Merge pull request #19439 from Napalys/js/fastify-all

JS: Modeling of `fastify`
Napalys Klicius
2025-05-01 12:11:52 +02:00
committed by GitHub
5 changed files with 35 additions and 1 deletions


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Enhanced modeling of the [fastify](https://www.npmjs.com/package/fastify) framework to support the `all` route handler method.


@@ -138,7 +138,8 @@ module Fastify {
RouteSetup() {
this = server(server).getAMethodCall(methodName) and
methodName = ["route", "get", "head", "post", "put", "delete", "options", "patch", "addHook"]
methodName =
["route", "get", "head", "post", "put", "delete", "options", "patch", "addHook", "all"]
}
override DataFlow::SourceNode getARouteHandler() {
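Review bot: The `methodName` list in `RouteSetup` now mixes per-verb shorthands with `all`, which registers one handler for every HTTP method, and nothing in the visible lines records that difference. A short comment above the list would help, for example `// "all" registers the handler for every HTTP method; "addHook" registers a lifecycle hook rather than a route`. If another predicate in this class derives a request method from `methodName` (not visible in this hunk), it is worth checking that `all` is not treated there as a literal verb. The class body starts before and continues after the hunk.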


@@ -57,6 +57,10 @@
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:79:20:79:42 | request ... plyCode | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| fastify.js:107:23:107:31 | userInput | fastify.js:106:21:106:33 | request.query | fastify.js:107:23:107:31 | userInput | This code execution depends on a $@. | fastify.js:106:21:106:33 | request.query | user-provided value |
| fastify.js:107:23:107:31 | userInput | fastify.js:106:21:106:38 | request.query.code | fastify.js:107:23:107:31 | userInput | This code execution depends on a $@. | fastify.js:106:21:106:38 | request.query.code | user-provided value |
| fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
| fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -145,6 +149,10 @@ edges
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | provenance | |
| fastify.js:106:9:106:38 | userInput | fastify.js:107:23:107:31 | userInput | provenance | |
| fastify.js:106:21:106:33 | request.query | fastify.js:106:9:106:38 | userInput | provenance | |
| fastify.js:106:21:106:38 | request.query.code | fastify.js:106:9:106:38 | userInput | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -268,6 +276,11 @@ nodes
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| fastify.js:106:9:106:38 | userInput | semmle.label | userInput |
| fastify.js:106:21:106:33 | request.query | semmle.label | request.query |
| fastify.js:106:21:106:38 | request.query.code | semmle.label | request.query.code |
| fastify.js:107:23:107:31 | userInput | semmle.label | userInput |
| fastify.js:108:28:108:50 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:33 | tainted | semmle.label | tainted |


@@ -51,6 +51,10 @@ edges
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | provenance | |
| fastify.js:106:9:106:38 | userInput | fastify.js:107:23:107:31 | userInput | provenance | |
| fastify.js:106:21:106:33 | request.query | fastify.js:106:9:106:38 | userInput | provenance | |
| fastify.js:106:21:106:38 | request.query.code | fastify.js:106:9:106:38 | userInput | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -176,6 +180,11 @@ nodes
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| fastify.js:106:9:106:38 | userInput | semmle.label | userInput |
| fastify.js:106:21:106:33 | request.query | semmle.label | request.query |
| fastify.js:106:21:106:38 | request.query.code | semmle.label | request.query.code |
| fastify.js:107:23:107:31 | userInput | semmle.label | userInput |
| fastify.js:108:28:108:50 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:33 | tainted | semmle.label | tainted |


@@ -101,3 +101,10 @@ fastify.get('/flow-through-reply', async (request, reply) => {
}
return { result: null };
});
fastify.all('/eval', async (request, reply) => {
const userInput = request.query.code; // $ Source[js/code-injection]
const result = eval(userInput); // $ Alert[js/code-injection]
const replyResult = eval(reply.locals.nestedCode); // $ Alert[js/code-injection]
return { method: request.method, result };
});
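Review bot: The new `fastify.all('/eval', ...)` case exercises only the two-argument form, so the options-object shorthand `fastify.all(path, opts, handler)` is not covered for the newly modelled method. Adding one such case with the same `// $ Source[js/code-injection]` and `// $ Alert[js/code-injection]` annotations would pin handler detection for both call shapes. The alert on `eval(reply.locals.nestedCode)` depends on taint that, judging by the expected output, originates at line 94 in the earlier `/flow-through-reply` case; a comment such as `// reply.locals.nestedCode is tainted by the '/flow-through-reply' case above` would make that coupling visible to whoever edits the fixture next. `replyResult` is never read, so a bare `eval(...)` statement would express the same sink with less noise.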