update the predicates on Express::RouteHandler to use dataflow nodes

erik-krogh · erik-krogh · commit 8266b083d7c8 · 2022-09-05T16:11:54.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Connect.qll b/javascript/ql/lib/semmle/javascript/frameworks/Connect.qll
@@ -30,29 +30,31 @@ module Connect {
      *
      * `kind` is one of: "error", "request", "response", "next".
      */
-    abstract Parameter getRouteHandlerParameter(string kind);
+    abstract DataFlow::ParameterNode getRouteHandlerParameter(string kind);
 
     /**
      * Gets the parameter of the route handler that contains the request object.
      */
-    override Parameter getRequestParameter() { result = getRouteHandlerParameter("request") }
+    override DataFlow::ParameterNode getRequestParameter() {
+      result = getRouteHandlerParameter("request")
+    }
 
     /**
      * Gets the parameter of the route handler that contains the response object.
      */
-    override Parameter getResponseParameter() { result = getRouteHandlerParameter("response") }
+    override DataFlow::ParameterNode getResponseParameter() {
+      result = getRouteHandlerParameter("response")
+    }
   }
 
   /**
    * A Connect route handler installed by a route setup.
    */
-  class StandardRouteHandler extends RouteHandler {
-    override Function astNode;
-
+  class StandardRouteHandler extends RouteHandler, DataFlow::FunctionNode {
     StandardRouteHandler() { this = any(RouteSetup setup).getARouteHandler() }
 
-    override Parameter getRouteHandlerParameter(string kind) {
-      result = getRouteHandlerParameter(astNode, kind)
+    override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
+      result = getRouteHandlerParameter(this, kind)
     }
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ConnectExpressShared.qll b/javascript/ql/lib/semmle/javascript/frameworks/ConnectExpressShared.qll
@@ -52,7 +52,7 @@ module ConnectExpressShared {
   /**
    * Holds if `function` appears to match the given signature based on parameter naming.
    */
-  private predicate matchesSignature(Function function, RouteHandlerSignature sig) {
+  private predicate matchesSignature(DataFlow::FunctionNode function, RouteHandlerSignature sig) {
     function.getNumParameter() = sig.getArity() and
     function.getParameter(sig.getParameterIndex("request")).getName() = ["req", "request"] and
     function.getParameter(sig.getParameterIndex("response")).getName() = ["res", "response"] and
@@ -71,8 +71,8 @@ module ConnectExpressShared {
    * so the caller should restrict the function accordingly.
    */
   pragma[inline]
-  private Parameter getRouteHandlerParameter(
-    Function routeHandler, RouteHandlerSignature sig, string kind
+  private DataFlow::ParameterNode getRouteHandlerParameter(
+    DataFlow::FunctionNode routeHandler, RouteHandlerSignature sig, string kind
   ) {
     result = routeHandler.getParameter(sig.getParameterIndex(kind))
   }
@@ -83,7 +83,9 @@ module ConnectExpressShared {
    * `kind` is one of: "error", "request", "response", "next".
    */
   pragma[inline]
-  Parameter getRouteParameterHandlerParameter(Function routeHandler, string kind) {
+  DataFlow::ParameterNode getRouteParameterHandlerParameter(
+    DataFlow::FunctionNode routeHandler, string kind
+  ) {
     result =
       getRouteHandlerParameter(routeHandler, RouteHandlerSignature::requestResponseNextParameter(),
         kind)
@@ -95,7 +97,7 @@ module ConnectExpressShared {
    * `kind` is one of: "error", "request", "response", "next".
    */
   pragma[inline]
-  Parameter getRouteHandlerParameter(Function routeHandler, string kind) {
+  DataFlow::ParameterNode getRouteHandlerParameter(DataFlow::FunctionNode routeHandler, string kind) {
     if routeHandler.getNumParameter() = 4
     then
       // For arity 4 there is ambiguity between (err, req, res, next) and (req, res, next, param)
@@ -115,7 +117,7 @@ module ConnectExpressShared {
    */
   class RouteHandlerCandidate extends HTTP::RouteHandlerCandidate {
     RouteHandlerCandidate() {
-      matchesSignature(astNode, _) and
+      matchesSignature(this, _) and
       not (
         // heuristic: not a class method (the server invokes this with a function call)
         astNode = any(MethodDefinition def).getBody()
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -286,14 +286,12 @@ module Express {
    * The callback given to passport in PassportRouteSetup.
    */
   private class PassportRouteHandler extends RouteHandler, HTTP::Servers::StandardRouteHandler,
-    DataFlow::ValueNode {
-    override Function astNode;
-
+    DataFlow::FunctionNode {
     PassportRouteHandler() { this = any(PassportRouteSetup setup).getARouteHandler() }
 
-    override Parameter getRouteHandlerParameter(string kind) {
+    override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
       kind = "request" and
-      result = astNode.getParameter(0)
+      result = this.getParameter(0)
     }
   }
 
@@ -478,40 +476,41 @@ module Express {
      *
      * `kind` is one of: "error", "request", "response", "next", or "parameter".
      */
-    abstract Parameter getRouteHandlerParameter(string kind); // TODO: DataFlow::ParameterNode
+    abstract DataFlow::ParameterNode getRouteHandlerParameter(string kind);
 
     /**
      * Gets the parameter of the route handler that contains the request object.
      */
-    Parameter getRequestParameter() { result = this.getRouteHandlerParameter("request") } // TODO: DataFlow::ParameterNode
+    DataFlow::ParameterNode getRequestParameter() {
+      result = this.getRouteHandlerParameter("request")
+    }
 
     /**
      * Gets the parameter of the route handler that contains the response object.
      */
-    Parameter getResponseParameter() { result = this.getRouteHandlerParameter("response") } // TODO: DataFlow::ParameterNode
+    DataFlow::ParameterNode getResponseParameter() {
+      result = this.getRouteHandlerParameter("response")
+    }
 
     /**
      * Gets a request body access of this handler.
      */
-    Expr getARequestBodyAccess() {
-      result.(PropAccess).accesses(this.getARequestNode().asExpr(), "body")
-    } // TODO: DataFlow::Node
+    DataFlow::PropRead getARequestBodyAccess() { result.accesses(this.getARequestNode(), "body") }
   }
 
   /**
    * An Express route handler installed by a route setup.
    */
   class StandardRouteHandler extends RouteHandler, HTTP::Servers::StandardRouteHandler,
-    DataFlow::ValueNode {
-    override Function astNode;
+    DataFlow::FunctionNode {
     RouteSetup routeSetup;
 
     StandardRouteHandler() { this = routeSetup.getARouteHandler() }
 
-    override Parameter getRouteHandlerParameter(string kind) {
+    override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
       if routeSetup.isParameterHandler()
-      then result = getRouteParameterHandlerParameter(astNode, kind)
-      else result = getRouteHandlerParameter(astNode, kind)
+      then result = getRouteParameterHandlerParameter(this, kind)
+      else result = getRouteHandlerParameter(this, kind)
     }
   }
 
@@ -540,7 +539,7 @@ module Express {
     RouteHandler rh;
 
     ExplicitResponseSource() {
-      this = DataFlow::parameterNode(rh.getResponseParameter())
+      this = rh.getResponseParameter()
       or
       isChainableResponseMethodCall(rh, this.asExpr())
     }
@@ -570,7 +569,7 @@ module Express {
   private class ExplicitRequestSource extends RequestSource {
     RouteHandler rh;
 
-    ExplicitRequestSource() { this = DataFlow::parameterNode(rh.getRequestParameter()) }
+    ExplicitRequestSource() { this = rh.getRequestParameter() }
 
     /**
      * Gets the route handler that handles this request.
@@ -637,7 +636,7 @@ module Express {
 
     ParamHandlerInputAccess() {
       exists(RouteSetup setup | rh = setup.getARouteHandler() |
-        this = DataFlow::parameterNode(rh.getRouteHandlerParameter("parameter"))
+        this = rh.getRouteHandlerParameter("parameter")
       )
     }
 
@@ -778,7 +777,8 @@ module Express {
    * An access to the HTTP request body.
    */
   class RequestBodyAccess extends Expr {
-    RequestBodyAccess() { any(RouteHandler h).getARequestBodyAccess() = this }
+    // TODO: DataFlow::Node
+    RequestBodyAccess() { any(RouteHandler h).getARequestBodyAccess().asExpr() = this }
   }
 
   abstract private class HeaderDefinition extends HTTP::Servers::StandardHeaderDefinition {
@@ -1049,10 +1049,10 @@ module Express {
 
     TrackedRouteHandlerCandidateWithSetup() { this = routeSetup.getARouteHandler() }
 
-    override Parameter getRouteHandlerParameter(string kind) {
+    override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
       if routeSetup.isParameterHandler()
-      then result = getRouteParameterHandlerParameter(astNode, kind)
-      else result = getRouteHandlerParameter(astNode, kind)
+      then result = getRouteParameterHandlerParameter(this, kind)
+      else result = getRouteHandlerParameter(this, kind)
     }
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Firebase.qll b/javascript/ql/lib/semmle/javascript/frameworks/Firebase.qll
@@ -216,15 +216,13 @@ module Firebase {
      * A function used as a route handler.
      */
     private class RouteHandler extends Express::RouteHandler, HTTP::Servers::StandardRouteHandler,
-      DataFlow::ValueNode {
-      override Function astNode;
-
+      DataFlow::FunctionNode {
       RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }
 
-      override Parameter getRouteHandlerParameter(string kind) {
-        kind = "request" and result = astNode.getParameter(0)
+      override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
+        kind = "request" and result = this.getParameter(0)
         or
-        kind = "response" and result = astNode.getParameter(1)
+        kind = "response" and result = this.getParameter(1)
       }
     }
   }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/HttpProxy.qll b/javascript/ql/lib/semmle/javascript/frameworks/HttpProxy.qll
@@ -83,16 +83,12 @@ private module HttpProxy {
       )
     }
 
-    override Parameter getRequestParameter() {
-      exists(int req | routeHandlingEventHandler(event, req, _) |
-        result = getFunction().getParameter(req)
-      )
+    override DataFlow::ParameterNode getRequestParameter() {
+      exists(int req | routeHandlingEventHandler(event, req, _) | result = getParameter(req))
     }
 
-    override Parameter getResponseParameter() {
-      exists(int res | routeHandlingEventHandler(event, _, res) |
-        result = getFunction().getParameter(res)
-      )
+    override DataFlow::ParameterNode getResponseParameter() {
+      exists(int res | routeHandlingEventHandler(event, _, res) | result = getParameter(res))
     }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/LiveServer.qll b/javascript/ql/lib/semmle/javascript/frameworks/LiveServer.qll
@@ -22,8 +22,8 @@ private module LiveServer {
   class RouteHandler extends Connect::RouteHandler, DataFlow::FunctionNode {
     RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }
 
-    override Parameter getRouteHandlerParameter(string kind) {
-      result = ConnectExpressShared::getRouteHandlerParameter(astNode, kind)
+    override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
+      result = ConnectExpressShared::getRouteHandlerParameter(this, kind)
     }
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -230,10 +230,10 @@ module NextJS {
       )
     }
 
-    override Parameter getRouteHandlerParameter(string kind) {
-      kind = "request" and result = this.getFunction().getParameter(0)
+    override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
+      kind = "request" and result = this.getParameter(0)
       or
-      kind = "response" and result = this.getFunction().getParameter(1)
+      kind = "response" and result = this.getParameter(1)
     }
   }
 
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll
@@ -114,12 +114,12 @@ module NodeJSLib {
     /**
      * Gets the parameter of the route handler that contains the request object.
      */
-    Parameter getRequestParameter() { result = this.getFunction().getParameter(0) }
+    DataFlow::ParameterNode getRequestParameter() { result = this.getParameter(0) }
 
     /**
      * Gets the parameter of the route handler that contains the response object.
      */
-    Parameter getResponseParameter() { result = this.getFunction().getParameter(1) }
+    DataFlow::ParameterNode getResponseParameter() { result = this.getParameter(1) }
   }
 
   /**
@@ -141,7 +141,7 @@ module NodeJSLib {
   private class StandardResponseSource extends ResponseSource {
     RouteHandler rh;
 
-    StandardResponseSource() { this = DataFlow::parameterNode(rh.getResponseParameter()) }
+    StandardResponseSource() { this = rh.getResponseParameter() }
 
     /**
      * Gets the route handler that provides this response.
@@ -161,7 +161,7 @@ module NodeJSLib {
   private class StandardRequestSource extends RequestSource {
     RouteHandler rh;
 
-    StandardRequestSource() { this = DataFlow::parameterNode(rh.getRequestParameter()) }
+    StandardRequestSource() { this = rh.getRequestParameter() }
 
     /**
      * Gets the route handler that handles this request.
diff --git a/javascript/ql/lib/semmle/javascript/heuristics/AdditionalRouteHandlers.qll b/javascript/ql/lib/semmle/javascript/heuristics/AdditionalRouteHandlers.qll
@@ -29,8 +29,8 @@ private class PromotedExpressCandidate extends Express::RouteHandler,
   HTTP::Servers::StandardRouteHandler {
   PromotedExpressCandidate() { this instanceof ConnectExpressShared::RouteHandlerCandidate }
 
-  override Parameter getRouteHandlerParameter(string kind) {
-    result = ConnectExpressShared::getRouteHandlerParameter(getAstNode(), kind)
+  override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
+    result = ConnectExpressShared::getRouteHandlerParameter(this, kind)
   }
 }
 
@@ -41,7 +41,7 @@ private class PromotedConnectCandidate extends Connect::RouteHandler,
   HTTP::Servers::StandardRouteHandler {
   PromotedConnectCandidate() { this instanceof ConnectExpressShared::RouteHandlerCandidate }
 
-  override Parameter getRouteHandlerParameter(string kind) {
-    result = ConnectExpressShared::getRouteHandlerParameter(getAstNode(), kind)
+  override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {
+    result = ConnectExpressShared::getRouteHandlerParameter(this, kind)
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
@@ -199,7 +199,7 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {
       rateLimiterClassName.matches("RateLimiter%") and
       rateLimiterClass = API::moduleImport("rate-limiter-flexible").getMember(rateLimiterClassName) and
       rateLimiterConsume = rateLimiterClass.getInstance().getMember("consume") and
-      request.getParameter() = getRouteHandlerParameter(this.getFunction(), "request") and
+      request = getRouteHandlerParameter(this, "request") and
       request.getAPropertyRead().flowsTo(rateLimiterConsume.getAParameter().asSink())
     )
   }
diff --git a/javascript/ql/test/library-tests/frameworks/Express/RouteHandler.qll b/javascript/ql/test/library-tests/frameworks/Express/RouteHandler.qll
@@ -1,5 +1,7 @@
 import javascript
 
-query predicate test_RouteHandler(Express::RouteHandler rh, Parameter res0, Parameter res1) {
+query predicate test_RouteHandler(
+  Express::RouteHandler rh, DataFlow::ParameterNode res0, DataFlow::ParameterNode res1
+) {
   res0 = rh.getRequestParameter() and res1 = rh.getResponseParameter()
 }
diff --git a/javascript/ql/test/library-tests/frameworks/Express/RouteHandler_getARequestBodyAccess.qll b/javascript/ql/test/library-tests/frameworks/Express/RouteHandler_getARequestBodyAccess.qll
@@ -1,5 +1,5 @@
 import javascript
 
-query predicate test_RouteHandler_getARequestBodyAccess(Express::RouteHandler rh, Expr res) {
+query predicate test_RouteHandler_getARequestBodyAccess(Express::RouteHandler rh, DataFlow::Node res) {
   res = rh.getARequestBodyAccess()
 }
diff --git a/javascript/ql/test/library-tests/frameworks/Express/StandardRouteHandler.qll b/javascript/ql/test/library-tests/frameworks/Express/StandardRouteHandler.qll
@@ -1,7 +1,8 @@
 import javascript
 
 query predicate test_StandardRouteHandler(
-  Express::StandardRouteHandler rh, DataFlow::Node res0, SimpleParameter res1, SimpleParameter res2
+  Express::StandardRouteHandler rh, DataFlow::Node res0, DataFlow::ParameterNode res1,
+  DataFlow::ParameterNode res2
 ) {
   res0 = rh.getServer() and res1 = rh.getRequestParameter() and res2 = rh.getResponseParameter()
 }

Original file line number	Diff line number	Diff line change
`@@ -216,15 +216,13 @@ module Firebase {`
`216`	`216`	`* A function used as a route handler.`
`217`	`217`	`*/`
`218`	`218`	`private class RouteHandler extends Express::RouteHandler, HTTP::Servers::StandardRouteHandler,`
`219`		`- DataFlow::ValueNode {`
`220`		`- override Function astNode;`
`221`		`-`
	`219`	`+ DataFlow::FunctionNode {`
`222`	`220`	`RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }`
`223`	`221`
`224`		`- override Parameter getRouteHandlerParameter(string kind) {`
`225`		`- kind = "request" and result = astNode.getParameter(0)`
	`222`	`+ override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {`
	`223`	`+ kind = "request" and result = this.getParameter(0)`
`226`	`224`	`or`
`227`		`- kind = "response" and result = astNode.getParameter(1)`
	`225`	`+ kind = "response" and result = this.getParameter(1)`
`228`	`226`	`}`
`229`	`227`	`}`
`230`	`228`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,16 +83,12 @@ private module HttpProxy {`
`83`	`83`	`)`
`84`	`84`	`}`
`85`	`85`
`86`		`- override Parameter getRequestParameter() {`
`87`		`- exists(int req \| routeHandlingEventHandler(event, req, _) \|`
`88`		`- result = getFunction().getParameter(req)`
`89`		`- )`
	`86`	`+ override DataFlow::ParameterNode getRequestParameter() {`
	`87`	`+ exists(int req \| routeHandlingEventHandler(event, req, _) \| result = getParameter(req))`
`90`	`88`	`}`
`91`	`89`
`92`		`- override Parameter getResponseParameter() {`
`93`		`- exists(int res \| routeHandlingEventHandler(event, _, res) \|`
`94`		`- result = getFunction().getParameter(res)`
`95`		`- )`
	`90`	`+ override DataFlow::ParameterNode getResponseParameter() {`
	`91`	`+ exists(int res \| routeHandlingEventHandler(event, _, res) \| result = getParameter(res))`
`96`	`92`	`}`
`97`	`93`	`}`
`98`	`94`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,8 +22,8 @@ private module LiveServer {`
`22`	`22`	`class RouteHandler extends Connect::RouteHandler, DataFlow::FunctionNode {`
`23`	`23`	`RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }`
`24`	`24`
`25`		`- override Parameter getRouteHandlerParameter(string kind) {`
`26`		`- result = ConnectExpressShared::getRouteHandlerParameter(astNode, kind)`
	`25`	`+ override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {`
	`26`	`+ result = ConnectExpressShared::getRouteHandlerParameter(this, kind)`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
Original file line number	Diff line number	Diff line change
`@@ -230,10 +230,10 @@ module NextJS {`
`230`	`230`	`)`
`231`	`231`	`}`
`232`	`232`
`233`		`- override Parameter getRouteHandlerParameter(string kind) {`
`234`		`- kind = "request" and result = this.getFunction().getParameter(0)`
	`233`	`+ override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {`
	`234`	`+ kind = "request" and result = this.getParameter(0)`
`235`	`235`	`or`
`236`		`- kind = "response" and result = this.getFunction().getParameter(1)`
	`236`	`+ kind = "response" and result = this.getParameter(1)`
`237`	`237`	`}`
`238`	`238`	`}`
`239`	`239`
Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,8 @@ private class PromotedExpressCandidate extends Express::RouteHandler,`
`29`	`29`	`HTTP::Servers::StandardRouteHandler {`
`30`	`30`	`PromotedExpressCandidate() { this instanceof ConnectExpressShared::RouteHandlerCandidate }`
`31`	`31`
`32`		`- override Parameter getRouteHandlerParameter(string kind) {`
`33`		`- result = ConnectExpressShared::getRouteHandlerParameter(getAstNode(), kind)`
	`32`	`+ override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {`
	`33`	`+ result = ConnectExpressShared::getRouteHandlerParameter(this, kind)`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`@@ -41,7 +41,7 @@ private class PromotedConnectCandidate extends Connect::RouteHandler,`
`41`	`41`	`HTTP::Servers::StandardRouteHandler {`
`42`	`42`	`PromotedConnectCandidate() { this instanceof ConnectExpressShared::RouteHandlerCandidate }`
`43`	`43`
`44`		`- override Parameter getRouteHandlerParameter(string kind) {`
`45`		`- result = ConnectExpressShared::getRouteHandlerParameter(getAstNode(), kind)`
	`44`	`+ override DataFlow::ParameterNode getRouteHandlerParameter(string kind) {`
	`45`	`+ result = ConnectExpressShared::getRouteHandlerParameter(this, kind)`
`46`	`46`	`}`
`47`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,7 @@ class RateLimiterFlexibleRateLimiter extends DataFlow::FunctionNode {`
`199`	`199`	`rateLimiterClassName.matches("RateLimiter%") and`
`200`	`200`	`rateLimiterClass = API::moduleImport("rate-limiter-flexible").getMember(rateLimiterClassName) and`
`201`	`201`	`rateLimiterConsume = rateLimiterClass.getInstance().getMember("consume") and`
`202`		`- request.getParameter() = getRouteHandlerParameter(this.getFunction(), "request") and`
	`202`	`+ request = getRouteHandlerParameter(this, "request") and`
`203`	`203`	`request.getAPropertyRead().flowsTo(rateLimiterConsume.getAParameter().asSink())`
`204`	`204`	`)`
`205`	`205`	`}`