change ResponseBody to a DataFlow::Node

erik-krogh · erik-krogh · commit 24b845589d60 · 2022-09-05T15:44:13.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -766,7 +766,7 @@ module Express {
   private class ResponseSendArgument extends HTTP::ResponseSendArgument {
     ResponseSource response;
 
-    ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0).asExpr() }
+    ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0) }
 
     override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }
@@ -794,7 +794,7 @@ module Express {
     TemplateObjectInput obj;
 
     TemplateInput() {
-      obj.getALocalSource().(DataFlow::ObjectLiteralNode).hasPropertyWrite(_, this.flow())
+      obj.getALocalSource().(DataFlow::ObjectLiteralNode).hasPropertyWrite(_, this)
     }
 
     override RouteHandler getRouteHandler() { result = obj.getRouteHandler() }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll b/javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
@@ -340,9 +340,9 @@ module Fastify {
     RouteHandler rh;
 
     ResponseSendArgument() {
-      this = rh.getAResponseSource().ref().getAMethodCall("send").getArgument(0).asExpr()
+      this = rh.getAResponseSource().ref().getAMethodCall("send").getArgument(0)
       or
-      this = rh.(DataFlow::FunctionNode).getAReturn().asExpr()
+      this = rh.(DataFlow::FunctionNode).getAReturn()
     }
 
     override RouteHandler getRouteHandler() { result = rh }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll b/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
@@ -117,7 +117,7 @@ module HTTP {
   /**
    * An expression whose value is sent as (part of) the body of an HTTP response.
    */
-  abstract class ResponseBody extends Expr {
+  abstract class ResponseBody extends DataFlow::Node {
     /**
      * Gets the route handler that sends this expression.
      */
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll b/javascript/ql/lib/semmle/javascript/frameworks/Hapi.qll
@@ -270,7 +270,7 @@ module Hapi {
   private class HandlerReturn extends HTTP::ResponseSendArgument {
     RouteHandler handler;
 
-    HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn().asExpr() }
+    HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn() }
 
     override RouteHandler getRouteHandler() { result = handler }
   }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Koa.qll b/javascript/ql/lib/semmle/javascript/frameworks/Koa.qll
@@ -412,8 +412,7 @@ module Koa {
 
     ResponseSendArgument() {
       exists(DataFlow::PropWrite pwn |
-        pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body",
-          DataFlow::valueNode(this))
+        pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body", this)
       )
     }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Micro.qll b/javascript/ql/lib/semmle/javascript/frameworks/Micro.qll
@@ -104,7 +104,7 @@ private module Micro {
 
     MicroSendArgument() {
       send = moduleMember("micro", ["send", "sendError"]).getACall() and
-      this = send.getLastArgument().asExpr()
+      this = send.getLastArgument()
     }
 
     override HTTP::RouteHandler getRouteHandler() {
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll b/javascript/ql/lib/semmle/javascript/frameworks/Nest.qll
@@ -349,10 +349,10 @@ module NestJS {
 
     ReturnValueAsResponseSend() {
       handler.isReturnValueReflected() and
-      this = handler.getAReturn().asExpr() and
+      this = handler.getAReturn() and
       // Only returned strings are sinks
       not exists(Type type |
-        type = getType() and
+        type = this.asExpr().getType() and
         not isStringType(type.unfold())
       )
     }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -363,9 +363,9 @@ module NodeJSLib {
     HTTP::RouteHandler rh;
 
     ResponseSendArgument() {
-      exists(MethodCallExpr mce, string m | m = "write" or m = "end" |
-        mce.calls(any(ResponseExpr e | e.getRouteHandler() = rh), m) and
-        this = mce.getArgument(0) and
+      exists(DataFlow::MethodCallNode mcn, string m | m = "write" or m = "end" |
+        mcn.calls(any(ResponseExpr e | e.getRouteHandler() = rh).flow(), m) and
+        this = mcn.getArgument(0) and
         // don't mistake callback functions as data
         not this.analyze().getAValue() instanceof AbstractFunction
       )
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -24,10 +24,8 @@ module ReflectedXss {
    * a content type that does not (case-insensitively) contain the string "html". This
    * is to prevent us from flagging plain-text or JSON responses as vulnerable.
    */
-  class HttpResponseSink extends Sink, DataFlow::ValueNode {
-    override HTTP::ResponseSendArgument astNode;
-
-    HttpResponseSink() { not exists(getANonHtmlHeaderDefinition(astNode)) }
+  class HttpResponseSink extends Sink instanceof HTTP::ResponseSendArgument {
+    HttpResponseSink() { not exists(getANonHtmlHeaderDefinition(this)) }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/StackTraceExposureCustomizations.qll
@@ -32,7 +32,5 @@ module StackTraceExposure {
    * An expression that can become part of an HTTP response body, viewed
    * as a data flow sink for stack trace exposure vulnerabilities.
    */
-  class DefaultSink extends Sink, DataFlow::ValueNode {
-    override HTTP::ResponseBody astNode;
-  }
+  class DefaultSink extends Sink instanceof HTTP::ResponseBody { }
 }

Original file line number	Diff line number	Diff line change
`@@ -766,7 +766,7 @@ module Express {`
`766`	`766`	`private class ResponseSendArgument extends HTTP::ResponseSendArgument {`
`767`	`767`	`ResponseSource response;`
`768`	`768`
`769`		`- ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0).asExpr() }`
	`769`	`+ ResponseSendArgument() { this = response.ref().getAMethodCall("send").getArgument(0) }`
`770`	`770`
`771`	`771`	`override RouteHandler getRouteHandler() { result = response.getRouteHandler() }`
`772`	`772`	`}`
`@@ -794,7 +794,7 @@ module Express {`
`794`	`794`	`TemplateObjectInput obj;`
`795`	`795`
`796`	`796`	`TemplateInput() {`
`797`		`- obj.getALocalSource().(DataFlow::ObjectLiteralNode).hasPropertyWrite(_, this.flow())`
	`797`	`+ obj.getALocalSource().(DataFlow::ObjectLiteralNode).hasPropertyWrite(_, this)`
`798`	`798`	`}`
`799`	`799`
`800`	`800`	`override RouteHandler getRouteHandler() { result = obj.getRouteHandler() }`
Original file line number	Diff line number	Diff line change
`@@ -270,7 +270,7 @@ module Hapi {`
`270`	`270`	`private class HandlerReturn extends HTTP::ResponseSendArgument {`
`271`	`271`	`RouteHandler handler;`
`272`	`272`
`273`		`- HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn().asExpr() }`
	`273`	`+ HandlerReturn() { this = handler.(DataFlow::FunctionNode).getAReturn() }`
`274`	`274`
`275`	`275`	`override RouteHandler getRouteHandler() { result = handler }`
`276`	`276`	`}`
Original file line number	Diff line number	Diff line change
`@@ -412,8 +412,7 @@ module Koa {`
`412`	`412`
`413`	`413`	`ResponseSendArgument() {`
`414`	`414`	`exists(DataFlow::PropWrite pwn \|`
`415`		`- pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body",`
`416`		`- DataFlow::valueNode(this))`
	`415`	`+ pwn.writes(DataFlow::valueNode(rh.getAResponseOrContextExpr()), "body", this)`
`417`	`416`	`)`
`418`	`417`	`}`
`419`	`418`
Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ private module Micro {`
`104`	`104`
`105`	`105`	`MicroSendArgument() {`
`106`	`106`	`send = moduleMember("micro", ["send", "sendError"]).getACall() and`
`107`		`- this = send.getLastArgument().asExpr()`
	`107`	`+ this = send.getLastArgument()`
`108`	`108`	`}`
`109`	`109`
`110`	`110`	`override HTTP::RouteHandler getRouteHandler() {`
Original file line number	Diff line number	Diff line change
`@@ -349,10 +349,10 @@ module NestJS {`
`349`	`349`
`350`	`350`	`ReturnValueAsResponseSend() {`
`351`	`351`	`handler.isReturnValueReflected() and`
`352`		`- this = handler.getAReturn().asExpr() and`
	`352`	`+ this = handler.getAReturn() and`
`353`	`353`	`// Only returned strings are sinks`
`354`	`354`	`not exists(Type type \|`
`355`		`- type = getType() and`
	`355`	`+ type = this.asExpr().getType() and`
`356`	`356`	`not isStringType(type.unfold())`
`357`	`357`	`)`
`358`	`358`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,5 @@ module StackTraceExposure {`
`32`	`32`	`* An expression that can become part of an HTTP response body, viewed`
`33`	`33`	`* as a data flow sink for stack trace exposure vulnerabilities.`
`34`	`34`	`*/`
`35`		`- class DefaultSink extends Sink, DataFlow::ValueNode {`
`36`		`- override HTTP::ResponseBody astNode;`
`37`		`- }`
	`35`	`+ class DefaultSink extends Sink instanceof HTTP::ResponseBody { }`
`38`	`36`	`}`