Moved apollo modeling to MaD

2025-12-16 16:53:25 +01:00 · 2025-07-31 10:53:03 +02:00
parent 84ffbbec33
commit fd4233e30e
3 changed files with 14 additions and 38 deletions
--- a/javascript/ql/lib/ext/apollo-server.model.yml
+++ b/javascript/ql/lib/ext/apollo-server.model.yml
@@ -5,6 +5,12 @@ extensions:
    data:
      - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].AnyMember.AnyMember.AnyMember.Parameter[1]", "remote"]

+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"]
+
  - addsTo:
      pack: codeql/javascript-all
      extensible: typeModel
@@ -13,3 +19,9 @@ extensions:
      - ["@apollo/server", "apollo-server-express", ""]
      - ["@apollo/server", "apollo-server-core", ""]
      - ["@apollo/server", "apollo-server", ""]
+      - ["@apollo/server", "@apollo/apollo-server-express", ""]
+      - ["@apollo/server", "apollo-server-express", ""]
+      - ["@apollo/server", "@apollo/server", ""]
+      - ["@apollo/server", "@apollo/apollo-server-core", ""]
+      - ["ApolloServer", "@apollo/server", "Member[ApolloServer]"]
+      - ["GraphQLApollo", "@apollo/server", "Member[gql]"]
--- a/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Apollo.qll
@@ -1,36 +0,0 @@
-/**
- * Provides classes for working with Apollo GraphQL connectors.
- */
-
-import javascript
-
-/** Provides classes modeling the apollo packages [@apollo/server](https://npmjs.com/package/@apollo/server`) */
-module Apollo {
-  /** Get a reference to the `ApolloServer` class. */
-  private API::Node apollo() {
-    result =
-      API::moduleImport([
-          "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core",
-          "apollo-server", "apollo-server-express"
-        ]).getMember("ApolloServer")
-  }
-
-  /** Gets a reference to the `gql` function that parses GraphQL strings. */
-  private API::Node gql() {
-    result =
-      API::moduleImport([
-          "@apollo/server", "@apollo/apollo-server-express", "@apollo/apollo-server-core",
-          "apollo-server", "apollo-server-express"
-        ]).getMember("gql")
-  }
-
-  /** An instantiation of an `ApolloServer`. */
-  class ApolloServer extends API::NewNode {
-    ApolloServer() { this = apollo().getAnInstantiation() }
-  }
-
-  /** A string that is interpreted as a GraphQL query by a `apollo` package. */
-  private class ApolloGraphQLString extends GraphQL::GraphQLString {
-    ApolloGraphQLString() { this = gql().getACall().getArgument(0) }
-  }
-}
--- a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -5,7 +5,6 @@
 */

 import javascript
-private import semmle.javascript.frameworks.Apollo
 private import semmle.javascript.frameworks.Cors

 /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
@@ -109,7 +108,8 @@ module CorsPermissiveConfiguration {
   */
  class CorsApolloServer extends Sink, DataFlow::ValueNode {
    CorsApolloServer() {
-      exists(Apollo::ApolloServer agql |
+      exists(API::NewNode agql |
+        agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and
        this =
          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
      )