JS: Add template steps for res.locals.x

2026-04-30 19:26:02 +02:00 · 2021-10-07 12:19:21 +02:00
parent 5269933461
commit cfb9265f0a
2 changed files with 33 additions and 0 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -1038,6 +1038,10 @@ module Express {

    override DataFlow::Node getTemplateParamsNode() { result = this.getArgument(1) }

+    override DataFlow::Node getTemplateParamForValue(string accessPath) {
+      result = res.(Routing::RouteHandlerInput).getValueFromAccessPath("locals." + accessPath)
+    }
+
    override DataFlow::SourceNode getOutput() { result = this.getCallback(2).getParameter(1) }
  }
 }
--- a/javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
@@ -158,6 +158,17 @@ module Templating {
    DataFlow::SourceNode getAVariableUse(string name) {
      result = this.getScope().getVariable(name).getAnAccess().flow()
    }
+
+    /** Gets a data flow node corresponding to a use of the given template variable within this top-level. */
+    DataFlow::SourceNode getAnAccessPathUse(string accessPath) {
+      result = getAVariableUse(accessPath)
+      or
+      exists(string varName, string suffix |
+        accessPath = varName + "." + suffix and
+        suffix != "" and
+        result = AccessPath::getAReferenceTo(getAVariableUse(varName), suffix)
+      )
+    }
  }

  /**
@@ -177,6 +188,11 @@ module Templating {
    /** Gets a data flow node that refers to an object whose properties become variables in the template. */
    DataFlow::Node getTemplateParamsNode() { result = range.getTemplateParamsNode() }

+    /** Gets a data flow node that provides the value for the template variable at the given access path. */
+    DataFlow::Node getTemplateParamForValue(string accessPath) {
+      result = range.getTemplateParamForValue(accessPath)
+    }
+
    /** Gets the template file instantiated here, if any. */
    TemplateFile getTemplateFile() {
      result = this.getTemplateFileNode().(TemplateFileReference).getTemplateFile()
@@ -202,6 +218,9 @@ module Templating {
      /** Gets a data flow node that refers to an object whose properties become variables in the template. */
      abstract DataFlow::Node getTemplateParamsNode();

+      /** Gets a data flow node that provides the value for the template variable at the given access path. */
+      DataFlow::Node getTemplateParamForValue(string accessPath) { none() }
+
      /**
       * Gets the template syntax used by this template instantiation, if known.
       *
@@ -224,6 +243,16 @@ module Templating {
            .getAVariableUse(name)
    )
    or
+    exists(TemplateInstantiation inst, string accessPath |
+      result.getARhs() = inst.getTemplateParamForValue(accessPath) and
+      succ =
+        inst.getTemplateFile()
+            .getAnImportedFile*()
+            .getAPlaceholder()
+            .getInnerTopLevel()
+            .getAnAccessPathUse(accessPath)
+    )
+    or
    exists(string prop, DataFlow::SourceNode prev |
      result = getTemplateInput(prev).getMember(prop) and
      succ = prev.getAPropertyRead(prop)