support NextJS API endpoints

2026-05-02 20:25:13 +02:00 · 2021-02-16 15:42:15 +01:00
parent 0e7e3e6178
commit a79c30a818
4 changed files with 39 additions and 0 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Next.qll
@@ -193,4 +193,34 @@ module NextJS {

    override HTTP::RouteHandler getRouteHandler() { result = rh }
  }
+
+  /**
+   * Gets a folder that contains API endpoints for a Next.js application.
+   * These API endpoints act as Express-like route-handlers.
+   */
+  Folder apiFolder() {
+    result = getANextPackage().getFile().getParentContainer().getFolder("pages").getFolder("api")
+    or
+    result = apiFolder().getAFolder()
+  }
+
+  /**
+   * A Next.js route handler for an API endpoint.
+   * The response (res) includes a set of Express.js-like methods,
+   * and we therefore model the routehandler as an Express.js routehandler.
+   */
+  class NextAPIRouteHandler extends DataFlow::FunctionNode, Express::RouteHandler,
+    HTTP::Servers::StandardRouteHandler {
+    NextAPIRouteHandler() {
+      exists(Module mod | mod.getFile().getParentContainer() = apiFolder() |
+        this = mod.getAnExportedValue("default").getAFunctionValue()
+      )
+    }
+
+    override Parameter getRouteHandlerParameter(string kind) {
+      kind = "request" and result = getFunction().getParameter(0)
+      or
+      kind = "response" and result = getFunction().getParameter(1)
+    }
+  }
 }
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -109,6 +109,9 @@ nodes
 | pages/Next.jsx:15:13:15:19 | req.url |
 | pages/Next.jsx:15:13:15:19 | req.url |
 | pages/Next.jsx:15:13:15:19 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url |
 | partial.js:9:25:9:25 | x |
 | partial.js:10:14:10:14 | x |
 | partial.js:10:14:10:18 | x + y |
@@ -245,6 +248,7 @@ edges
 | formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) |
 | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url |
 | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url |
 | partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x |
 | partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
 | partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
@@ -313,6 +317,7 @@ edges
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value |
 | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value |
+| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value |
 | partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
 | partial.js:19:14:19:18 | x + y | partial.js:22:51:22:57 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:51:22:57 | req.url | user-provided value |
 | partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -23,6 +23,7 @@
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value |
 | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value |
+| pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value |
 | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
 | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:51:22:57 | req.url | user-provided value |
 | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js
@@ -0,0 +1,3 @@
+export default function handler(req, res) {
+    res.send(req.url);
+}