JS: Refactor RequestInputAccess to use source nodes
@@ -461,28 +461,21 @@ module Express {
|
|||||||
string kind;
|
string kind;
|
||||||
|
|
||||||
RequestInputAccess() {
|
RequestInputAccess() {
|
||||||
exists(DataFlow::Node request | request = DataFlow::valueNode(rh.getARequestExpr()) |
|
exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() |
|
||||||
kind = "parameter" and
|
kind = "parameter" and
|
||||||
(
|
(
|
||||||
this.(DataFlow::MethodCallNode).calls(request, "param")
|
this = request.getAMethodCall("param")
|
||||||
or
|
or
|
||||||
exists(DataFlow::PropRead base, string propName |
|
this = request.getAPropertyRead(["params", "query"]).getAPropertyRead()
|
||||||
// `req.params.name` or `req.query.name`
|
|
||||||
base.accesses(request, propName) and
|
|
||||||
this = base.getAPropertyReference(_)
|
|
||||||
|
|
|
||||||
propName = "params" or
|
|
||||||
propName = "query"
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
// `req.originalUrl`
|
// `req.originalUrl`
|
||||||
kind = "url" and
|
kind = "url" and
|
||||||
this.(DataFlow::PropRef).accesses(request, "originalUrl")
|
this = request.getAPropertyRead("originalUrl")
|
||||||
or
|
or
|
||||||
// `req.cookies`
|
// `req.cookies`
|
||||||
kind = "cookie" and
|
kind = "cookie" and
|
||||||
this.(DataFlow::PropRef).accesses(request, "cookies")
|
this = request.getAPropertyRead("cookies")
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
kind = "body" and
|
kind = "body" and
|
||||||
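Review bot: The comment explaining the `params`/`query` disjunct was dropped along with the old `exists(DataFlow::PropRead base, string propName | ...)` block, and the replacement `this = request.getAPropertyRead(["params", "query"]).getAPropertyRead()` is broader than that comment described. With no name argument it also matches computed reads, which appears to be why the expected output gains `req.query[foo]`. Because this class models user-controlled request input, the wider match should be stated next to the line, for example `// `req.params.x` or `req.query.x`, including computed reads such as `req.query[x]``. The old `originalUrl` and `cookies` cases went through `DataFlow::PropRef`, which presumably also covered property writes, while the new `getAPropertyRead` calls cover reads only, so it is worth confirming that no query relied on the write case. The characteristic predicate continues past the end of this hunk (`kind = "body" and` onwards).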
|
|||||||
@@ -204,6 +204,24 @@ module HTTP {
|
|||||||
*/
|
*/
|
||||||
abstract HeaderDefinition getAResponseHeader(string name);
|
abstract HeaderDefinition getAResponseHeader(string name);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a request object originating from this route handler.
|
||||||
|
*
|
||||||
|
* Use `RequestSource.ref()` to get reference to this request object.
|
||||||
|
*/
|
||||||
|
final Servers::RequestSource getARequestSource() {
|
||||||
|
result.getRouteHandler() = this
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a request object originating from this route handler.
|
||||||
|
*
|
||||||
|
* Use `RequestSource.ref()` to get reference to this request object.
|
||||||
|
*/
|
||||||
|
final Servers::ResponseSource getAResponseSource() {
|
||||||
|
result.getRouteHandler() = this
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets an expression that contains a request object handled
|
* Gets an expression that contains a request object handled
|
||||||
* by this handler.
|
* by this handler.
|
||||||
@@ -296,7 +314,9 @@ module HTTP {
|
|||||||
*/
|
*/
|
||||||
abstract RouteHandler getRouteHandler();
|
abstract RouteHandler getRouteHandler();
|
||||||
|
|
||||||
predicate flowsTo(DataFlow::Node nd) { ref(DataFlow::TypeTracker::end()).flowsTo(nd) }
|
/** DEPRECATED. Use `ref().flowsTo()` instead. */
|
||||||
|
deprecated
|
||||||
|
predicate flowsTo(DataFlow::Node nd) { ref().flowsTo(nd) }
|
||||||
|
|
||||||
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
|
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
|
||||||
t.start() and
|
t.start() and
|
||||||
@@ -304,6 +324,11 @@ module HTTP {
|
|||||||
or
|
or
|
||||||
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
|
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Gets a `SourceNode` that refers to this request object. */
|
||||||
|
DataFlow::SourceNode ref() {
|
||||||
|
result = ref(DataFlow::TypeTracker::end())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -317,7 +342,8 @@ module HTTP {
|
|||||||
*/
|
*/
|
||||||
abstract RouteHandler getRouteHandler();
|
abstract RouteHandler getRouteHandler();
|
||||||
|
|
||||||
predicate flowsTo(DataFlow::Node nd) { ref(DataFlow::TypeTracker::end()).flowsTo(nd) }
|
/** DEPRECATED. Use `ref().flowsTo()` instead. */
|
||||||
|
predicate flowsTo(DataFlow::Node nd) { ref().flowsTo(nd) }
|
||||||
|
|
||||||
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
|
private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
|
||||||
t.start() and
|
t.start() and
|
||||||
@@ -325,6 +351,11 @@ module HTTP {
|
|||||||
or
|
or
|
||||||
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
|
exists(DataFlow::TypeTracker t2 | result = ref(t2).track(t2, t))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Gets a `SourceNode` that refers to this response object. */
|
||||||
|
DataFlow::SourceNode ref() {
|
||||||
|
result = ref(DataFlow::TypeTracker::end())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -333,7 +364,7 @@ module HTTP {
|
|||||||
class StandardRequestExpr extends RequestExpr {
|
class StandardRequestExpr extends RequestExpr {
|
||||||
RequestSource src;
|
RequestSource src;
|
||||||
|
|
||||||
StandardRequestExpr() { src.flowsTo(DataFlow::valueNode(this)) }
|
StandardRequestExpr() { src.ref().flowsTo(DataFlow::valueNode(this)) }
|
||||||
|
|
||||||
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
||||||
}
|
}
|
||||||
@@ -344,7 +375,7 @@ module HTTP {
|
|||||||
class StandardResponseExpr extends ResponseExpr {
|
class StandardResponseExpr extends ResponseExpr {
|
||||||
ResponseSource src;
|
ResponseSource src;
|
||||||
|
|
||||||
StandardResponseExpr() { src.flowsTo(DataFlow::valueNode(this)) }
|
StandardResponseExpr() { src.ref().flowsTo(DataFlow::valueNode(this)) }
|
||||||
|
|
||||||
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
override RouteHandler getRouteHandler() { result = src.getRouteHandler() }
|
||||||
}
|
}
|
||||||
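Review bot: The rewritten `flowsTo` in hunk `@@ -317,7 +342,8 @@` (apparently the response source class) gets the `/** DEPRECATED. Use `ref().flowsTo()` instead. */` comment but not the `deprecated` annotation that its request-side counterpart receives in hunk `@@ -296,7 +314,9 @@`. Callers of the response-side predicate would therefore see no deprecation warning; add `deprecated` on the line before `predicate flowsTo(DataFlow::Node nd) { ref().flowsTo(nd) }`. Separately, the QLDoc on `getAResponseSource()` in hunk `@@ -204,6 +204,24 @@` is a copy of the request one and should read `Gets a response object originating from this route handler.` and `Use `ResponseSource.ref()` to get reference to this response object.`. The enclosing class bodies start and end outside these hunks.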
|
|||||||
@@ -279,6 +279,8 @@ test_RequestInputAccess
|
|||||||
| src/express3.js:5:35:5:50 | req.param("val") | parameter | src/express3.js:4:23:7:1 | functio ... al");\\n} |
|
| src/express3.js:5:35:5:50 | req.param("val") | parameter | src/express3.js:4:23:7:1 | functio ... al");\\n} |
|
||||||
| src/express4.js:5:9:5:11 | foo | parameter | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
|
| src/express4.js:5:9:5:11 | foo | parameter | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
|
||||||
| src/express4.js:5:14:5:21 | bar: baz | parameter | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
|
| src/express4.js:5:14:5:21 | bar: baz | parameter | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
|
||||||
|
| src/express4.js:6:18:6:31 | req.query[foo] | parameter | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
|
||||||
|
| src/express4.js:7:18:7:39 | req.que ... hing()] | parameter | src/express4.js:4:23:9:1 | functio ... ic1);\\n} |
|
||||||
| src/express.js:5:16:5:34 | req.param("target") | parameter | src/express.js:4:23:9:1 | functio ... res);\\n} |
|
| src/express.js:5:16:5:34 | req.param("target") | parameter | src/express.js:4:23:9:1 | functio ... res);\\n} |
|
||||||
| src/express.js:6:26:6:44 | req.param("target") | parameter | src/express.js:4:23:9:1 | functio ... res);\\n} |
|
| src/express.js:6:26:6:44 | req.param("target") | parameter | src/express.js:4:23:9:1 | functio ... res);\\n} |
|
||||||
| src/express.js:23:3:23:10 | req.body | body | src/express.js:22:30:32:1 | functio ... ar');\\n} |
|
| src/express.js:23:3:23:10 | req.body | body | src/express.js:22:30:32:1 | functio ... ar');\\n} |
|
||||||
|
|||||||