hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 20:58:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: mark Koa params as user-controlled objects

Browse Source
This commit is contained in:
Esben Sparre Andreasen
2018-11-07 12:10:54 +01:00
parent 28f3b686a7
commit a2df4f9bfe
1 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
javascript/ql/src/semmle/javascript/frameworks/Koa.qll
View File

@@ -167,12 +167,8 @@ module Koa {
kind = "body" and kind = "body" and
this.asExpr().(PropAccess).accesses(request, "body") this.asExpr().(PropAccess).accesses(request, "body")
or or
exists (PropAccess query | kind = "parameter" and
kind = "parameter" and this = getAQueryParameterAccess(rh)
// `ctx.request.query.name`
query.accesses(request, "query") and
this.asExpr().(PropAccess).accesses(query, _)
)
or or
exists (string propName | exists (string propName |
// `ctx.request.url`, `ctx.request.originalUrl`, or `ctx.request.href` // `ctx.request.url`, `ctx.request.originalUrl`, or `ctx.request.href`
@@ -203,6 +199,16 @@ module Koa {
override string getKind() { override string getKind() {
result = kind result = kind
} }
override predicate isUserControlledObject() {
this = getAQueryParameterAccess(rh)
}
}
private DataFlow::Node getAQueryParameterAccess(RouteHandler rh) {
// `ctx.request.query.name`
result.asExpr().(PropAccess).getBase().(PropAccess).accesses(rh.getARequestExpr(), "query")
} }
/** /**