From e54789d1bdf33d3200b380d373ce60a910d317c5 Mon Sep 17 00:00:00 2001 From: Asger F Date: Wed, 26 Nov 2025 10:33:20 +0100 Subject: [PATCH] JS: Recognise route.ts outside api folder --- .../ql/lib/semmle/javascript/frameworks/Next.qll | 15 +++++++++++++-- .../CWE-079/ReflectedXss/ReflectedXss.expected | 6 ++++++ .../ReflectedXssWithCustomSanitizer.expected | 1 + .../CWE-079/ReflectedXss/app/blah/route.ts | 4 ++-- 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index a65fcdce44d..bdbc18d30f3 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -32,6 +32,12 @@ module NextJS { private Folder apiRoot() { result = [pagesRoot(), appRoot()].getFolder("api") } + private Folder appFolder() { + result = appRoot() + or + result = appFolder().getAFolder() + } + /** * Gets a "pages" folder in a `Next.js` application. * JavaScript files inside these folders are mapped to routes. @@ -300,8 +306,13 @@ module NextJS { class NextAppRouteHandler extends DataFlow::FunctionNode, Http::Servers::StandardRouteHandler { NextAppRouteHandler() { exists(Module mod | - mod.getFile().getParentContainer() = apiFolder() or - mod.getFile().getStem() = "middleware" + ( + mod.getFile().getParentContainer() = apiFolder() + or + mod.getFile().getStem() = "middleware" + or + mod.getFile().getStem() = "route" and mod.getFile().getParentContainer() = appFolder() + ) | this = mod.getAnExportedValue([any(Http::RequestMethodName m), "middleware"]).getAFunctionValue() diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index b488018d09d..123ceaecf79 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected @@ -35,6 +35,7 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/blah/route.ts:3:25:3:27 | url | app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to a $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value | @@ -154,6 +155,8 @@ edges | app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:31:27:31:30 | body | provenance | | | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:12 | body | provenance | | | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance | | +| app/blah/route.ts:2:11:2:13 | url | app/blah/route.ts:3:25:3:27 | url | provenance | | +| app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:2:11:2:13 | url | provenance | | | etherpad.js:9:5:9:12 | response | etherpad.js:11:12:11:19 | response | provenance | | | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:12 | response | provenance | | | formatting.js:4:9:4:12 | evil | formatting.js:6:43:6:46 | evil | provenance | | @@ -367,6 +370,9 @@ nodes | app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body | | app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body | +| app/blah/route.ts:2:11:2:13 | url | semmle.label | url | +| app/blah/route.ts:2:17:2:23 | req.url | semmle.label | req.url | +| app/blah/route.ts:3:25:3:27 | url | semmle.label | url | | app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url | | app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url | | etherpad.js:9:5:9:12 | response | semmle.label | response | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index 2dceb5fa807..b130f70a22f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected @@ -34,6 +34,7 @@ | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value | | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value | | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value | | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts index 292accde9d7..0410915513f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts @@ -1,4 +1,4 @@ export async function GET(req: Request) { - const url = req.url; // $ MISSING: Source - return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ MISSING: Alert + const url = req.url; // $ Source + return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ Alert }