JS: make Express' res/req extend Node's res/req

Esben Sparre Andreasen · Esben Sparre Andreasen · commit 59b7b0757a52 · 2019-06-12T12:45:01.000+02:00
diff --git a/change-notes/1.22/analysis-javascript.md b/change-notes/1.22/analysis-javascript.md
@@ -8,6 +8,7 @@
   - [exec](https://www.npmjs.com/package/exec)
   - [execa](https://www.npmjs.com/package/execa)
   - [exec-async](https://www.npmjs.com/package/exec-async)
+  - [express](https://www.npmjs.com/package/express)
   - [remote-exec](https://www.npmjs.com/package/remote-exec)
   
 ## New queries
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -380,14 +380,14 @@ module Express {
   /**
    * An Express response expression.
    */
-  class ResponseExpr extends HTTP::Servers::StandardResponseExpr {
+  class ResponseExpr extends NodeJSLib::ResponseExpr {
     override ResponseSource src;
   }
 
   /**
    * An Express request expression.
    */
-  class RequestExpr extends HTTP::Servers::StandardRequestExpr {
+  class RequestExpr extends NodeJSLib::RequestExpr {
     override RequestSource src;
   }
 
@@ -415,14 +415,9 @@ module Express {
           )
         )
         or
-        exists(string propName |
-          // `req.url` or `req.originalUrl`
-          kind = "url" and
-          this.(DataFlow::PropRef).accesses(request, propName)
-        |
-          propName = "url" or
-          propName = "originalUrl"
-        )
+        // `req.originalUrl`
+        kind = "url" and
+        this.(DataFlow::PropRef).accesses(request, "originalUrl")
         or
         // `req.cookies`
         kind = "cookie" and
@@ -431,11 +426,6 @@ module Express {
       or
       kind = "body" and
       this.asExpr() = rh.getARequestBodyAccess()
-      or
-      exists(RequestHeaderAccess access | this = access |
-        rh = access.getRouteHandler() and
-        kind = "header"
-      )
     }
 
     override RouteHandler getRouteHandler() { result = rh }
@@ -626,9 +616,8 @@ module Express {
     RouteHandler rh;
 
     ResponseSendArgument() {
-      exists(MethodCallExpr mce, string name |
-        mce.calls(rh.getAResponseExpr(), name) and
-        (name = "send" or name = "end") and
+      exists(MethodCallExpr mce |
+        mce.calls(rh.getAResponseExpr(), "send") and
         this = mce.getArgument(0)
       )
     }
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -146,7 +146,7 @@ module NodeJSLib {
       )
     }
 
-    override RouteHandler getRouteHandler() { result = request.getRouteHandler() }
+    override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
 
     override string getKind() { result = kind }
   }
@@ -170,7 +170,7 @@ module NodeJSLib {
       result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
     }
 
-    override RouteHandler getRouteHandler() { result = request.getRouteHandler() }
+    override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }
 
     override string getKind() { result = "header" }
 
diff --git a/javascript/ql/test/library-tests/frameworks/Express/src/inheritedFromNode.js b/javascript/ql/test/library-tests/frameworks/Express/src/inheritedFromNode.js
@@ -0,0 +1,8 @@
+var express = require('express');
+var app = express();
+
+app.post('/', function(req, res) {
+	res.end();
+	res.setHeader();
+	req.url;
+});
diff --git a/javascript/ql/test/library-tests/frameworks/Express/tests.expected b/javascript/ql/test/library-tests/frameworks/Express/tests.expected
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXssGood.js

Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ module NodeJSLib {`
`146`	`146`	`)`
`147`	`147`	`}`
`148`	`148`
`149`		`- override RouteHandler getRouteHandler() { result = request.getRouteHandler() }`
	`149`	`+ override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }`
`150`	`150`
`151`	`151`	`override string getKind() { result = kind }`
`152`	`152`	`}`
`@@ -170,7 +170,7 @@ module NodeJSLib {`
`170`	`170`	`result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()`
`171`	`171`	`}`
`172`	`172`
`173`		`- override RouteHandler getRouteHandler() { result = request.getRouteHandler() }`
	`173`	`+ override HTTP::RouteHandler getRouteHandler() { result = request.getRouteHandler() }`
`174`	`174`
`175`	`175`	`override string getKind() { result = "header" }`
`176`	`176`