JS: Exclude error handling from auth calls

2026-04-30 19:26:02 +02:00 · 2021-10-12 10:23:50 +02:00
parent 400bf10cc3
commit d0e94e655d
2 changed files with 7 additions and 2 deletions
--- a/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
+++ b/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
@@ -147,8 +147,8 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
  AuthorizationCall() {
    exists(string s | s = this.getCalleeName() |
      // name contains `login` or `auth`, but not as part of `loginfo` or `unauth`;
-      // also exclude `author`
-      s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify).*") and
+      // also exclude `author` and words followed by `err` (as in `error`)
+      s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify)(?!err).*") and
      // but it does not start with `get` or `set`
      not s.regexpMatch("(?i)(get|set).*")
    )
--- a/javascript/ql/test/query-tests/Security/CWE-770/tst.js
+++ b/javascript/ql/test/query-tests/Security/CWE-770/tst.js
@@ -77,3 +77,8 @@ express().get('/:path', catchAsync(expensiveHandler1)); // NOT OK
 express().get('/:path', rateLimiterMiddleware, catchAsync(expensiveHandler1)); // OK
 express().get('/:path', catchAsync(rateLimiterMiddleware), expensiveHandler1); // OK
 express().get('/:path', catchAsync(rateLimiterMiddleware), catchAsync(expensiveHandler1)); // OK
+
+function errorHandler(req, res, next) {
+  next(makeOAuthError(req, res));
+}
+express().use(errorHandler); // OK - does not perform authentication