JS: Type track mssql model

2026-04-26 17:25:19 +02:00 · 2020-05-15 17:07:29 +01:00
parent 6dcee5a0ef
commit d225715828
3 changed files with 33 additions and 12 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -270,15 +270,27 @@ private module Sqlite {
 */
 private module MsSql {
  /** Gets a reference to the `mssql` module. */
-  DataFlow::ModuleImportNode mssql() { result.getPath() = "mssql" }
+  DataFlow::SourceNode mssql() { result = DataFlow::moduleImport("mssql") }

-  /** Gets an expression that creates a request object. */
-  DataFlow::SourceNode request() {
-    // new require('mssql').Request()
-    result = mssql().getAConstructorInvocation("Request")
+  /** Gets a data flow node referring to a request object. */
+  private DataFlow::SourceNode request(DataFlow::TypeTracker t) {
+    t.start() and
+    (
+      // new require('mssql').Request()
+      result = mssql().getAConstructorInvocation("Request")
+      or
+      // request.input(...)
+      result = request().getAMethodCall("input")
+    )
    or
-    // request.input(...)
-    result = request().getAMethodCall("input")
+    exists(DataFlow::TypeTracker t2 |
+      result = request(t2).track(t2, t)
+    )
+  }
+  
+  /** Gets a data flow node referring to a request object. */
+  DataFlow::SourceNode request() {
+    result = request(DataFlow::TypeTracker::end())
  }

  /** A tagged template evaluated as a query. */
@@ -293,15 +305,13 @@ private module MsSql {
  }

  /** A call to a MsSql query method. */
-  private class QueryCall extends DatabaseAccess, DataFlow::ValueNode {
-    override MethodCallExpr astNode;
-
+  private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
    QueryCall() {
-      exists(string meth | this = request().getAMethodCall(meth) | meth = "query" or meth = "batch")
+      this = request().getAMethodCall(["query", "batch"])
    }

    override DataFlow::Node getAQueryArgument() {
-      result = DataFlow::valueNode(astNode.getArgument(0))
+      result = getArgument(0)
    }
  }

--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -2,6 +2,7 @@
 | mssql1.js:7:75:7:79 | value |
 | mssql2.js:5:15:5:34 | 'select 1 as number' |
 | mssql2.js:13:15:13:66 | 'create ...  table' |
+| mssql2.js:22:24:22:43 | 'select 1 as number' |
 | mysql1.js:13:18:13:43 | 'SELECT ... lution' |
 | mysql1.js:18:18:22:1 | {\\n    s ... vid']\\n} |
 | mysql2.js:12:12:12:37 | 'SELECT ... lution' |
--- a/javascript/ql/test/library-tests/frameworks/SQL/mssql2.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/mssql2.js
@@ -13,3 +13,13 @@ request.query('select 1 as number', (err, result) => {
 request.batch('create procedure #temporary as select * from table', (err, result) => {
    // ... error checks
 })
+
+class C {
+    constructor(req) {
+        this.req = req;
+    }
+    send() {
+        this.req.query('select 1 as number', (err, result) => {})
+    }
+}
+new C(new sql.Request());