Merge pull request #19108 from asgerf/js/api-graph-spread-rest

JS: Handle spread/rest in API graphs
2026-04-26 17:25:19 +02:00 · 2025-04-01 17:48:36 +02:00
parent aacdc70a73 4746cfddf2
commit 887942e3e9
5 changed files with 107 additions and 2 deletions
--- a/javascript/ql/test/ApiGraphs/spread/tst.js
+++ b/javascript/ql/test/ApiGraphs/spread/tst.js
@@ -9,3 +9,21 @@ function f() {
 lib.m1({
    ...f()
 })
+
+function getArgs() {
+    return [
+        'x', /* def=moduleImport("something").getMember("exports").getMember("m2").getSpreadArgument(0).getArrayElement() */
+        'y', /* def=moduleImport("something").getMember("exports").getMember("m2").getSpreadArgument(0).getArrayElement() */
+    ]
+}
+
+lib.m2(...getArgs());
+
+function f3() {
+    return [
+        'x', /* def=moduleImport("something").getMember("exports").getMember("m3").getSpreadArgument(1).getArrayElement() */
+        'y', /* def=moduleImport("something").getMember("exports").getMember("m3").getSpreadArgument(1).getArrayElement() */
+    ]
+}
+
+lib.m3.bind(undefined, 1)(...f3());
--- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected
@@ -1,5 +1,6 @@
 #select
 | apollo.serverSide.ts:8:39:8:64 | get(fil ...  => {}) | apollo.serverSide.ts:7:36:7:44 | { files } | apollo.serverSide.ts:8:43:8:50 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:8:43:8:50 | file.url | URL | apollo.serverSide.ts:7:36:7:44 | { files } | user-provided value |
+| apollo.serverSide.ts:18:37:18:62 | get(fil ...  => {}) | apollo.serverSide.ts:17:34:17:42 | { files } | apollo.serverSide.ts:18:41:18:48 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:18:41:18:48 | file.url | URL | apollo.serverSide.ts:17:34:17:42 | { files } | user-provided value |
 | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | The $@ of this request depends on a $@. | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | endpoint | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | user-provided value |
 | serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
 | serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
@@ -31,6 +32,11 @@ edges
 | apollo.serverSide.ts:8:13:8:17 | files | apollo.serverSide.ts:8:28:8:31 | file | provenance |  |
 | apollo.serverSide.ts:8:28:8:31 | file | apollo.serverSide.ts:8:43:8:46 | file | provenance |  |
 | apollo.serverSide.ts:8:43:8:46 | file | apollo.serverSide.ts:8:43:8:50 | file.url | provenance |  |
+| apollo.serverSide.ts:17:34:17:42 | files | apollo.serverSide.ts:18:11:18:15 | files | provenance |  |
+| apollo.serverSide.ts:17:34:17:42 | { files } | apollo.serverSide.ts:17:34:17:42 | files | provenance |  |
+| apollo.serverSide.ts:18:11:18:15 | files | apollo.serverSide.ts:18:26:18:29 | file | provenance |  |
+| apollo.serverSide.ts:18:26:18:29 | file | apollo.serverSide.ts:18:41:18:44 | file | provenance |  |
+| apollo.serverSide.ts:18:41:18:44 | file | apollo.serverSide.ts:18:41:18:48 | file.url | provenance |  |
 | axiosInterceptors.serverSide.js:19:11:19:17 | { url } | axiosInterceptors.serverSide.js:19:11:19:28 | url | provenance |  |
 | axiosInterceptors.serverSide.js:19:11:19:28 | url | axiosInterceptors.serverSide.js:20:23:20:25 | url | provenance |  |
 | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:19:11:19:17 | { url } | provenance |  |
@@ -91,6 +97,12 @@ nodes
 | apollo.serverSide.ts:8:28:8:31 | file | semmle.label | file |
 | apollo.serverSide.ts:8:43:8:46 | file | semmle.label | file |
 | apollo.serverSide.ts:8:43:8:50 | file.url | semmle.label | file.url |
+| apollo.serverSide.ts:17:34:17:42 | files | semmle.label | files |
+| apollo.serverSide.ts:17:34:17:42 | { files } | semmle.label | { files } |
+| apollo.serverSide.ts:18:11:18:15 | files | semmle.label | files |
+| apollo.serverSide.ts:18:26:18:29 | file | semmle.label | file |
+| apollo.serverSide.ts:18:41:18:44 | file | semmle.label | file |
+| apollo.serverSide.ts:18:41:18:48 | file.url | semmle.label | file.url |
 | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | semmle.label | userProvidedUrl |
 | axiosInterceptors.serverSide.js:19:11:19:17 | { url } | semmle.label | { url } |
 | axiosInterceptors.serverSide.js:19:11:19:28 | url | semmle.label | url |
--- a/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-918/apollo.serverSide.ts
@@ -14,8 +14,8 @@ function createApolloServer(typeDefs) {

    const resolvers2 = {
      Mutation: {
-        downloadFiles: async (_, { files }) => { // $ MISSING: Source[js/request-forgery]
-          files.forEach((file) => { get(file.url, (res) => {}); }); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery]
+        downloadFiles: async (_, { files }) => { // $ Source[js/request-forgery]
+          files.forEach((file) => { get(file.url, (res) => {}); }); // $ Alert[js/request-forgery] Sink[js/request-forgery]
          return true;
        },
      },