Merge pull request #434 from esben-semmle/js/type-confusion-with-taint-kinds

Approved by asger-semmle

javascript/ql/src/semmle/javascript/frameworks/Koa.qll

@@ -167,12 +167,8 @@ module Koa {
         kind = "body" and
         this.asExpr().(PropAccess).accesses(request, "body")
         or
-        exists (PropAccess query |
-          kind = "parameter" and
-          // `ctx.request.query.name`
-          query.accesses(request, "query")  and
-          this.asExpr().(PropAccess).accesses(query, _)
-        )
+        kind = "parameter" and
+        this = getAQueryParameterAccess(rh)
         or
         exists (string propName |
           // `ctx.request.url`, `ctx.request.originalUrl`, or `ctx.request.href`
@@ -203,6 +199,16 @@ module Koa {
     override string getKind() {
       result = kind
     }
+
+    override predicate isUserControlledObject() {
+      this = getAQueryParameterAccess(rh)
+    }
+
+  }
+
+  private DataFlow::Node getAQueryParameterAccess(RouteHandler rh) {
+    // `ctx.request.query.name`
+    result.asExpr().(PropAccess).getBase().(PropAccess).accesses(rh.getARequestExpr(), "query")
   }
 
   /**

javascript/ql/src/semmle/javascript/security/dataflow/TypeConfusionThroughParameterTampering.qll

@@ -54,12 +54,7 @@ module TypeConfusionThroughParameterTampering {
   private class TypeTamperableRequestParameter extends Source {
 
     TypeTamperableRequestParameter() {
-      this.(HTTP::RequestInputAccess).getKind() = "parameter" and
-      not exists (Express::RequestExpr request, DataFlow::PropRead base |
-        // Express's `req.params.name` is always a string
-        base.accesses(request.flow(), "params") and
-        this = base.getAPropertyRead(_)
-      )
+      this.(HTTP::RequestInputAccess).isUserControlledObject()
     }
 
   }