add step from getStaticProps to the component render function

2026-04-28 02:05:14 +02:00 · 2021-02-15 16:16:43 +01:00
parent 9d7bb57d8a
commit d63fcaf7f1
2 changed files with 24 additions and 1 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Next.qll
@@ -23,13 +23,18 @@ private module NextJS {
    result = getAPagesFolder().getAFolder()
  }

+  /**
+   * Gets a module corrosponding to a `Next.js` page.
+   */
+  Module getAPagesModule() { result.getFile().getParentContainer() = getAPagesFolder() }
+
  /**
   * Gets a module inside a "pages" folder where `fallback` from `getStaticPaths` is not set to false.
   * In such a module the `getStaticProps` method can be called with user-defined parameters.
   * If `fallback` is set to false, then only values defined by `getStaticPaths` are allowed.
   */
  Module getAModuleWithFallbackPaths() {
-    result.getFile().getParentContainer() = getAPagesFolder() and
+    result = getAPagesModule() and
    exists(DataFlow::FunctionNode staticPaths, Expr fallback |
      staticPaths = result.getAnExportedValue("getStaticPaths").getAFunctionValue() and
      fallback =
@@ -53,4 +58,21 @@ private module NextJS {

    override string getSourceType() { result = "Next request parameter" }
  }
+
+  /**
+   * A step modelling the flow from the server-computed `getStaticProps` to the server/client rendering of the page.
+   */
+  class NextJSStaticPropsStep extends DataFlow::AdditionalFlowStep, DataFlow::FunctionNode {
+    Module pageModule;
+
+    NextJSStaticPropsStep() {
+      pageModule = getAPagesModule() and
+      this = pageModule.getAnExportedValue("getStaticProps").getAFunctionValue()
+    }
+
+    override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      pred = this.getAReturn().getALocalSource().getAPropertyWrite("props").getRhs() and
+      succ = pageModule.getAnExportedValue("default").getAFunctionValue().getParameter(0)
+    }
+  }
 }