codeql/HeaderDefinition.qll at cff07342f5cbd5a3658be054e764b79ddac21bd4 - codeql - Gitea: Git with a cup of tea

hohn/codeql

mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00

Files

murderteeth dfe05599d3 JS: Add support for @vercel/node serverless functions

This adds a framework model for Vercel serverless functions so that
CodeQL's existing JavaScript security queries can detect vulnerabilities
in handlers of the form

    export default function handler(req: VercelRequest, res: VercelResponse) { ... }

Handlers are identified as the default export of a module whose first
two parameters are typed as `VercelRequest`/`VercelResponse` from
`@vercel/node`. The default-export constraint excludes private helpers
that share the same signature. Type-based detection follows the same
pattern already used by `NextReqResHandler` in `Next.qll`.

The framework model covers:
- Route handler recognition (default-exported typed handlers only)
- Request input sources: `query`, `body`, `cookies`, and `url`
  (the last inherited from Node's `IncomingMessage`)
- Named header accesses like `req.headers.host` and `req.headers.referer`,
  modelled as `Http::RequestHeaderAccess` so header-specific queries fire
- Response sinks: `res.send`, `res.status(...).send`, `res.redirect`
- Header definitions via `res.setHeader`

Includes a library test exercising each model predicate (including a
negative case for private helpers) and query consistency fixtures
demonstrating end-to-end detection for js/reflected-xss,
js/request-forgery, js/sql-injection, and js/command-line-injection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-12 19:17:18 +00:00

8 lines

193 B

Plaintext

Raw Blame History

 import javascript
 query predicate test_HeaderDefinition(
   Http::HeaderDefinition hd, string name, VercelNode::RouteHandler rh
 ) {
   hd.getRouteHandler() = rh and name = hd.getAHeaderName()
 }