This adds a framework model for Vercel serverless functions so that
CodeQL's existing JavaScript security queries can detect vulnerabilities
in handlers of the form
export default function handler(req: VercelRequest, res: VercelResponse) { ... }
Handlers are identified as the default export of a module whose first
two parameters are typed as `VercelRequest`/`VercelResponse` from
`@vercel/node`. The default-export constraint excludes private helpers
that share the same signature. Type-based detection follows the same
pattern already used by `NextReqResHandler` in `Next.qll`.
The framework model covers:
- Route handler recognition (default-exported typed handlers only)
- Request input sources: `query`, `body`, `cookies`, and `url`
(the last inherited from Node's `IncomingMessage`)
- Named header accesses like `req.headers.host` and `req.headers.referer`,
modelled as `Http::RequestHeaderAccess` so header-specific queries fire
- Response sinks: `res.send`, `res.status(...).send`, `res.redirect`
- Header definitions via `res.setHeader`
Includes a library test exercising each model predicate (including a
negative case for private helpers) and query consistency fixtures
demonstrating end-to-end detection for js/reflected-xss,
js/request-forgery, js/sql-injection, and js/command-line-injection.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This adds Alert annotations for alerts that seem intentional by the test
but has not been annotated with 'NOT OK', or the comment was in the wrong
place.
In a few cases I included 'Source' expectations to make it easier to see
what happened. Other 'Source' expectations will be added in bulk a later
commit.
One of the diffs look confusing but:
Previously parameter {2,3} where flagged, now parameter {1,2} are flagged.
Note that for command injection, the SystemCommandExecution is flagged
despite the test file claiming otherwise.
Some OK-style comments had to be moved to the following line, shifting line numbers.
In selected range also included the comments themselves.
Lastly, the result sets were reordered by the CLI in some cases.
