Add .qhelp and apply some review changes

2026-04-19 22:14:01 +02:00 · 2023-10-02 18:05:39 +02:00
parent 142ab01b48
commit 816eebbb51
13 changed files with 189 additions and 116 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll
@@ -0,0 +1,36 @@
+/**
+ * Provides classes for working with Apollo GraphQL connectors.
+ */
+
+import javascript
+
+/** Provides classes modeling the apollo packages [@apollo/server](https://npmjs.com/package/@apollo/server`) */
+module Apollo {
+  /** Get an instanceof of `Apollo` */
+  private API::Node apollo() {
+    result =
+      API::moduleImport([
+          "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core",
+          "apollo-server", "apollo-server-express"
+        ]).getMember("ApolloServer")
+  }
+
+  /** Get an instanceof of the `gql` function that parses GraphQL strings. */
+  private API::Node gql() {
+    result =
+      API::moduleImport([
+          "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core",
+          "apollo-server", "apollo-server-express"
+        ]).getMember("gql")
+  }
+
+  /** A string that is interpreted as a GraphQL query by a `graphql` package. */
+  class ApolloServer extends API::NewNode {
+    ApolloServer() { this = apollo().getAnInstantiation() }
+  }
+
+  /** A string that is interpreted as a GraphQL query by a `apollo` package. */
+  class ApolloGraphQLString extends GraphQL::GraphQLString {
+    ApolloGraphQLString() { this = gql().getACall().getArgument(0) }
+  }
+}
--- a/javascript/ql/lib/semmle/javascript/frameworks/ApolloGraphQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/ApolloGraphQL.qll
@@ -1,56 +0,0 @@
-/**
- * Provides classes for working with Apollo GraphQL connectors.
- */
-
-import javascript
-
-/** Provides classes modeling concepts of Apollo GraphQL. */
-module ApolloGraphQL {
-  /** A string-valued expression that is interpreted as a Apollo GraphQL query. */
-  abstract class GraphQLString extends DataFlow::Node { }
-
-  /** A string-valued expression that is interpreted as a Apollo GraphQL query. */
-  abstract class ApolloGraphQLServer extends DataFlow::Node { }
-}
-
-/**
- * Provides classes modeling the apollo packages [@apollo/server](https://npmjs.com/package/@apollo/server`)
- */
-private module Apollo {
-  /** Get an instanceof of `Apollo` */
-  private API::Node apollo() {
-    result =
-      API::moduleImport([
-          "@apollo/server", "apollo/server", "@apollo/apollo-server-express",
-          "@apollo/apollo-server-core", "apollo-server", "apollo-server-express"
-        ]).getMember("ApolloServer")
-  }
-
-  /** Get an instanceof of `gql` */
-  private API::Node gql() {
-    result =
-      API::moduleImport([
-          "@apollo/server", "apollo/server", "@apollo/apollo-server-express",
-          "@apollo/apollo-server-core", "apollo-server", "apollo-server-express"
-        ]).getMember("gql")
-  }
-
-  /** A string that is interpreted as a GraphQL query by a `octokit` package. */
-  private class ApolloGraphQLString extends GraphQL::GraphQLString {
-    ApolloGraphQLString() { this = gql().getACall() }
-  }
-
-  /** A string that is interpreted as a GraphQL query by a `graphql` package. */
-  private class ApolloServer extends ApolloGraphQL::ApolloGraphQLServer {
-    ApolloServer() { this = apollo().getAnInstantiation() }
-
-    predicate isPermissive() {
-      this.(DataFlow::NewNode)
-          .getOptionArgument(0, "cors")
-          .getALocalSource()
-          .getAPropertyWrite("origin")
-          .getRhs()
-          .mayHaveBooleanValue(true)
-    }
-  }
-}
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationCustomizations.qll
@@ -27,8 +27,8 @@ module CorsPermissiveConfiguration {
    RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
  }

-  /** true and null are considered bad values */
-  class BadValues extends Source instanceof DataFlow::Node {
+  /** An overfly permissive value for `origin` */
+  class BadValues extends Source {
    BadValues() { this.mayHaveBooleanValue(true) or this.asExpr() instanceof NullLiteral }
  }

@@ -37,13 +37,9 @@ module CorsPermissiveConfiguration {
   */
  class CorsApolloServer extends Sink, DataFlow::ValueNode {
    CorsApolloServer() {
-      exists(ApolloGraphQL::ApolloGraphQLServer agql |
+      exists(Apollo::ApolloServer agql |
        this =
-          agql.(DataFlow::NewNode)
-              .getOptionArgument(0, "cors")
-              .getALocalSource()
-              .getAPropertyWrite("origin")
-              .getRhs()
+          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
      )
    }
  }