JavaScript: Add model of http2 compatibility API.

Also deprecated the `httpOrHttps` predicate, which was now only used in one place and seemed a little pointless anyway.
2025-12-21 19:26:31 +01:00 · 2020-02-10 09:42:23 +00:00
parent da566a4484
commit f181111886
5 changed files with 29 additions and 6 deletions
--- a/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll
@@ -119,8 +119,11 @@ module HTTP {
  }

  /**
+   * DEPRECATED: Use `http` or `https` directly as appropriate.
+   *
   * Gets the string `http` or `https`.
   */
+  deprecated
  string httpOrHttps() { result = "http" or result = "https" }

  /**
--- a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -42,7 +42,18 @@ module NodeJSLib {
   * Holds if `call` is an invocation of `http.createServer` or `https.createServer`.
   */
  predicate isCreateServer(CallExpr call) {
-    call = DataFlow::moduleMember(HTTP::httpOrHttps(), "createServer").getAnInvocation().asExpr()
+    exists(string pkg, string fn |
+      pkg = "http" and fn = "createServer"
+      or
+      pkg = "https" and fn = "createServer"
+      or
+      // http2 compatibility API
+      pkg = "http2" and fn = "createServer"
+      or
+      pkg = "http2" and fn = "createSecureServer"
+    |
+      call = DataFlow::moduleMember(pkg, fn).getAnInvocation().asExpr()
+    )
  }

  /**
@@ -356,10 +367,12 @@ module NodeJSLib {
  /** An expression that is passed as `http.request({ auth: <expr> }, ...)`. */
  class Credentials extends CredentialsExpr {
    Credentials() {
-      this = DataFlow::moduleMember(HTTP::httpOrHttps(), "request")
-            .getACall()
-            .getOptionArgument(0, "auth")
-            .asExpr()
+      exists(string http | http = "http" or http = "https" |
+        this = DataFlow::moduleMember(http, "request")
+              .getACall()
+              .getOptionArgument(0, "auth")
+              .asExpr()
+      )
    }

    override string getCredentialsKind() { result = "credentials" }
@@ -881,7 +894,6 @@ module NodeJSLib {
    override string getSourceType() { result = "NodeJSClientRequest error event" }
  }

-
  /**
   * An NodeJS EventEmitter instance.
   * Events dispatched on this EventEmitter will be handled by event handlers registered on this EventEmitter.