JS: mark Koa params as user-controlled objects

2026-03-18 21:46:46 +01:00 · 2018-11-07 12:10:54 +01:00
parent 28f3b686a7
commit a2df4f9bfe
1 changed files with 12 additions and 6 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Koa.qll
@@ -167,12 +167,8 @@ module Koa {
        kind = "body" and
        this.asExpr().(PropAccess).accesses(request, "body")
        or
-        exists (PropAccess query |
-          kind = "parameter" and
-          // `ctx.request.query.name`
-          query.accesses(request, "query")  and
-          this.asExpr().(PropAccess).accesses(query, _)
-        )
+        kind = "parameter" and
+        this = getAQueryParameterAccess(rh)
        or
        exists (string propName |
          // `ctx.request.url`, `ctx.request.originalUrl`, or `ctx.request.href`
@@ -203,6 +199,16 @@ module Koa {
    override string getKind() {
      result = kind
    }
+
+    override predicate isUserControlledObject() {
+      this = getAQueryParameterAccess(rh)
+    }
+
+  }
+
+  private DataFlow::Node getAQueryParameterAccess(RouteHandler rh) {
+    // `ctx.request.query.name`
+    result.asExpr().(PropAccess).getBase().(PropAccess).accesses(rh.getARequestExpr(), "query")
  }

  /**