JS: add models of URL requests

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 2104cf55e3e5 · 2018-09-04T09:25:42.000+02:00
diff --git a/javascript/ql/src/javascript.qll b/javascript/ql/src/javascript.qll
@@ -71,6 +71,7 @@ import semmle.javascript.frameworks.Request
 import semmle.javascript.frameworks.SQL
 import semmle.javascript.frameworks.StringFormatters
 import semmle.javascript.frameworks.UriLibraries
+import semmle.javascript.frameworks.UrlRequests
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
 import semmle.javascript.linters.ESLint
diff --git a/javascript/ql/src/semmle/javascript/frameworks/UrlRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/UrlRequests.qll
@@ -0,0 +1,127 @@
+/**
+ * Provides classes for modelling URL requests.
+ *
+ * Subclass `UrlRequest` to refine the behavior of the analysis on existing URL requests.
+ * Subclass `CustomUrlRequest` to introduce new kinds of URL requests.
+ */
+
+import javascript
+
+/**
+ * A call that performs a request to a URL.
+ */
+class CustomUrlRequest extends DataFlow::CallNode {
+
+  /**
+   * Gets the URL of the request.
+   */
+  abstract DataFlow::Node getUrl();
+}
+
+/**
+ * A call that performs a request to a URL.
+ */
+class UrlRequest extends DataFlow::CallNode {
+
+  CustomUrlRequest custom;
+
+  UrlRequest() {
+    this = custom
+  }
+
+  /**
+   * Gets the URL of the request.
+   */
+  DataFlow::Node getUrl() {
+    result = custom.getUrl()
+  }
+}
+
+/**
+ * A simple model of common URL request libraries.
+ */
+private class DefaultUrlRequest extends CustomUrlRequest {
+
+  DataFlow::Node url;
+
+  DefaultUrlRequest() {
+    exists (string moduleName, DataFlow::SourceNode callee, string httpMethodName, string urlName |
+      httpMethodName = any(HTTP::RequestMethodName m).toLowerCase() and
+      (urlName = "url" or urlName = "uri") and // slightly over-approximate, in the name of simplicity
+      this = callee.getACall() |
+      (
+        (
+          moduleName = "request" or
+          moduleName = "request-promise" or
+          moduleName = "request-promise-any" or
+          moduleName = "request-promise-native"
+        ) and
+        (
+          callee = DataFlow::moduleImport(moduleName) or
+          callee = DataFlow::moduleMember(moduleName, httpMethodName)
+        ) and
+        (
+          url = getArgument(0) or
+          url = getOptionArgument(0, urlName)
+        )
+      )
+      or
+      (
+        moduleName = "superagent" and
+        callee = DataFlow::moduleMember(moduleName, httpMethodName) and
+        url = getArgument(0)
+      )
+      or
+      (
+        (moduleName = "http" or moduleName = "https") and
+        callee = DataFlow::moduleMember(moduleName, httpMethodName) and
+        url = getArgument(0)
+      )
+      or
+      (
+        moduleName = "axios" and
+        (
+          callee = DataFlow::moduleImport(moduleName) or
+          callee = DataFlow::moduleMember(moduleName, httpMethodName) or
+          callee = DataFlow::moduleMember(moduleName, "request")
+        ) and
+        (
+          url = getArgument(0) or
+          url = getOptionArgument([0..2], urlName) // slightly over-approximate, in the name of simplicity
+        )
+      )
+      or
+      (
+        moduleName = "got" and
+        (
+          callee = DataFlow::moduleImport(moduleName) or
+          callee = DataFlow::moduleMember(moduleName, "stream")
+        ) and
+        (
+          url = getArgument(0) and not exists (getOptionArgument(1, "baseUrl")) 
+        )
+      )
+      or
+      (
+        (
+          moduleName = "node-fetch" or
+          moduleName = "cross-fetch" or
+          moduleName = "isomorphic-fetch"
+        ) and
+        callee = DataFlow::moduleImport(moduleName) and
+        url = getArgument(0)
+      )
+    )
+    or
+    (
+      this = DataFlow::globalVarRef("fetch").getACall() and
+      url = getArgument(0)
+    )
+
+  }
+
+  override DataFlow::Node getUrl() {
+    result = url
+  }
+
+}
diff --git a/javascript/ql/test/library-tests/frameworks/UrlRequests/UrlRequest.expected b/javascript/ql/test/library-tests/frameworks/UrlRequests/UrlRequest.expected
@@ -0,0 +1,16 @@
+| tst.js:11:5:11:16 | request(url) | tst.js:11:13:11:15 | url |
+| tst.js:13:5:13:20 | request.get(url) | tst.js:13:17:13:19 | url |
+| tst.js:15:5:15:23 | request.delete(url) | tst.js:15:20:15:22 | url |
+| tst.js:17:5:17:25 | request ...  url }) | tst.js:17:13:17:24 | { url: url } |
+| tst.js:17:5:17:25 | request ...  url }) | tst.js:17:20:17:22 | url |
+| tst.js:19:5:19:23 | requestPromise(url) | tst.js:19:20:19:22 | url |
+| tst.js:21:5:21:23 | superagent.get(url) | tst.js:21:20:21:22 | url |
+| tst.js:23:5:23:17 | http.get(url) | tst.js:23:14:23:16 | url |
+| tst.js:25:5:25:14 | axios(url) | tst.js:25:11:25:13 | url |
+| tst.js:27:5:27:18 | axios.get(url) | tst.js:27:15:27:17 | url |
+| tst.js:29:5:29:23 | axios({ url: url }) | tst.js:29:11:29:22 | { url: url } |
+| tst.js:29:5:29:23 | axios({ url: url }) | tst.js:29:18:29:20 | url |
+| tst.js:31:5:31:12 | got(url) | tst.js:31:9:31:11 | url |
+| tst.js:33:5:33:19 | got.stream(url) | tst.js:33:16:33:18 | url |
+| tst.js:35:5:35:21 | window.fetch(url) | tst.js:35:18:35:20 | url |
+| tst.js:37:5:37:18 | nodeFetch(url) | tst.js:37:15:37:17 | url |
diff --git a/javascript/ql/test/library-tests/frameworks/UrlRequests/UrlRequest.ql b/javascript/ql/test/library-tests/frameworks/UrlRequests/UrlRequest.ql
@@ -0,0 +1,4 @@
+import javascript
+
+from UrlRequest r
+select r, r.getUrl()
diff --git a/javascript/ql/test/library-tests/frameworks/UrlRequests/tst.js b/javascript/ql/test/library-tests/frameworks/UrlRequests/tst.js
@@ -0,0 +1,39 @@
+import request from 'request';
+import requestPromise from 'request-promise';
+import superagent from 'superagent';
+import http from 'http';
+import express from 'express';
+import axios from 'axios';
+import got from 'got';
+import nodeFetch from 'node-fetch';
+
+(function() {
+    request(url);
+
+    request.get(url);
+
+    request.delete(url);
+
+    request({ url: url });
+
+    requestPromise(url);
+
+    superagent.get(url);
+
+    http.get(url);
+
+    axios(url);
+
+    axios.get(url);
+
+    axios({ url: url });
+
+    got(url);
+
+    got.stream(url);
+
+    window.fetch(url);
+
+    nodeFetch(url);
+
+});
