JS: model firebase-functions/https.onRequest

Esben Sparre Andreasen
2019-04-02 16:04:29 +02:00
parent 54b4e59d12
commit f23a5a5fee
9 changed files with 52 additions and 0 deletions


@@ -4,6 +4,7 @@
* Support for the following frameworks and libraries has been improved:
- [socket.io](http://socket.io)
- [Firebase](https://firebase.google.com/)
* The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages intcluding [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).


@@ -215,6 +215,40 @@ module Firebase {
result = getArgument(0)
}
}
/**
* A call to a Firebase method that sets up a route.
*/
private class RouteSetup extends HTTP::Servers::StandardRouteSetup, CallExpr {
RouteSetup() { this = namespace().getAPropertyRead("https").getAMemberCall("onRequest").asExpr() }
override DataFlow::SourceNode getARouteHandler() {
result = getARouteHandler(DataFlow::TypeBackTracker::end())
}
private DataFlow::SourceNode getARouteHandler(DataFlow::TypeBackTracker t) {
t.start() and
result = getArgument(0).flow().getALocalSource()
or
exists(DataFlow::TypeBackTracker t2 | result = getARouteHandler(t2).backtrack(t2, t))
}
override Expr getServer() { none() }
}
/**
* A function used as a route handler.
*/
private class RouteHandler extends Express::RouteHandler, HTTP::Servers::StandardRouteHandler,
DataFlow::ValueNode {
RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }
override SimpleParameter getRouteHandlerParameter(string kind) {
kind = "request" and result = this.(DataFlow::FunctionNode).getParameter(0).getParameter() or
kind = "response" and result = this.(DataFlow::FunctionNode).getParameter(1).getParameter()
}
}
}
/**
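Review bot: `RouteHandler`'s characteristic predicate accepts every source node that `getARouteHandler()` back-tracks to, but `getRouteHandlerParameter` only yields results through the `this.(DataFlow::FunctionNode)` cast, so a non-function source (for example an imported or call-returned handler) would presumably be reported as a route handler with no request or response parameter. Consider restricting the class with `RouteHandler() { this = any(RouteSetup setup).getARouteHandler() and this instanceof DataFlow::FunctionNode }`, or state the limitation in the QLDoc. The doc comment could also say why the Express model is reused, e.g. `* Firebase passes Express-style request and response objects to the handler.`, and `override Expr getServer() { none() }` deserves a one-line comment that no server expression exists for this API. The enclosing `module Firebase` starts outside the hunk.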


@@ -0,0 +1 @@
| tst.js:72:52:72:65 | req.params.foo |


@@ -0,0 +1,4 @@
import javascript
from HTTP::RequestInputAccess ria
select ria


@@ -0,0 +1 @@
| tst.js:72:52:72:65 | req.params.foo |


@@ -0,0 +1,4 @@
import javascript
from HTTP::ResponseSendArgument send
select send


@@ -0,0 +1 @@
| tst.js:72:27:72:69 | (req, r ... foo); } |


@@ -0,0 +1,4 @@
import javascript
from HTTP::RouteHandler rh
select rh


@@ -68,3 +68,5 @@ class Box {
let box1 = new Box(fb.database());
let box2 = new Box(whatever());
box2.x.ref(); // not a firebase ref
functions.https.onRequest((req, res) => { res.send(req.params.foo); });
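Review bot: The added `functions.https.onRequest((req, res) => { res.send(req.params.foo); });` exercises only an inline arrow function, so the `TypeBackTracker` branch of `getARouteHandler` in the Firebase model is not covered by the new expectations. A case where the handler is defined separately and passed by reference, such as `function handler(req, res) { res.send(req.query.bar); }` followed by `functions.https.onRequest(handler);`, would pin that path and a second kind of request input. `functions` is bound outside the hunk, presumably to the `firebase-functions` import.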