JS: make the Fastify model support isUserControlledObject

2025-12-20 10:46:30 +01:00 · 2020-05-20 14:33:19 +02:00
parent 894033df8a
commit c400b45cd6
4 changed files with 143 additions and 6 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Fastify.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Fastify.qll
@@ -146,6 +146,51 @@ module Fastify {
    override RouteHandler getRouteHandler() { result = rh }

    override string getKind() { result = kind }
+
+    override predicate isUserControlledObject() {
+      kind = "body" and
+      (
+        usesFastifyPlugin(rh, DataFlow::moduleImport(["fastify-xml-body-parser", "fastify-formbody"]))
+        or
+        usesMiddleware(rh,
+          any(ExpressLibraries::BodyParser bodyParser | bodyParser.producesUserControlledObjects()))
+      )
+      or
+      kind = "parameter" and
+      usesFastifyPlugin(rh, DataFlow::moduleImport("fastify-qs"))
+    }
+  }
+
+  /**
+   * Holds if `rh` uses `plugin`.
+   */
+  private predicate usesFastifyPlugin(RouteHandler rh, DataFlow::SourceNode plugin) {
+    exists(RouteSetup setup |
+      plugin
+          .flowsTo(setup
+                .getServer()
+                .flow()
+                .(DataFlow::SourceNode)
+                .getAMethodCall("register")
+                .getArgument(0)) and // only matches the plugins that apply to all routes
+      rh = setup.getARouteHandler()
+    )
+  }
+
+  /**
+   * Holds if `rh` uses `plugin`.
+   */
+  private predicate usesMiddleware(RouteHandler rh, DataFlow::SourceNode middleware) {
+    exists(RouteSetup setup |
+      middleware
+          .flowsTo(setup
+                .getServer()
+                .flow()
+                .(DataFlow::SourceNode)
+                .getAMethodCall("use")
+                .getArgument(0)) and // only matches the middlewares that apply to all routes
+      rh = setup.getARouteHandler()
+    )
  }

  /**
--- a/javascript/ql/test/library-tests/frameworks/fastify/RequestInputAccess.qll
+++ b/javascript/ql/test/library-tests/frameworks/fastify/RequestInputAccess.qll
@@ -1,7 +1,11 @@
 import javascript

 query predicate test_RequestInputAccess(
-  HTTP::RequestInputAccess ria, string res, Fastify::RouteHandler rh
+  HTTP::RequestInputAccess ria, string res, Fastify::RouteHandler rh, boolean isUserControlledObject
 ) {
-  ria.getRouteHandler() = rh and res = ria.getKind()
+  ria.getRouteHandler() = rh and
+  res = ria.getKind() and
+  if ria.isUserControlledObject()
+  then isUserControlledObject = true
+  else isUserControlledObject = false
 }
--- a/javascript/ql/test/library-tests/frameworks/fastify/src/fastify.js
+++ b/javascript/ql/test/library-tests/frameworks/fastify/src/fastify.js
@@ -46,3 +46,47 @@ fastify.post(
  }
 );
 fastify.listen(3000);
+
+var fastifyWithObjects1 = require("fastify")();
+fastifyWithObjects1.register(require("fastify-xml-body-parser"));
+fastifyWithObjects1.post(
+  "/:params",
+  /* handler */ function(request, reply) {
+    request.query;
+    request.body;
+    request.params;
+  }
+);
+
+var fastifyWithObjects2 = require("fastify")();
+fastifyWithObjects2.register(require("fastify-formbody"));
+fastifyWithObjects2.post(
+  "/:params",
+  /* handler */ function(request, reply) {
+    request.query;
+    request.body;
+    request.params;
+  }
+);
+
+var fastifyWithObjects3 = require("fastify")();
+fastifyWithObjects3.register(require("fastify-qs"));
+fastifyWithObjects3.post(
+  "/:params",
+  /* handler */ function(request, reply) {
+    request.query;
+    request.body;
+    request.params;
+  }
+);
+
+var fastifyWithObjects4 = require("fastify")();
+fastifyWithObjects4.use(require("body-parser").urlencoded({ extended: true }));
+fastifyWithObjects4.post(
+  "/:params",
+  /* handler */ function(request, reply) {
+    request.query;
+    request.body;
+    request.params;
+  }
+);
--- a/javascript/ql/test/library-tests/frameworks/fastify/tests.expected
+++ b/javascript/ql/test/library-tests/frameworks/fastify/tests.expected
@@ -3,11 +3,27 @@ test_RouteSetup
 | src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) |
 | src/fastify.js:23:1:29:1 | fastify ... e\\n  }\\n) |
 | src/fastify.js:31:1:47:1 | fastify ... m\\n  }\\n) |
+| src/fastify.js:52:1:59:1 | fastify ... ;\\n  }\\n) |
+| src/fastify.js:63:1:70:1 | fastify ... ;\\n  }\\n) |
+| src/fastify.js:74:1:81:1 | fastify ... ;\\n  }\\n) |
+| src/fastify.js:85:1:92:1 | fastify ... ;\\n  }\\n) |
 test_RequestInputAccess
-| src/fastify.js:36:5:36:17 | request.query | parameter | src/fastify.js:34:17:46:3 | functio ... eam\\n  } |
-| src/fastify.js:37:5:37:16 | request.body | body | src/fastify.js:34:17:46:3 | functio ... eam\\n  } |
-| src/fastify.js:38:5:38:18 | request.params | parameter | src/fastify.js:34:17:46:3 | functio ... eam\\n  } |
-| src/fastify.js:39:5:39:24 | request.headers.name | header | src/fastify.js:34:17:46:3 | functio ... eam\\n  } |
+| src/fastify.js:36:5:36:17 | request.query | parameter | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | false |
+| src/fastify.js:37:5:37:16 | request.body | body | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | false |
+| src/fastify.js:38:5:38:18 | request.params | parameter | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | false |
+| src/fastify.js:39:5:39:24 | request.headers.name | header | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | false |
+| src/fastify.js:55:5:55:17 | request.query | parameter | src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | false |
+| src/fastify.js:56:5:56:16 | request.body | body | src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | true |
+| src/fastify.js:57:5:57:18 | request.params | parameter | src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | false |
+| src/fastify.js:66:5:66:17 | request.query | parameter | src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | false |
+| src/fastify.js:67:5:67:16 | request.body | body | src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | true |
+| src/fastify.js:68:5:68:18 | request.params | parameter | src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | false |
+| src/fastify.js:77:5:77:17 | request.query | parameter | src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | true |
+| src/fastify.js:78:5:78:16 | request.body | body | src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | false |
+| src/fastify.js:79:5:79:18 | request.params | parameter | src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | true |
+| src/fastify.js:88:5:88:17 | request.query | parameter | src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | false |
+| src/fastify.js:89:5:89:16 | request.body | body | src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | true |
+| src/fastify.js:90:5:90:18 | request.params | parameter | src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | false |
 test_RouteHandler_getAResponseHeader
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | name | src/fastify.js:42:5:42:33 | reply.h ... value") |
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | name | src/fastify.js:43:5:43:36 | reply.h ... lue" }) |
@@ -22,11 +38,19 @@ test_RouteSetup_getServer
 | src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:1:15:1:34 | require("fastify")() |
 | src/fastify.js:23:1:29:1 | fastify ... e\\n  }\\n) | src/fastify.js:1:15:1:34 | require("fastify")() |
 | src/fastify.js:31:1:47:1 | fastify ... m\\n  }\\n) | src/fastify.js:1:15:1:34 | require("fastify")() |
+| src/fastify.js:52:1:59:1 | fastify ... ;\\n  }\\n) | src/fastify.js:50:27:50:46 | require("fastify")() |
+| src/fastify.js:63:1:70:1 | fastify ... ;\\n  }\\n) | src/fastify.js:61:27:61:46 | require("fastify")() |
+| src/fastify.js:74:1:81:1 | fastify ... ;\\n  }\\n) | src/fastify.js:72:27:72:46 | require("fastify")() |
+| src/fastify.js:85:1:92:1 | fastify ... ;\\n  }\\n) | src/fastify.js:83:27:83:46 | require("fastify")() |
 test_HeaderDefinition_getAHeaderName
 | src/fastify.js:42:5:42:33 | reply.h ... value") | name |
 | src/fastify.js:43:5:43:36 | reply.h ... lue" }) | name |
 test_ServerDefinition
 | src/fastify.js:1:15:1:34 | require("fastify")() |
+| src/fastify.js:50:27:50:46 | require("fastify")() |
+| src/fastify.js:61:27:61:46 | require("fastify")() |
+| src/fastify.js:72:27:72:46 | require("fastify")() |
+| src/fastify.js:83:27:83:46 | require("fastify")() |
 test_HeaderAccess
 | src/fastify.js:39:5:39:24 | request.headers.name | name |
 test_RouteSetup_getARouteHandler
@@ -41,6 +65,10 @@ test_RouteSetup_getARouteHandler
 | src/fastify.js:10:1:21:2 | fastify ... > {}\\n}) | src/fastify.js:20:26:20:47 | (reques ... ) => {} |
 | src/fastify.js:23:1:29:1 | fastify ... e\\n  }\\n) | src/fastify.js:26:17:28:3 | (reques ... nse\\n  } |
 | src/fastify.js:31:1:47:1 | fastify ... m\\n  }\\n) | src/fastify.js:34:17:46:3 | functio ... eam\\n  } |
+| src/fastify.js:52:1:59:1 | fastify ... ;\\n  }\\n) | src/fastify.js:54:17:58:3 | functio ... ms;\\n  } |
+| src/fastify.js:63:1:70:1 | fastify ... ;\\n  }\\n) | src/fastify.js:65:17:69:3 | functio ... ms;\\n  } |
+| src/fastify.js:74:1:81:1 | fastify ... ;\\n  }\\n) | src/fastify.js:76:17:80:3 | functio ... ms;\\n  } |
+| src/fastify.js:85:1:92:1 | fastify ... ;\\n  }\\n) | src/fastify.js:87:17:91:3 | functio ... ms;\\n  } |
 test_RouteHandler
 | src/fastify.js:5:17:7:3 | async ( ... nse\\n  } | src/fastify.js:1:15:1:34 | require("fastify")() |
 | src/fastify.js:13:28:13:55 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
@@ -53,11 +81,27 @@ test_RouteHandler
 | src/fastify.js:20:26:20:47 | (reques ... ) => {} | src/fastify.js:1:15:1:34 | require("fastify")() |
 | src/fastify.js:26:17:28:3 | (reques ... nse\\n  } | src/fastify.js:1:15:1:34 | require("fastify")() |
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | src/fastify.js:1:15:1:34 | require("fastify")() |
+| src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | src/fastify.js:50:27:50:46 | require("fastify")() |
+| src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | src/fastify.js:61:27:61:46 | require("fastify")() |
+| src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | src/fastify.js:72:27:72:46 | require("fastify")() |
+| src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | src/fastify.js:83:27:83:46 | require("fastify")() |
 test_RouteHandler_getARequestExpr
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | src/fastify.js:36:5:36:11 | request |
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | src/fastify.js:37:5:37:11 | request |
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | src/fastify.js:38:5:38:11 | request |
 | src/fastify.js:34:17:46:3 | functio ... eam\\n  } | src/fastify.js:39:5:39:11 | request |
+| src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | src/fastify.js:55:5:55:11 | request |
+| src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | src/fastify.js:56:5:56:11 | request |
+| src/fastify.js:54:17:58:3 | functio ... ms;\\n  } | src/fastify.js:57:5:57:11 | request |
+| src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | src/fastify.js:66:5:66:11 | request |
+| src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | src/fastify.js:67:5:67:11 | request |
+| src/fastify.js:65:17:69:3 | functio ... ms;\\n  } | src/fastify.js:68:5:68:11 | request |
+| src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | src/fastify.js:77:5:77:11 | request |
+| src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | src/fastify.js:78:5:78:11 | request |
+| src/fastify.js:76:17:80:3 | functio ... ms;\\n  } | src/fastify.js:79:5:79:11 | request |
+| src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | src/fastify.js:88:5:88:11 | request |
+| src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | src/fastify.js:89:5:89:11 | request |
+| src/fastify.js:87:17:91:3 | functio ... ms;\\n  } | src/fastify.js:90:5:90:11 | request |
 test_ResponseSendArgument
 | src/fastify.js:6:12:6:29 | { hello: "world" } | src/fastify.js:5:17:7:3 | async ( ... nse\\n  } |
 | src/fastify.js:27:16:27:33 | { hello: "world" } | src/fastify.js:26:17:28:3 | (reques ... nse\\n  } |