JS: Recognise route.ts outside api folder

2026-02-11 20:51:06 +01:00 · 2025-11-26 10:33:20 +01:00
parent f52f5b63e6
commit e54789d1bd
4 changed files with 22 additions and 4 deletions
--- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -32,6 +32,12 @@ module NextJS {

  private Folder apiRoot() { result = [pagesRoot(), appRoot()].getFolder("api") }

+  private Folder appFolder() {
+    result = appRoot()
+    or
+    result = appFolder().getAFolder()
+  }
+
  /**
   * Gets a "pages" folder in a `Next.js` application.
   * JavaScript files inside these folders are mapped to routes.
@@ -300,8 +306,13 @@ module NextJS {
  class NextAppRouteHandler extends DataFlow::FunctionNode, Http::Servers::StandardRouteHandler {
    NextAppRouteHandler() {
      exists(Module mod |
-        mod.getFile().getParentContainer() = apiFolder() or
-        mod.getFile().getStem() = "middleware"
+        (
+          mod.getFile().getParentContainer() = apiFolder()
+          or
+          mod.getFile().getStem() = "middleware"
+          or
+          mod.getFile().getStem() = "route" and mod.getFile().getParentContainer() = appFolder()
+        )
      |
        this =
          mod.getAnExportedValue([any(Http::RequestMethodName m), "middleware"]).getAFunctionValue()
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -35,6 +35,7 @@
 | app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
+| app/blah/route.ts:3:25:3:27 | url | app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to a $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value |
 | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
 | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
@@ -154,6 +155,8 @@ edges
 | app/api/routeNextRequest.ts:4:9:4:12 | body | app/api/routeNextRequest.ts:31:27:31:30 | body | provenance |  |
 | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:12 | body | provenance |  |
 | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance |  |
+| app/blah/route.ts:2:11:2:13 | url | app/blah/route.ts:3:25:3:27 | url | provenance |  |
+| app/blah/route.ts:2:17:2:23 | req.url | app/blah/route.ts:2:11:2:13 | url | provenance |  |
 | etherpad.js:9:5:9:12 | response | etherpad.js:11:12:11:19 | response | provenance |  |
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:12 | response | provenance |  |
 | formatting.js:4:9:4:12 | evil | formatting.js:6:43:6:46 | evil | provenance |  |
@@ -367,6 +370,9 @@ nodes
 | app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body |
 | app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body |
 | app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body |
+| app/blah/route.ts:2:11:2:13 | url | semmle.label | url |
+| app/blah/route.ts:2:17:2:23 | req.url | semmle.label | req.url |
+| app/blah/route.ts:3:25:3:27 | url | semmle.label | url |
 | app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url |
 | app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url |
 | etherpad.js:9:5:9:12 | response | semmle.label | response |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -34,6 +34,7 @@
 | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
+| app/blah/route.ts:3:25:3:27 | url | Cross-site scripting vulnerability due to $@. | app/blah/route.ts:2:17:2:23 | req.url | user-provided value |
 | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
 | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts
@@ -1,4 +1,4 @@
 export async function GET(req: Request) {
-    const url = req.url; // $ MISSING: Source
-    return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ MISSING: Alert
+    const url = req.url; // $ Source
+    return new Response(url, { headers: { "Content-Type": "text/html" } }); // $ Alert
 }