JS: Add routing trees library #7049

Merged
merged 37 commits into from
Dec 17, 2021
e9575c3
JS: Support AdditionalUseStep in API graphs
asgerf Sep 6, 2021
aae4260
JS: Routing model
asgerf Oct 7, 2021
3dd5d4d
JS: Instantiate for Express and add tests
asgerf Oct 11, 2021
16fa066
JS: Fix false negative in Mongo model
asgerf Oct 7, 2021
389a3c9
JS: Port CSRF query
asgerf Oct 7, 2021
5269933
JS: Port missing rate limiting query
asgerf Oct 7, 2021
cfb9265
JS: Add template steps for res.locals.x
asgerf Oct 7, 2021
7182056
JS: Instantiate for Fastify
asgerf Oct 7, 2021
400bf10
JS: Move fastify-specific route handler step into extension point
asgerf Oct 7, 2021
d0e94e6
JS: Exclude error handling from auth calls
asgerf Oct 12, 2021
b732193
JS: Improve precision of missing CSRF middleware
asgerf Oct 25, 2021
66b1612
JS: Treat non-cookie based auth as CSRF preventer
asgerf Oct 26, 2021
5f8ea39
JS: Do not flag auth endpoints that are immune to Login CSRF
asgerf Oct 27, 2021
8af430d
JS: Shift line numbers in TemplateObjectInjection test
asgerf Oct 28, 2021
64db70f
JS: Add explicit body-parsers to TemplateObjectInjection test
asgerf Oct 28, 2021
3cbe94a
JS: Add consistency checks to TemplateObjectInjection test
asgerf Oct 28, 2021
7492293
JS: Add test with route handler indirection
asgerf Oct 28, 2021
da8e67b
JS: Use routing trees to detect deeply tainted req.body
asgerf Oct 28, 2021
635ac0a
JS: Fix perf issue in data flow step generation
asgerf Nov 2, 2021
5559681
JS: Change note
asgerf Nov 8, 2021
614c807
Apply suggestions from code review
asgerf Dec 7, 2021
23480b2
JS: Remove stray TODO
asgerf Dec 7, 2021
b2016bd
JS: Merge concepts of client/database in MongoDB model
asgerf Dec 7, 2021
c1bb40f
Update javascript/ql/lib/semmle/javascript/frameworks/Express.qll
asgerf Dec 14, 2021
04bdba8
JS: Shift line numbers in test expectations
asgerf Dec 14, 2021
995e331
JS: Add test for res.locals flow to template
asgerf Dec 14, 2021
1b20506
Update javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
asgerf Dec 14, 2021
0ca9feb
JS: Always treat routers as resuming dispatch
asgerf Dec 15, 2021
b226f76
JS: Fix tracking of fastify server instance
asgerf Dec 15, 2021
615b2ec
JS: Fix handling of fastify-plugin
asgerf Dec 15, 2021
4d85799
JS: Add test for fastify-rate-limit
asgerf Dec 15, 2021
218b746
JS: Rename getAUseSite -> getRouteInstallation
asgerf Dec 15, 2021
8aa4d82
JS: Rename RouteHandlerInput->RouteHandlerParameter
asgerf Dec 15, 2021
79e6dca
JS: Rename getValueAtAccessPath->getValueImplicitlyStoredInAccessPath
asgerf Dec 15, 2021
784991c
Update javascript/ql/lib/semmle/javascript/Routing.qll
asgerf Dec 15, 2021
53b3581
JS: Add test to stress flow through properties
asgerf Dec 15, 2021
0e9c237
JS: Use a field in RouterHandlerParameter
asgerf Dec 16, 2021
3 changes: 3 additions & 0 deletions javascript/change-notes/2021-11-08-routing-trees.md
@@ -0,0 +1,3 @@
lgtm,codescanning
* Data flow is now tracked across middleware functions in more cases, leading to more security results in general. Affected packages are `express` and `fastify`.
* `js/missing-token-validation` has been made more precise, yielding both fewer false positives and more true positives.
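Review bot: the second bullet covers only `js/missing-token-validation`, but the commit list also ports the missing rate limiting query onto the new routing model (`JS: Port missing rate limiting query`); if that query's results change as well, add a bullet for it so the change note matches what ships.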
1 change: 1 addition & 0 deletions javascript/ql/lib/javascript.qll
@@ -50,6 +50,7 @@ import semmle.javascript.Promises
import semmle.javascript.CanonicalNames
import semmle.javascript.RangeAnalysis
import semmle.javascript.Regexp
import semmle.javascript.Routing
import semmle.javascript.SSA
import semmle.javascript.StandardLibrary
import semmle.javascript.Stmt
22 changes: 22 additions & 0 deletions javascript/ql/lib/semmle/javascript/ApiGraphs.qll
@@ -388,6 +388,23 @@ module API {
API::Node getNode() { result = root().getASuccessor(Label::entryPoint(this)) }
}

/**
* A class for contributing new steps for tracking uses of an API.
*/
class AdditionalUseStep extends Unit {
/**
* Holds if use nodes should flow from `pred` to `succ`.
*/
predicate step(DataFlow::SourceNode pred, DataFlow::SourceNode succ) { none() }
}

private module AdditionalUseStep {
pragma[nomagic]
predicate step(DataFlow::SourceNode pred, DataFlow::SourceNode succ) {
any(AdditionalUseStep st).step(pred, succ)
}
}

/**
* Provides the actual implementation of API graphs, cached for performance.
*
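Review bot: the doc comment on `AdditionalUseStep` should tell extenders what to do with it: subclass it and override `step`, and which way the step points (a use of the API tracked at `pred` is also treated as a use at `succ`), since the default body `none()` contributes nothing on its own. A one-line comment on the private module noting that it deliberately shares the class's name (types and modules are separate namespaces in QL) would also stop readers from taking it for a shadowing mistake, and is the natural place to say why the disjunction over all subclasses is wrapped in a `pragma[nomagic]` predicate rather than inlined into the recursive caller.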
@@ -751,6 +768,11 @@ module API {
boundArgs in [0 .. 10]
)
or
exists(DataFlow::SourceNode mid |
mid = trackUseNode(nd, promisified, boundArgs, prop, t) and
AdditionalUseStep::step(pragma[only_bind_out](mid), result)
)
or
exists(DataFlow::Node pred, string preprop |
trackUseNode(nd, promisified, boundArgs, preprop, t.continue()).flowsTo(pred) and
promisified = false and
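Review bot: the new disjunct recurses with `t` unchanged, whereas the property-read disjunct directly below it recurses with `t.continue()`; a comment on the `exists` should say whether applying an `AdditionalUseStep` without touching the type tracker is deliberate, and what `pragma[only_bind_out](mid)` is guarding against (join order, or preventing `mid` from being bound from `result`), since neither can be inferred from the hunk alone.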