From a2df4f9bfebea52eeb02db4b2c080dabc97fb01e Mon Sep 17 00:00:00 2001
From: Esben Sparre Andreasen
Date: Wed, 7 Nov 2018 12:10:54 +0100
Subject: [PATCH] JS: mark Koa params as user-controlled objects
---
 .../src/semmle/javascript/frameworks/Koa.qll | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Koa.qll b/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
index 6bf4979aff0..33d8e95d52b 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
@@ -167,12 +167,8 @@ module Koa {
 kind = "body" and
 this.asExpr().(PropAccess).accesses(request, "body")
 or
- exists (PropAccess query |
- kind = "parameter" and
- // `ctx.request.query.name`
- query.accesses(request, "query") and
- this.asExpr().(PropAccess).accesses(query, _)
- )
+ kind = "parameter" and
+ this = getAQueryParameterAccess(rh)
 or
 exists (string propName |
 // `ctx.request.url`, `ctx.request.originalUrl`, or `ctx.request.href`
@@ -203,6 +199,16 @@ module Koa {
 override string getKind() {
 result = kind
 }
+
+ override predicate isUserControlledObject() {
+ this = getAQueryParameterAccess(rh)
+ }
+
+ }
+
+ private DataFlow::Node getAQueryParameterAccess(RouteHandler rh) {
+ // `ctx.request.query.name`
+ result.asExpr().(PropAccess).getBase().(PropAccess).accesses(rh.getARequestExpr(), "query")
 }
 
 /**
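Review bot: The `kind = "parameter"` disjunct now resolves the request through `rh.getARequestExpr()` inside `getAQueryParameterAccess`, while the `kind = "body"` disjunct two lines above still uses the local `request`, which is bound outside this hunk; if `request` is not exactly `rh.getARequestExpr()` for this handler, the two disjuncts would accept different request expressions for the same `rh`. If they are equivalent, a one-line comment on the new disjunct would save the next reader the check: `// same request expressions as `request` above, via rh.getARequestExpr()`. The enclosing characteristic predicate starts before this hunk and its `request` binding is not visible here.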
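Review bot: Neither the new `isUserControlledObject` override nor the `getAQueryParameterAccess` helper documents why a query-parameter read is treated as a user-controlled object rather than a plain string; the `ctx.request.query.name` example is the only hint. Suggest a QLDoc on the helper along the lines of `/** Gets an access to a query parameter of a request handled by `rh`, e.g. `ctx.request.query.name`. Presumably such a value can be an array when the query string repeats a key, so it is modelled as a user-controlled object. */` (confirm the array case against Koa's query parsing before stating it). The helper matches only a direct property read whose base is a `query` access, so a read of the whole `ctx.request.query` object or a nested read like `ctx.request.query.a.b` is not produced; if that is intended, say so in the same QLDoc. The class this override belongs to opens outside the hunk.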