"]).getFolder("api") or
result = apiRoot() or
result = apiFolder().getAFolder()
}

4
javascript/ql/src/change-notes/2025-11-25-nextjs-project-layout.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in the `app/pages` folder.

4
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
View File

@@ -35,6 +35,8 @@
| app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
| app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
| etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
@@ -365,6 +367,8 @@ nodes
| app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body |
| app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body |
| app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body |
| app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url |
| app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url |
| etherpad.js:9:5:9:12 | response | semmle.label | response |
| etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp |
| etherpad.js:11:12:11:19 | response | semmle.label | response |

2
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
View File

@@ -34,6 +34,8 @@
| app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
| app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
| app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
| formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
| live-server.js:6:13:6:50 | `<html> ... /html>` | Cross-site scripting vulnerability due to $@. | live-server.js:4:21:4:27 | req.url | user-provided value |

19
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/pages/Next2.jsx Normal file
View File

@@ -0,0 +1,19 @@
export default function Post() {
return <span />;
}
Post.getInitialProps = async (ctx) => {
const req = ctx.req;
const res = ctx.res;
res.end(req.url); // $ Alert
return {}
}
export async function getServerSideProps(ctx) {
const req = ctx.req;
const res = ctx.res;
res.end(req.url); // $ Alert
return {
props: {}
}
}