/** Provides models of commonly used functions and types in the gqlgen packages. */
overlay[local?]
module;
import go
/**
 * Provides models of the resolver code generated by gqlgen
 * (`github.com/99designs/gqlgen`), so that parameters of GraphQL resolver
 * implementations are reported as remote flow sources.
 */
module Gqlgen {
  /**
   * A file that is treated as containing autogenerated gqlgen code.
   *
   * This is a heuristic: a file qualifies as soon as it contains one call whose
   * receiver has a type from the `github.com/99designs/gqlgen/graphql` package.
   * A hand-written file containing such a call matches as well.
   */
  private class GqlgenGeneratedFile extends File {
    GqlgenGeneratedFile() {
      exists(DataFlow::CallNode c, Type receiverType |
        c.getFile() = this and
        receiverType = c.getReceiver().getType() and
        receiverType.hasQualifiedName("github.com/99designs/gqlgen/graphql", _)
      )
    }
  }

  /**
   * A type that is treated as a gqlgen resolver interface.
   *
   * The match is by name and location only: the qualified name ends in `Resolver`
   * and the declaration of the type's entity lies in a `GqlgenGeneratedFile`.
   * Nothing here checks that the type is actually an interface.
   */
  private class ResolverInterface extends Type {
    ResolverInterface() {
      this.getEntity().getDeclaration().getFile() instanceof GqlgenGeneratedFile and
      this.getQualifiedName().matches("%Resolver")
    }
  }

  /** A method whose receiver type is a resolver interface. */
  private class ResolverInterfaceMethod extends Method {
    ResolverInterfaceMethod() {
      exists(ResolverInterface iface | this.getReceiver().getType() = iface)
    }
  }

  /**
   * A method that implements a resolver interface method, and is therefore
   * exposed as a GraphQL endpoint.
   */
  private class ResolverImplementationMethod extends Method {
    ResolverImplementationMethod() {
      exists(ResolverInterfaceMethod declared | this.implements(declared))
    }

    /**
     * Gets a parameter of this resolver that is treated as untrusted.
     *
     * The parameter at index 0 is always skipped, and so is any parameter of type
     * `context.Context`; every other parameter of the method's declaration is
     * returned.
     *
     * NOTE(review): index 0 is presumably the `context.Context` argument - confirm.
     * Parameters that the server itself populates would also be returned if they
     * sit at index 1 or later, so sources derived from this predicate may
     * over-approximate what a client controls.
     */
    Parameter getAnUntrustedParameter() {
      result.getIndex() > 0 and
      not result.getType().hasQualifiedName("context", "Context") and
      result.getFunction() = this.getFuncDecl()
    }
  }

  /**
   * A parameter of a resolver implementation method that receives untrusted input.
   *
   * Extending `RemoteFlowSource::Range` makes each of these parameter nodes a
   * remote flow source for queries built on `RemoteFlowSource`.
   */
  class ResolverParameter extends RemoteFlowSource::Range instanceof DataFlow::ParameterNode {
    ResolverParameter() {
      exists(ResolverImplementationMethod resolver |
        this.asParameter() = resolver.getAnUntrustedParameter()
      )
    }
  }
}