hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

recognize access to a query object through function calls

Browse Source
This commit is contained in:
Erik Krogh Kristensen
2020-06-30 15:52:08 +02:00
parent f79299883a
commit ed48efe5b4
1 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
javascript/ql/src/semmle/javascript/frameworks/Express.qll
View File

@@ -463,6 +463,16 @@ module Express {
override RequestSource src; override RequestSource src;
} }
/**
* Gets a reference to the "query" or "params" object from a request-object originating from route-handler `rh`.
*/
DataFlow::SourceNode getAQueryObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
t.startInProp(["params", "query"]) and
result = rh.getARequestSource()
or
exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh).track(t2, t))
}
/** /**
* An access to a user-controlled Express request input. * An access to a user-controlled Express request input.
*/ */
@@ -471,14 +481,13 @@ module Express {
string kind; string kind;
RequestInputAccess() { RequestInputAccess() {
kind = "parameter" and
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh).getAPropertyRead()
or
exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() | exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() |
kind = "parameter" and kind = "parameter" and
(
this = request.getAMethodCall("param") this = request.getAMethodCall("param")
or or
this = request.getAPropertyRead(["params", "query"]).getAPropertyRead()
)
or
// `req.originalUrl` // `req.originalUrl`
kind = "url" and kind = "url" and
this = request.getAPropertyRead("originalUrl") this = request.getAPropertyRead("originalUrl")