model method calls in the needle library

2025-12-17 01:03:14 +01:00 · 2020-09-25 14:13:31 +02:00
parent a22ddb145b
commit 6b9aea82ca
3 changed files with 67 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -355,6 +355,55 @@ module ClientRequest {
        result = this
      }
    }
+
+    /**
+     * A model of a URL request made using `require("needle")[method](...)`.
+     * E.g. `needle.get("http://example.org", (err, resp, body) => {})`.
+     *
+     * As opposed to the calls modeled in `PromisedNeedleRequest` these calls do not return promises.
+     * Instead they take an optional callback as their last argument.
+     */
+    class NeedleMethodRequest extends ClientRequest::Range {
+      boolean hasData;
+
+      NeedleMethodRequest() {
+        exists(string method |
+          method = ["get", "head"] and hasData = false
+          or
+          method = ["post", "put", "patch", "delete"] and hasData = true
+          or
+          method = "request" and hasData = [true, false]
+        |
+          this = DataFlow::moduleMember("needle", method).getACall()
+        )
+      }
+
+      override DataFlow::Node getUrl() { result = getArgument(0) }
+
+      override DataFlow::Node getHost() { none() }
+
+      override DataFlow::Node getADataNode() {
+        hasData = true and
+        (
+          result = getArgument(1)
+          or
+          result = getOptionArgument(2, "headers")
+        )
+        or
+        hasData = false and
+        result = getOptionArgument(1, "headers")
+      }
+
+      override DataFlow::Node getAResponseDataNode(string responseType, boolean promise) {
+        promise = false and
+        result = this.getCallback(this.getNumArgument() - 1).getParameter(1) and
+        responseType = "fetch.response"
+        or
+        promise = false and
+        result = this.getCallback(this.getNumArgument() - 1).getParameter(2) and
+        responseType = "json"
+      }
+    }
  }

  /**
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -68,6 +68,8 @@ test_ClientRequest
 | tst.js:210:2:210:21 | $.get("example.php") |
 | tst.js:219:5:219:41 | data.so ... Host"}) |
 | tst.js:229:5:229:67 | needle( ... ptions) |
+| tst.js:231:5:233:6 | needle. ... \\n    }) |
+| tst.js:235:5:237:6 | needle. ... \\n    }) |
 test_getADataNode
 | tst.js:53:5:53:23 | axios({data: data}) | tst.js:53:18:53:21 | data |
 | tst.js:57:5:57:39 | axios.p ... data2}) | tst.js:57:19:57:23 | data1 |
@@ -100,6 +102,8 @@ test_getADataNode
 | tst.js:219:5:219:41 | data.so ... Host"}) | tst.js:223:23:223:30 | "foobar" |
 | tst.js:229:5:229:67 | needle( ... ptions) | tst.js:228:32:228:70 | { 'X-Cu ... tuna' } |
 | tst.js:229:5:229:67 | needle( ... ptions) | tst.js:229:50:229:57 | "MyData" |
+| tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:228:32:228:70 | { 'X-Cu ... tuna' } |
+| tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:44:235:49 | "data" |
 test_getHost
 | tst.js:87:5:87:39 | http.ge ...  host}) | tst.js:87:34:87:37 | host |
 | tst.js:89:5:89:23 | axios({host: host}) | tst.js:89:18:89:21 | host |
@@ -181,6 +185,8 @@ test_getUrl
 | tst.js:210:2:210:21 | $.get("example.php") | tst.js:210:8:210:20 | "example.php" |
 | tst.js:219:5:219:41 | data.so ... Host"}) | tst.js:219:25:219:40 | {host: "myHost"} |
 | tst.js:229:5:229:67 | needle( ... ptions) | tst.js:229:20:229:47 | "http:/ ... oo/bar" |
+| tst.js:231:5:233:6 | needle. ... \\n    }) | tst.js:231:16:231:35 | "http://example.org" |
+| tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:17:235:41 | "http:/ ... g/post" |
 test_getAResponseDataNode
 | tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:5:19:23 | requestPromise(url) | text | true |
 | tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:5:21:23 | superagent.get(url) | stream | true |
@@ -243,3 +249,7 @@ test_getAResponseDataNode
 | tst.js:210:2:210:21 | $.get("example.php") | tst.js:210:55:210:70 | xhr.responseText |  | false |
 | tst.js:219:5:219:41 | data.so ... Host"}) | tst.js:221:29:221:32 | data | text | false |
 | tst.js:229:5:229:67 | needle( ... ptions) | tst.js:229:5:229:67 | needle( ... ptions) | fetch.response | true |
+| tst.js:231:5:233:6 | needle. ... \\n    }) | tst.js:231:44:231:47 | resp | fetch.response | false |
+| tst.js:231:5:233:6 | needle. ... \\n    }) | tst.js:231:50:231:53 | body | json | false |
+| tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:67:235:70 | resp | fetch.response | false |
+| tst.js:235:5:237:6 | needle. ... \\n    }) | tst.js:235:73:235:76 | body | json | false |
--- a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
+++ b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -227,4 +227,12 @@ const needle = require("needle");
 (function () {
    const options = { headers: { 'X-Custom-Header': 'Bumbaway atuna' } };
    needle("POST", "http://example.org/foo/bar", "MyData", options).then(function(resp) { console.log(resp.body) });
+
+    needle.get("http://example.org", (err, resp, body) => {
+
+    });
+
+    needle.post("http://example.org/post", "data", options, (err, resp, body) => {
+
+    });
 })();