6ab62da
Add Restify/Spife support
Oct 3, 2022
b79f7f3
Address code review comments
Oct 18, 2022
31d271b
Fix format errors
Oct 19, 2022
976dd7f
Fix format errors
Oct 19, 2022
2ad5a70
Merge branch 'main' into restify_improvements
Oct 19, 2022
009403b
Add QLDoc for FormatterSetup.getAFormatterHandler
Oct 19, 2022
c10087b
Merge branch 'restify_improvements' of https://github.com/pwntester/c…
Oct 19, 2022
c7ac237
Update test results after merging new XSS improvements
Oct 19, 2022
742e4aa
Apply suggestions from code review
Oct 24, 2022
37ea3f2
Refactored `ReplySource` to `ReplyCall`. Got rid of unnecessary `ref()`
Oct 25, 2022
a80b691
Remove unnecessary TaggedTemplateEntryPoint
Oct 25, 2022
9830d2b
Format Restify.qll
Oct 25, 2022
3e92b4c
Apply suggestions from code review
Dec 7, 2022
407df37
Add feedback from Code review
Dec 7, 2022
af015d3
restoring previous casts to avoid super type ambiguity
Dec 7, 2022
38b2f53
Use ReplyCall.super syntax instead of this.(ReplyCall)
Dec 7, 2022
1410d28
Update javascript/ql/lib/semmle/javascript/frameworks/Spife.qll
Dec 12, 2022
469d7f5
Use fluent API instead of hasPropertyWrite
Dec 12, 2022
4ba3190
Replace API::Node with DataFlow::Node for Spife's RouteSetup
Dec 13, 2022
270a435
format Restify.qll
Dec 13, 2022
701676e
Update javascript/ql/lib/semmle/javascript/frameworks/Spife.qll
Dec 14, 2022
a71fc93
add tests
Dec 14, 2022
e1f05e9
Merge branch 'restify_improvements' of https://github.com/pwntester/c…
Dec 14, 2022
14faff4
fix restify tests
Dec 14, 2022
4cf7299
restore Spife.qll to working status
Dec 14, 2022
818c2da
fix Spife tests (without heuristics)
Dec 14, 2022
f46a8fa
port RouteSetup API-based implementation to DataFlow one
Dec 14, 2022
5555812
add explicit this
erik-krogh Dec 14, 2022
Replace API::Node with DataFlow::Node for Spife's RouteSetup
Alvaro Muñoz committed Dec 13, 2022
commit 4ba3190d29f3b5273c38e8f93b59c42ee36ba480
22 changes: 16 additions & 6 deletions javascript/ql/lib/semmle/javascript/frameworks/Spife.qll
Expand Up @@ -12,7 +12,7 @@ module Spife {
/**
* A call to a Spife method that sets up a route.
*/
private class RouteSetup extends API::CallNode, Http::Servers::StandardRouteSetup {
private class RouteSetup extends DataFlow::CallNode, Http::Servers::StandardRouteSetup {
TaggedTemplateExpr template;

RouteSetup() {
Expand Down Expand Up @@ -44,20 +44,22 @@ module Spife {
)
}

API::Node getHandlerByName(string name) { result = this.getParameter(0).getMember(name) }
DataFlow::Node getHandlerByName(string name) {
result = DataFlow::parameterNode(this.getACallee().getParameter(0)).getAPropertyRead(name)
}

API::Node getHandlerByRoute(string method, string path) {
DataFlow::Node getHandlerByRoute(string method, string path) {
exists(string handlerName |
this.hasLine(method, path, handlerName) and
result = this.getHandlerByName(handlerName)
)
}

override DataFlow::SourceNode getARouteHandler() {
result = this.getHandlerByRoute(_, _).getAValueReachingSink().(DataFlow::FunctionNode)
result = this.getHandlerByRoute(_, _).getALocalSource().(DataFlow::FunctionNode)
or
exists(DataFlow::MethodCallNode validation |
validation = this.getHandlerByRoute(_, _).getAValueReachingSink() and
validation = this.getHandlerByRoute(_, _).getALocalSource() and
result = validation.getArgument(1).getAFunctionValue()
)
}
Expand Down Expand Up @@ -90,7 +92,7 @@ module Spife {
/**
* A function that looks like a Spife route handler.
*
* For example, this could be the function `function(req, res, next){...}`.
* For example, this could be the function `function(request, context){...}`.
*/
class RouteHandlerCandidate extends Http::RouteHandlerCandidate {
RouteHandlerCandidate() {
Expand Down Expand Up @@ -139,22 +141,30 @@ module Spife {
string kind;

RequestInputAccess() {
// req.body
this = rh.getARequestSource().ref().getAPropertyRead("body") and
kind = "body"
or
// req.query['foo']
this = rh.getARequestSource().ref().getAPropertyRead("query").getAPropertyRead() and
kind = "parameter"
or
// req.raw
this = rh.getARequestSource().ref().getAPropertyRead("raw") and
kind = "raw"
or
// req.url
// req.urlObject
this = rh.getARequestSource().ref().getAPropertyRead(["url", "urlObject"]) and
kind = "url"
or
// req.cookie('foo')
// req.cookies()
this = rh.getARequestSource().ref().getAMethodCall() and
this.(DataFlow::MethodCallNode).getMethodName() = ["cookie", "cookies"] and
kind = "cookie"
or
// req.validatedBody.get('foo')
exists(DataFlow::PropRead validated, DataFlow::MethodCallNode get |
rh.getARequestSource().ref().getAPropertyRead() = validated and
validated.getPropertyName().matches("validated%") and
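Review bot: The new `getHandlerByName` body, `DataFlow::parameterNode(this.getACallee().getParameter(0)).getAPropertyRead(name)`, is not a translation of the removed `this.getParameter(0).getMember(name)`: on an `API::CallNode`, `getParameter(0)` denotes the call's first *argument*, whereas `getACallee().getParameter(0)` is the callee's formal parameter, so the predicate now looks for `handlers.foo` reads inside the routing function rather than the `foo` property of the handler object passed at the call site. Unless Spife's routing helper really reads handlers off its own parameter (nothing in the visible code shows that), `getHandlerByRoute` becomes empty, `getARouteHandler` yields nothing, and every `RequestInputAccess` source in the last hunk disappears — a silent false-negative regression for the XSS/injection queries rather than a compile error. A data-flow equivalent of the old lookup would be `result = this.getArgument(0).getALocalSource().getAPropertyWrite(name).getRhs()`, after which `getALocalSource().(DataFlow::FunctionNode)` in `getARouteHandler` picks up both inline functions and the `{ index }` shorthand. Separately, `getALocalSource()` replaces `getAValueReachingSink()`, which followed flow across function boundaries, so handlers bound through a helper or imported from another module may no longer be recognized; a test covering that shape would show whether the narrowing is acceptable. The `RouteSetup` class and the `RequestInputAccess` characteristic predicate both continue outside the hunks shown here.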