hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #310 from esben-semmle/js/additional-client-request-data-nodes

Browse Source 
Approved by xiemaisi
This commit is contained in:
semmle-qlci
2018-10-16 12:59:22 +01:00
committed by GitHub
parent e319159a59 870811a509
commit e55eaefded
14 changed files with 139 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
javascript/ql/src/semmle/javascript/dataflow/Sources.qll
View File

@@ -131,6 +131,26 @@ abstract class SourceNode extends DataFlow::Node {
)
}
/**
* Gets a method call that invokes a method on this node.
*
* This includes only calls that have the syntactic shape of a method call,
* that is, `o.m(...)` or `o[p](...)`.
*/
DataFlow::CallNode getAMethodCall() {
result = getAMethodCall(_)
}
/**
* Gets a chained method call that invokes `methodName` last.
*
* The chain steps include only calls that have the syntactic shape of a method call,
* that is, `o.m(...)` or `o[p](...)`.
*/
DataFlow::CallNode getAChainedMethodCall(string methodName) {
result = getAMethodCall*().getAMethodCall(methodName)
}
/**
* Gets a `new` call that invokes constructor `constructorName` on this node.
*/

50
javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
View File

@@ -116,31 +116,36 @@ private class RequestUrlRequest extends CustomClientRequest {
*/
private class AxiosUrlRequest extends CustomClientRequest {
DataFlow::Node url;
string method;
AxiosUrlRequest() {
exists (string moduleName, DataFlow::SourceNode callee |
this = callee.getACall() |
moduleName = "axios" and
(
callee = DataFlow::moduleImport(moduleName) or
callee = DataFlow::moduleMember(moduleName, httpMethodName()) or
callee = DataFlow::moduleMember(moduleName, "request")
) and
(
url = getArgument(0) or
// depends on the method name and the call arity, over-approximating slightly in the name of simplicity
url = getOptionArgument([0..2], urlPropertyName())
callee = DataFlow::moduleImport(moduleName) and method = "request" or
callee = DataFlow::moduleMember(moduleName, method) and (method = httpMethodName() or method = "request")
)
)
}
override DataFlow::Node getUrl() {
result = url
result = getArgument(0) or
// depends on the method name and the call arity, over-approximating slightly in the name of simplicity
result = getOptionArgument([0..2], urlPropertyName())
}
override DataFlow::Node getADataNode() {
none()
method = "request" and
result = getOptionArgument(0, "data")
or
(method = "post" or method = "put" or method = "put") and
(result = getArgument(1) or result = getOptionArgument(2, "data"))
or
exists (string name |
name = "headers" or name = "params"|
result = getOptionArgument([0..2], name)
)
}
}
@@ -175,7 +180,10 @@ private class FetchUrlRequest extends CustomClientRequest {
}
override DataFlow::Node getADataNode() {
none()
exists (string name |
name = "headers" or name = "body" |
result = getOptionArgument(1, name)
)
}
}
@@ -185,8 +193,6 @@ private class FetchUrlRequest extends CustomClientRequest {
*/
private class GotUrlRequest extends CustomClientRequest {
DataFlow::Node url;
GotUrlRequest() {
exists (string moduleName, DataFlow::SourceNode callee |
this = callee.getACall() |
@@ -194,17 +200,20 @@ private class GotUrlRequest extends CustomClientRequest {
(
callee = DataFlow::moduleImport(moduleName) or
callee = DataFlow::moduleMember(moduleName, "stream")
) and
url = getArgument(0) and not exists (getOptionArgument(1, "baseUrl"))
)
)
}
override DataFlow::Node getUrl() {
result = url
result = getArgument(0) and
not exists (getOptionArgument(1, "baseUrl"))
}
override DataFlow::Node getADataNode() {
none()
exists (string name |
name = "headers" or name = "body" or name = "query" |
result = getOptionArgument(1, name)
)
}
}
@@ -230,7 +239,10 @@ private class SuperAgentUrlRequest extends CustomClientRequest {
}
override DataFlow::Node getADataNode() {
none()
exists (string name |
name = "set" or name = "send" or name = "query" |
result = this.getAChainedMethodCall(name).getAnArgument()
)
}
}

29
javascript/ql/src/semmle/javascript/frameworks/Electron.qll
View File

@@ -49,32 +49,14 @@ module Electron {
}
}
/**
* A Node.js-style HTTP or HTTPS request made using `electron.net`, for example `net.request(url)`.
*/
private class NetRequest extends CustomElectronClientRequest {
NetRequest() {
this = DataFlow::moduleMember("electron", "net").getAMemberCall("request")
}
override DataFlow::Node getUrl() {
result = getArgument(0) or
result = getOptionArgument(0, "url")
}
override DataFlow::Node getADataNode() {
none()
}
}
/**
* A Node.js-style HTTP or HTTPS request made using `electron.client`, for example `new client(url)`.
* A Node.js-style HTTP or HTTPS request made using `electron.ClientRequest`.
*/
private class NewClientRequest extends CustomElectronClientRequest {
NewClientRequest() {
this = DataFlow::moduleMember("electron", "ClientRequest").getAnInstantiation()
this = DataFlow::moduleMember("electron", "ClientRequest").getAnInstantiation() or
this = DataFlow::moduleMember("electron", "net").getAMemberCall("request") // alias
}
override DataFlow::Node getUrl() {
@@ -83,7 +65,10 @@ module Electron {
}
override DataFlow::Node getADataNode() {
none()
exists (string name |
name = "write" or name = "end" |
result =this.(DataFlow::SourceNode).getAMethodCall(name).getArgument(0)
)
}
}

5
javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
View File

@@ -740,7 +740,10 @@ module NodeJSLib {
}
override DataFlow::Node getADataNode() {
result = getAMethodCall("write").getArgument(0)
exists (string name |
name = "write" or name = "end" |
result =this.(DataFlow::SourceNode).getAMethodCall(name).getArgument(0)
)
}
}