Move to experimental

2026-04-26 01:05:15 +02:00 · 2024-01-09 01:11:58 +01:00
parent 7662b2bd24
commit 78e7793e01
3 changed files with 20 additions and 20 deletions
--- a/javascript/ql/src/experimental/Security/CWE-942/Cors.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/Cors.qll
@@ -0,0 +1,24 @@
+/**
+ * Provides classes for working with Cors connectors.
+ */
+
+import javascript
+
+/** Provides classes modeling the [cors](https://npmjs.com/package/cors) library. */
+module Cors {
+  /**
+   * An expression that creates a new CORS configuration.
+   */
+  class Cors extends DataFlow::CallNode {
+    Cors() { this = DataFlow::moduleImport("cors").getAnInvocation() }
+
+    /** Get the options used to configure Cors */
+    DataFlow::Node getOptionsArgument() { result = this.getArgument(0) }
+
+    /** Holds if cors is using default configuration */
+    predicate isDefault() { this.getNumArgument() = 0 }
+
+    /** Gets the value of the `origin` option used to configure this Cors instance. */
+    DataFlow::Node getOrigin() { result = this.getOptionArgument(0, "origin") }
+  }
+}
--- a/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/src/experimental/Security/CWE-942/CorsPermissiveConfigurationCustomizations.qll
@@ -5,6 +5,7 @@
 */

 import javascript
+import Cors

 /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
 module CorsPermissiveConfiguration {
@@ -69,7 +70,25 @@ module CorsPermissiveConfiguration {
   */
  class ExpressCors extends Sink, DataFlow::ValueNode {
    ExpressCors() {
-      exists(Express::CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
+      exists(CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
    }
  }
+
+  /**
+   * An express route setup configured with the `cors` package.
+   */
+  class CorsConfiguration extends DataFlow::MethodCallNode {
+    Cors::Cors corsConfig;
+
+    CorsConfiguration() {
+      exists(Express::RouteSetup setup | this = setup |
+        if setup.isUseCall()
+        then corsConfig = setup.getArgument(0)
+        else corsConfig = setup.getArgument(any(int i | i > 0))
+      )
+    }
+
+    /** Gets the expression that configures `cors` on this route setup. */
+    Cors::Cors getCorsConfiguration() { result = corsConfig }
+  }
 }