mirror of
https://github.com/github/codeql.git
synced 2026-01-13 14:34:45 +01:00
53 lines
1.7 KiB
Plaintext
53 lines
1.7 KiB
Plaintext
/**
|
|
* Provides classes and predicates for working with serverless handlers.
|
|
* E.g. [AWS](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-handler.html) or [serverless](https://npmjs.com/package/serverless)
|
|
* In particular a `RemoteFlowSource` is added for AWS, Alibaba, and serverless.
|
|
*/
|
|
|
|
import javascript
|
|
import codeql.serverless.ServerLess
|
|
|
|
private module YamlImpl implements Input {
|
|
import semmle.javascript.Files
|
|
import semmle.javascript.YAML
|
|
}
|
|
|
|
module SL = ServerLess<YamlImpl>;
|
|
|
|
/**
|
|
* Gets a function that is a serverless request handler.
|
|
*
|
|
* For example: if an AWS serverless resource contains the following properties (in the "template.yml" file):
|
|
* ```yaml
|
|
* Handler: mylibrary.handler
|
|
* Runtime: nodejs12.x
|
|
* CodeUri: backend/src/
|
|
* ```
|
|
*
|
|
* And a file "mylibrary.js" exists in the folder "backend/src" (relative to the "template.yml" file).
|
|
* Then the result of this predicate is a function exported as "handler" from "mylibrary.js".
|
|
* The "mylibrary.js" file could for example look like:
|
|
*
|
|
* ```JavaScript
|
|
* module.exports.handler = function (event) { ... }
|
|
* ```
|
|
*/
|
|
private DataFlow::FunctionNode getAServerlessHandler() {
|
|
exists(File file, string stem, string handler, Module mod |
|
|
SL::hasServerlessHandler(stem, handler, _, _) and
|
|
file.getAbsolutePath() = stem + ".js"
|
|
|
|
|
mod.getFile() = file and
|
|
result = mod.getAnExportedValue(handler).getAFunctionValue()
|
|
)
|
|
}
|
|
|
|
/**
|
|
* A serverless request handler event, seen as a RemoteFlowSource.
|
|
*/
|
|
private class ServerlessHandlerEventAsRemoteFlow extends RemoteFlowSource {
|
|
ServerlessHandlerEventAsRemoteFlow() { this = getAServerlessHandler().getParameter(0) }
|
|
|
|
override string getSourceType() { result = "Serverless event" }
|
|
}
|