hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 00:35:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19300 from Napalys/js/fastify

Browse Source 
JS: Added support for `fastify.addHook`
This commit is contained in:
Napalys Klicius
2025-04-29 18:32:25 +02:00
committed by GitHub
parent abbf753a09 8b53f8f2a6
commit 6de38b1827
6 changed files with 375 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
javascript/ql/lib/change-notes/2025-04-14-fastify-addhook.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added support for the `fastify` `addHook` method.

39
javascript/ql/lib/semmle/javascript/Routing.qll
View File

@@ -139,6 +139,8 @@ module Routing {
predicate mayResumeDispatch() {
this.getLastChild().mayResumeDispatch()
or
isInMiddlewareSetup(this)
or
exists(this.(RouteHandler).getAContinuationInvocation())
or
// Leaf nodes that aren't functions are assumed to invoke their continuation
@@ -155,6 +157,8 @@ module Routing {
predicate definitelyResumesDispatch() {
this.getLastChild().definitelyResumesDispatch()
or
isInMiddlewareSetup(this)
or
exists(this.(RouteHandler).getAContinuationInvocation())
or
this instanceof MkRouter
@@ -325,6 +329,19 @@ module Routing {
DataFlow::Node getValueImplicitlyStoredInAccessPath(int n, string path) { none() }
}
/**
* Holds if `node` is installed at a route handler that is declared to be a middleware setup,
* and is therefore assume to resume dispatch.
*/
private predicate isInMiddlewareSetup(Node node) {
exists(RouteSetup::Range range |
node = getRouteSetupNode(range) and
range.isMiddlewareSetup()
)
or
isInMiddlewareSetup(node.getParent())
}
/** Holds if `pred` and `succ` are adjacent siblings and `succ` is installed after `pred`. */
private predicate areSiblings(Node pred, Node succ) {
exists(ValueNode::Range base, int n |
@@ -612,6 +629,20 @@ module Routing {
* Holds if this route setup targets `router` and occurs at the given `cfgNode`.
*/
abstract predicate isInstalledAt(Router::Range router, ControlFlowNode cfgNode);
/**
* Holds if this is a middleware setup, meaning dispatch will resume after the
* route handlers in this route setup have completed (usually meaning that they have returned a promise, which has resolved).
*
* This should only be overridden when the route setup itself determines whether subsequent
* route handlers are invoked afterwards.
* - For Express-like libraries, the route _handler_ determines whether to resume dispatch,
* based on whether the `next` callback is invoked. For such libraries, do not override `isMiddlewareSetup`.
* - For Fastify-like libraries, the route _setup_ determines whether to resume dispatch.
* For example, `.addHook()` will resume dispatch whereas `.get()` will not. `isMiddlewareSetup()` should thus
* hold for `.addHook()` but not for `.get()` calls.
*/
predicate isMiddlewareSetup() { none() }
}
/**
@@ -892,10 +923,14 @@ module Routing {
* based on `Node::Range::getValueAtAccessPath`.
*/
private DataFlow::Node getAnAccessPathRhs(Node base, int n, string path) {
// Assigned in the body of a route handler function, whi
// Assigned in the body of a route handler function, which is a middleware
exists(RouteHandler handler | base = handler |
result = AccessPath::getAnAssignmentTo(handler.getParameter(n).ref(), path) and
exists(handler.getAContinuationInvocation())
(
exists(handler.getAContinuationInvocation())
or
isInMiddlewareSetup(handler)
)
)
or
// Implicit assignment contributed by framework model

16
javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
View File

@@ -138,7 +138,7 @@ module Fastify {
RouteSetup() {
this = server(server).getAMethodCall(methodName) and
methodName = ["route", "get", "head", "post", "put", "delete", "options", "patch"]
methodName = ["route", "get", "head", "post", "put", "delete", "options", "patch", "addHook"]
}
override DataFlow::SourceNode getARouteHandler() {
@@ -164,13 +164,19 @@ module Fastify {
private class ShorthandRoutingTreeSetup extends Routing::RouteSetup::MethodCall instanceof RouteSetup
{
ShorthandRoutingTreeSetup() { not this.getMethodName() = "route" }
ShorthandRoutingTreeSetup() { not this.getMethodName() = ["route", "addHook"] }
override string getRelativePath() { result = this.getArgument(0).getStringValue() }
override Http::RequestMethodName getHttpMethod() { result = this.getMethodName().toUpperCase() }
}
private class AddHookRouteSetup extends Routing::RouteSetup::MethodCall instanceof RouteSetup {
AddHookRouteSetup() { this.getMethodName() = "addHook" }
override predicate isMiddlewareSetup() { any() }
}
/** Gets the name of the `n`th handler function that can be installed a route setup, in order of execution. */
private string getNthHandlerName(int n) {
result =
@@ -322,7 +328,11 @@ module Fastify {
ResponseSendArgument() {
this = rh.getAResponseSource().ref().getAMethodCall("send").getArgument(0)
or
this = rh.(DataFlow::FunctionNode).getAReturn()
exists(RouteSetup setup |
rh = setup.getARouteHandler() and
this = rh.(DataFlow::FunctionNode).getAReturn() and
setup.getMethodName() != "addHook"
)
}
override RouteHandler getRouteHandler() { result = rh }

124
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
View File

@@ -27,6 +27,36 @@
| express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value |
| express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value |
| express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value |
| fastify.js:5:44:5:52 | userInput | fastify.js:4:21:4:33 | request.query | fastify.js:5:44:5:52 | userInput | This code execution depends on a $@. | fastify.js:4:21:4:33 | request.query | user-provided value |
| fastify.js:5:44:5:52 | userInput | fastify.js:4:21:4:43 | request ... Request | fastify.js:5:44:5:52 | userInput | This code execution depends on a $@. | fastify.js:4:21:4:43 | request ... Request | user-provided value |
| fastify.js:10:44:10:52 | userInput | fastify.js:9:21:9:33 | request.query | fastify.js:10:44:10:52 | userInput | This code execution depends on a $@. | fastify.js:9:21:9:33 | request.query | user-provided value |
| fastify.js:10:44:10:52 | userInput | fastify.js:9:21:9:40 | request.query.onSend | fastify.js:10:44:10:52 | userInput | This code execution depends on a $@. | fastify.js:9:21:9:40 | request.query.onSend | user-provided value |
| fastify.js:16:44:16:52 | userInput | fastify.js:15:21:15:33 | request.query | fastify.js:16:44:16:52 | userInput | This code execution depends on a $@. | fastify.js:15:21:15:33 | request.query | user-provided value |
| fastify.js:16:44:16:52 | userInput | fastify.js:15:21:15:44 | request ... Parsing | fastify.js:16:44:16:52 | userInput | This code execution depends on a $@. | fastify.js:15:21:15:44 | request ... Parsing | user-provided value |
| fastify.js:22:44:22:52 | userInput | fastify.js:21:21:21:33 | request.query | fastify.js:22:44:22:52 | userInput | This code execution depends on a $@. | fastify.js:21:21:21:33 | request.query | user-provided value |
| fastify.js:22:44:22:52 | userInput | fastify.js:21:21:21:47 | request ... idation | fastify.js:22:44:22:52 | userInput | This code execution depends on a $@. | fastify.js:21:21:21:47 | request ... idation | user-provided value |
| fastify.js:27:44:27:52 | userInput | fastify.js:26:21:26:33 | request.query | fastify.js:27:44:27:52 | userInput | This code execution depends on a $@. | fastify.js:26:21:26:33 | request.query | user-provided value |
| fastify.js:27:44:27:52 | userInput | fastify.js:26:21:26:44 | request ... Handler | fastify.js:27:44:27:52 | userInput | This code execution depends on a $@. | fastify.js:26:21:26:44 | request ... Handler | user-provided value |
| fastify.js:32:44:32:52 | userInput | fastify.js:31:21:31:33 | request.query | fastify.js:32:44:32:52 | userInput | This code execution depends on a $@. | fastify.js:31:21:31:33 | request.query | user-provided value |
| fastify.js:32:44:32:52 | userInput | fastify.js:31:21:31:50 | request ... ization | fastify.js:32:44:32:52 | userInput | This code execution depends on a $@. | fastify.js:31:21:31:50 | request ... ization | user-provided value |
| fastify.js:38:44:38:52 | userInput | fastify.js:37:21:37:33 | request.query | fastify.js:38:44:38:52 | userInput | This code execution depends on a $@. | fastify.js:37:21:37:33 | request.query | user-provided value |
| fastify.js:38:44:38:52 | userInput | fastify.js:37:21:37:44 | request ... esponse | fastify.js:38:44:38:52 | userInput | This code execution depends on a $@. | fastify.js:37:21:37:44 | request ... esponse | user-provided value |
| fastify.js:43:44:43:52 | userInput | fastify.js:42:21:42:33 | request.query | fastify.js:43:44:43:52 | userInput | This code execution depends on a $@. | fastify.js:42:21:42:33 | request.query | user-provided value |
| fastify.js:43:44:43:52 | userInput | fastify.js:42:21:42:41 | request ... onError | fastify.js:43:44:43:52 | userInput | This code execution depends on a $@. | fastify.js:42:21:42:41 | request ... onError | user-provided value |
| fastify.js:48:44:48:52 | userInput | fastify.js:47:21:47:33 | request.query | fastify.js:48:44:48:52 | userInput | This code execution depends on a $@. | fastify.js:47:21:47:33 | request.query | user-provided value |
| fastify.js:48:44:48:52 | userInput | fastify.js:47:21:47:43 | request ... Timeout | fastify.js:48:44:48:52 | userInput | This code execution depends on a $@. | fastify.js:47:21:47:43 | request ... Timeout | user-provided value |
| fastify.js:53:46:53:54 | userInput | fastify.js:52:23:52:35 | request.query | fastify.js:53:46:53:54 | userInput | This code execution depends on a $@. | fastify.js:52:23:52:35 | request.query | user-provided value |
| fastify.js:53:46:53:54 | userInput | fastify.js:52:23:52:50 | request ... stAbort | fastify.js:53:46:53:54 | userInput | This code execution depends on a $@. | fastify.js:52:23:52:50 | request ... stAbort | user-provided value |
| fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
| fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
| fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
| fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
| fastify.js:71:34:71:51 | request.storedCode | fastify.js:66:24:66:36 | request.query | fastify.js:71:34:71:51 | request.storedCode | This code execution depends on a $@. | fastify.js:66:24:66:36 | request.query | user-provided value |
| fastify.js:71:34:71:51 | request.storedCode | fastify.js:66:24:66:47 | request ... redCode | fastify.js:71:34:71:51 | request.storedCode | This code execution depends on a $@. | fastify.js:66:24:66:47 | request ... redCode | user-provided value |
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:79:20:79:32 | request.query | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:79:20:79:32 | request.query | user-provided value |
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:79:20:79:42 | request ... plyCode | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -75,6 +105,46 @@ edges
| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | |
| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | |
| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | |
| fastify.js:4:9:4:43 | userInput | fastify.js:5:44:5:52 | userInput | provenance | |
| fastify.js:4:21:4:33 | request.query | fastify.js:4:9:4:43 | userInput | provenance | |
| fastify.js:4:21:4:43 | request ... Request | fastify.js:4:9:4:43 | userInput | provenance | |
| fastify.js:9:9:9:40 | userInput | fastify.js:10:44:10:52 | userInput | provenance | |
| fastify.js:9:21:9:33 | request.query | fastify.js:9:9:9:40 | userInput | provenance | |
| fastify.js:9:21:9:40 | request.query.onSend | fastify.js:9:9:9:40 | userInput | provenance | |
| fastify.js:15:9:15:44 | userInput | fastify.js:16:44:16:52 | userInput | provenance | |
| fastify.js:15:21:15:33 | request.query | fastify.js:15:9:15:44 | userInput | provenance | |
| fastify.js:15:21:15:44 | request ... Parsing | fastify.js:15:9:15:44 | userInput | provenance | |
| fastify.js:21:9:21:47 | userInput | fastify.js:22:44:22:52 | userInput | provenance | |
| fastify.js:21:21:21:33 | request.query | fastify.js:21:9:21:47 | userInput | provenance | |
| fastify.js:21:21:21:47 | request ... idation | fastify.js:21:9:21:47 | userInput | provenance | |
| fastify.js:26:9:26:44 | userInput | fastify.js:27:44:27:52 | userInput | provenance | |
| fastify.js:26:21:26:33 | request.query | fastify.js:26:9:26:44 | userInput | provenance | |
| fastify.js:26:21:26:44 | request ... Handler | fastify.js:26:9:26:44 | userInput | provenance | |
| fastify.js:31:9:31:50 | userInput | fastify.js:32:44:32:52 | userInput | provenance | |
| fastify.js:31:21:31:33 | request.query | fastify.js:31:9:31:50 | userInput | provenance | |
| fastify.js:31:21:31:50 | request ... ization | fastify.js:31:9:31:50 | userInput | provenance | |
| fastify.js:37:9:37:44 | userInput | fastify.js:38:44:38:52 | userInput | provenance | |
| fastify.js:37:21:37:33 | request.query | fastify.js:37:9:37:44 | userInput | provenance | |
| fastify.js:37:21:37:44 | request ... esponse | fastify.js:37:9:37:44 | userInput | provenance | |
| fastify.js:42:9:42:41 | userInput | fastify.js:43:44:43:52 | userInput | provenance | |
| fastify.js:42:21:42:33 | request.query | fastify.js:42:9:42:41 | userInput | provenance | |
| fastify.js:42:21:42:41 | request ... onError | fastify.js:42:9:42:41 | userInput | provenance | |
| fastify.js:47:9:47:43 | userInput | fastify.js:48:44:48:52 | userInput | provenance | |
| fastify.js:47:21:47:33 | request.query | fastify.js:47:9:47:43 | userInput | provenance | |
| fastify.js:47:21:47:43 | request ... Timeout | fastify.js:47:9:47:43 | userInput | provenance | |
| fastify.js:52:11:52:50 | userInput | fastify.js:53:46:53:54 | userInput | provenance | |
| fastify.js:52:23:52:35 | request.query | fastify.js:52:11:52:50 | userInput | provenance | |
| fastify.js:52:23:52:50 | request ... stAbort | fastify.js:52:11:52:50 | userInput | provenance | |
| fastify.js:57:9:57:39 | userInput | fastify.js:58:44:58:52 | userInput | provenance | |
| fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
| fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:57:21:57:39 | request.query.input | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:66:24:66:36 | request.query | fastify.js:66:24:66:47 | request ... redCode | provenance | |
| fastify.js:66:24:66:47 | request ... redCode | fastify.js:71:34:71:51 | request.storedCode | provenance | |
| fastify.js:79:20:79:32 | request.query | fastify.js:79:20:79:42 | request ... plyCode | provenance | |
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -144,6 +214,60 @@ nodes
| express.js:36:15:36:19 | taint | semmle.label | taint |
| express.js:42:30:42:32 | msg | semmle.label | msg |
| express.js:43:10:43:12 | msg | semmle.label | msg |
| fastify.js:4:9:4:43 | userInput | semmle.label | userInput |
| fastify.js:4:21:4:33 | request.query | semmle.label | request.query |
| fastify.js:4:21:4:43 | request ... Request | semmle.label | request ... Request |
| fastify.js:5:44:5:52 | userInput | semmle.label | userInput |
| fastify.js:9:9:9:40 | userInput | semmle.label | userInput |
| fastify.js:9:21:9:33 | request.query | semmle.label | request.query |
| fastify.js:9:21:9:40 | request.query.onSend | semmle.label | request.query.onSend |
| fastify.js:10:44:10:52 | userInput | semmle.label | userInput |
| fastify.js:15:9:15:44 | userInput | semmle.label | userInput |
| fastify.js:15:21:15:33 | request.query | semmle.label | request.query |
| fastify.js:15:21:15:44 | request ... Parsing | semmle.label | request ... Parsing |
| fastify.js:16:44:16:52 | userInput | semmle.label | userInput |
| fastify.js:21:9:21:47 | userInput | semmle.label | userInput |
| fastify.js:21:21:21:33 | request.query | semmle.label | request.query |
| fastify.js:21:21:21:47 | request ... idation | semmle.label | request ... idation |
| fastify.js:22:44:22:52 | userInput | semmle.label | userInput |
| fastify.js:26:9:26:44 | userInput | semmle.label | userInput |
| fastify.js:26:21:26:33 | request.query | semmle.label | request.query |
| fastify.js:26:21:26:44 | request ... Handler | semmle.label | request ... Handler |
| fastify.js:27:44:27:52 | userInput | semmle.label | userInput |
| fastify.js:31:9:31:50 | userInput | semmle.label | userInput |
| fastify.js:31:21:31:33 | request.query | semmle.label | request.query |
| fastify.js:31:21:31:50 | request ... ization | semmle.label | request ... ization |
| fastify.js:32:44:32:52 | userInput | semmle.label | userInput |
| fastify.js:37:9:37:44 | userInput | semmle.label | userInput |
| fastify.js:37:21:37:33 | request.query | semmle.label | request.query |
| fastify.js:37:21:37:44 | request ... esponse | semmle.label | request ... esponse |
| fastify.js:38:44:38:52 | userInput | semmle.label | userInput |
| fastify.js:42:9:42:41 | userInput | semmle.label | userInput |
| fastify.js:42:21:42:33 | request.query | semmle.label | request.query |
| fastify.js:42:21:42:41 | request ... onError | semmle.label | request ... onError |
| fastify.js:43:44:43:52 | userInput | semmle.label | userInput |
| fastify.js:47:9:47:43 | userInput | semmle.label | userInput |
| fastify.js:47:21:47:33 | request.query | semmle.label | request.query |
| fastify.js:47:21:47:43 | request ... Timeout | semmle.label | request ... Timeout |
| fastify.js:48:44:48:52 | userInput | semmle.label | userInput |
| fastify.js:52:11:52:50 | userInput | semmle.label | userInput |
| fastify.js:52:23:52:35 | request.query | semmle.label | request.query |
| fastify.js:52:23:52:50 | request ... stAbort | semmle.label | request ... stAbort |
| fastify.js:53:46:53:54 | userInput | semmle.label | userInput |
| fastify.js:57:9:57:39 | userInput | semmle.label | userInput |
| fastify.js:57:21:57:33 | request.query | semmle.label | request.query |
| fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
| fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
| fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
| fastify.js:66:24:66:36 | request.query | semmle.label | request.query |
| fastify.js:66:24:66:47 | request ... redCode | semmle.label | request ... redCode |
| fastify.js:71:34:71:51 | request.storedCode | semmle.label | request.storedCode |
| fastify.js:79:20:79:32 | request.query | semmle.label | request.query |
| fastify.js:79:20:79:42 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:84:30:84:43 | reply.userCode | semmle.label | reply.userCode |
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:33 | tainted | semmle.label | tainted |

94
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
View File

@@ -11,6 +11,46 @@ edges
| express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | |
| express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | |
| express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | |
| fastify.js:4:9:4:43 | userInput | fastify.js:5:44:5:52 | userInput | provenance | |
| fastify.js:4:21:4:33 | request.query | fastify.js:4:9:4:43 | userInput | provenance | |
| fastify.js:4:21:4:43 | request ... Request | fastify.js:4:9:4:43 | userInput | provenance | |
| fastify.js:9:9:9:40 | userInput | fastify.js:10:44:10:52 | userInput | provenance | |
| fastify.js:9:21:9:33 | request.query | fastify.js:9:9:9:40 | userInput | provenance | |
| fastify.js:9:21:9:40 | request.query.onSend | fastify.js:9:9:9:40 | userInput | provenance | |
| fastify.js:15:9:15:44 | userInput | fastify.js:16:44:16:52 | userInput | provenance | |
| fastify.js:15:21:15:33 | request.query | fastify.js:15:9:15:44 | userInput | provenance | |
| fastify.js:15:21:15:44 | request ... Parsing | fastify.js:15:9:15:44 | userInput | provenance | |
| fastify.js:21:9:21:47 | userInput | fastify.js:22:44:22:52 | userInput | provenance | |
| fastify.js:21:21:21:33 | request.query | fastify.js:21:9:21:47 | userInput | provenance | |
| fastify.js:21:21:21:47 | request ... idation | fastify.js:21:9:21:47 | userInput | provenance | |
| fastify.js:26:9:26:44 | userInput | fastify.js:27:44:27:52 | userInput | provenance | |
| fastify.js:26:21:26:33 | request.query | fastify.js:26:9:26:44 | userInput | provenance | |
| fastify.js:26:21:26:44 | request ... Handler | fastify.js:26:9:26:44 | userInput | provenance | |
| fastify.js:31:9:31:50 | userInput | fastify.js:32:44:32:52 | userInput | provenance | |
| fastify.js:31:21:31:33 | request.query | fastify.js:31:9:31:50 | userInput | provenance | |
| fastify.js:31:21:31:50 | request ... ization | fastify.js:31:9:31:50 | userInput | provenance | |
| fastify.js:37:9:37:44 | userInput | fastify.js:38:44:38:52 | userInput | provenance | |
| fastify.js:37:21:37:33 | request.query | fastify.js:37:9:37:44 | userInput | provenance | |
| fastify.js:37:21:37:44 | request ... esponse | fastify.js:37:9:37:44 | userInput | provenance | |
| fastify.js:42:9:42:41 | userInput | fastify.js:43:44:43:52 | userInput | provenance | |
| fastify.js:42:21:42:33 | request.query | fastify.js:42:9:42:41 | userInput | provenance | |
| fastify.js:42:21:42:41 | request ... onError | fastify.js:42:9:42:41 | userInput | provenance | |
| fastify.js:47:9:47:43 | userInput | fastify.js:48:44:48:52 | userInput | provenance | |
| fastify.js:47:21:47:33 | request.query | fastify.js:47:9:47:43 | userInput | provenance | |
| fastify.js:47:21:47:43 | request ... Timeout | fastify.js:47:9:47:43 | userInput | provenance | |
| fastify.js:52:11:52:50 | userInput | fastify.js:53:46:53:54 | userInput | provenance | |
| fastify.js:52:23:52:35 | request.query | fastify.js:52:11:52:50 | userInput | provenance | |
| fastify.js:52:23:52:50 | request ... stAbort | fastify.js:52:11:52:50 | userInput | provenance | |
| fastify.js:57:9:57:39 | userInput | fastify.js:58:44:58:52 | userInput | provenance | |
| fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
| fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:57:21:57:39 | request.query.input | fastify.js:57:9:57:39 | userInput | provenance | |
| fastify.js:66:24:66:36 | request.query | fastify.js:66:24:66:47 | request ... redCode | provenance | |
| fastify.js:66:24:66:47 | request ... redCode | fastify.js:71:34:71:51 | request.storedCode | provenance | |
| fastify.js:79:20:79:32 | request.query | fastify.js:79:20:79:42 | request ... plyCode | provenance | |
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -82,6 +122,60 @@ nodes
| express.js:36:15:36:19 | taint | semmle.label | taint |
| express.js:42:30:42:32 | msg | semmle.label | msg |
| express.js:43:10:43:12 | msg | semmle.label | msg |
| fastify.js:4:9:4:43 | userInput | semmle.label | userInput |
| fastify.js:4:21:4:33 | request.query | semmle.label | request.query |
| fastify.js:4:21:4:43 | request ... Request | semmle.label | request ... Request |
| fastify.js:5:44:5:52 | userInput | semmle.label | userInput |
| fastify.js:9:9:9:40 | userInput | semmle.label | userInput |
| fastify.js:9:21:9:33 | request.query | semmle.label | request.query |
| fastify.js:9:21:9:40 | request.query.onSend | semmle.label | request.query.onSend |
| fastify.js:10:44:10:52 | userInput | semmle.label | userInput |
| fastify.js:15:9:15:44 | userInput | semmle.label | userInput |
| fastify.js:15:21:15:33 | request.query | semmle.label | request.query |
| fastify.js:15:21:15:44 | request ... Parsing | semmle.label | request ... Parsing |
| fastify.js:16:44:16:52 | userInput | semmle.label | userInput |
| fastify.js:21:9:21:47 | userInput | semmle.label | userInput |
| fastify.js:21:21:21:33 | request.query | semmle.label | request.query |
| fastify.js:21:21:21:47 | request ... idation | semmle.label | request ... idation |
| fastify.js:22:44:22:52 | userInput | semmle.label | userInput |
| fastify.js:26:9:26:44 | userInput | semmle.label | userInput |
| fastify.js:26:21:26:33 | request.query | semmle.label | request.query |
| fastify.js:26:21:26:44 | request ... Handler | semmle.label | request ... Handler |
| fastify.js:27:44:27:52 | userInput | semmle.label | userInput |
| fastify.js:31:9:31:50 | userInput | semmle.label | userInput |
| fastify.js:31:21:31:33 | request.query | semmle.label | request.query |
| fastify.js:31:21:31:50 | request ... ization | semmle.label | request ... ization |
| fastify.js:32:44:32:52 | userInput | semmle.label | userInput |
| fastify.js:37:9:37:44 | userInput | semmle.label | userInput |
| fastify.js:37:21:37:33 | request.query | semmle.label | request.query |
| fastify.js:37:21:37:44 | request ... esponse | semmle.label | request ... esponse |
| fastify.js:38:44:38:52 | userInput | semmle.label | userInput |
| fastify.js:42:9:42:41 | userInput | semmle.label | userInput |
| fastify.js:42:21:42:33 | request.query | semmle.label | request.query |
| fastify.js:42:21:42:41 | request ... onError | semmle.label | request ... onError |
| fastify.js:43:44:43:52 | userInput | semmle.label | userInput |
| fastify.js:47:9:47:43 | userInput | semmle.label | userInput |
| fastify.js:47:21:47:33 | request.query | semmle.label | request.query |
| fastify.js:47:21:47:43 | request ... Timeout | semmle.label | request ... Timeout |
| fastify.js:48:44:48:52 | userInput | semmle.label | userInput |
| fastify.js:52:11:52:50 | userInput | semmle.label | userInput |
| fastify.js:52:23:52:35 | request.query | semmle.label | request.query |
| fastify.js:52:23:52:50 | request ... stAbort | semmle.label | request ... stAbort |
| fastify.js:53:46:53:54 | userInput | semmle.label | userInput |
| fastify.js:57:9:57:39 | userInput | semmle.label | userInput |
| fastify.js:57:21:57:33 | request.query | semmle.label | request.query |
| fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
| fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
| fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
| fastify.js:66:24:66:36 | request.query | semmle.label | request.query |
| fastify.js:66:24:66:47 | request ... redCode | semmle.label | request ... redCode |
| fastify.js:71:34:71:51 | request.storedCode | semmle.label | request.storedCode |
| fastify.js:79:20:79:32 | request.query | semmle.label | request.query |
| fastify.js:79:20:79:42 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:84:30:84:43 | reply.userCode | semmle.label | reply.userCode |
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:33 | tainted | semmle.label | tainted |

103
javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js Normal file
View File

@@ -0,0 +1,103 @@
const fastify = require('fastify')({ logger: true });
fastify.addHook('onRequest', async (request, reply) => {
const userInput = request.query.onRequest; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.addHook('onSend', async (request, reply, payload) => {
const userInput = request.query.onSend; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
return JSON.stringify({ ...JSON.parse(payload), onSend: request.evalResult });
});
fastify.addHook('preParsing', async (request, reply, payload) => {
const userInput = request.query.preParsing; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
return payload;
});
fastify.addHook('preValidation', async (request, reply) => {
const userInput = request.query.preValidation; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.addHook('preHandler', async (request, reply) => {
const userInput = request.query.preHandler; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.addHook('preSerialization', async (request, reply, payload) => {
const userInput = request.query.preSerialization; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
return payload;
});
fastify.addHook('onResponse', async (request, reply) => {
const userInput = request.query.onResponse; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.addHook('onError', async (request, reply, error) => {
const userInput = request.query.onError; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.addHook('onTimeout', async (request, reply) => {
const userInput = request.query.onTimeout; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.addHook('onRequestAbort', (request, done) => {
const userInput = request.query.onRequestAbort; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
});
fastify.get('/dangerous', async (request, reply) => {
const userInput = request.query.input; // $ Source[js/code-injection]
if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
const result = eval(userInput); // $ Alert[js/code-injection]
return { result };
});
// Store user input in request object
fastify.addHook('preHandler', async (request, reply) => {
request.storedCode = request.query.storedCode; // $ Source[js/code-injection]
});
fastify.get('/flow-through-request', async (request, reply) => {
// Use the stored code from previous hook
if (request.storedCode) {
const evaluatedResult = eval(request.storedCode); // $ Alert[js/code-injection]
return { result: evaluatedResult };
}
return { result: null };
});
// Store user input in reply object
fastify.addHook('onRequest', async (request, reply) => {
reply.userCode = request.query.replyCode; // $ Source[js/code-injection]
});
fastify.get('/flow-through-reply', async (request, reply) => {
// Use the code stored in reply object
if (reply.userCode) {
const replyResult = eval(reply.userCode); // $ Alert[js/code-injection]
return { result: replyResult };
}
return { result: null };
});
// Store user input in reply object
fastify.addHook('onRequest', async (request, reply) => {
reply.locals = reply.locals || {};
reply.locals.nestedCode = request.query.replyCode; // $ Source[js/code-injection]
});
fastify.get('/flow-through-reply', async (request, reply) => {
// Use the code stored in reply object
if (reply.locals && reply.locals.nestedCode) {
const replyResult = eval(reply.locals.nestedCode); // $ Alert[js/code-injection]
return { result: replyResult };
}
return { result: null };
});