Skip to content

JS: recognize more express URL related sources #12518

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 20, 2023
Merged

JS: recognize more express URL related sources #12518

merged 2 commits into from
Mar 20, 2023

Conversation

erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Mar 14, 2023
edited
Loading

CVE-2022-2237: Recognize the source

I'm hoping the code is self-explanatory.

Evaluation was unevenful.

@github-actions github-actions bot added the JS label Mar 14, 2023
@erik-krogh erik-krogh force-pushed the more-express-sources branch from 0a89291 to a72436f Compare March 15, 2023 09:14
@erik-krogh erik-krogh marked this pull request as ready for review March 16, 2023 07:12
@erik-krogh erik-krogh requested a review from a team as a code owner March 16, 2023 07:12
asgerf
asgerf reviewed Mar 16, 2023
View reviewed changes
javascript/ql/lib/semmle/javascript/frameworks/Express.qll Outdated
(
if exists(queryRef(request).getAPropertyRead())
then this = queryRef(request).getAPropertyRead()
else this = queryRef(request)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
else this = queryRef(request)
else this = request.ref().getAPropertyRead("query")

and similar for params (feel free to refactor to eliminate the duplication with queryRef).

Treating the result of the type-tracking predicate as a source can lead to redundant sources:

foo(req.query); // <-- 'req.query' is the correct source
function foo(query) {} // <-- 'query' becomes a redundant source

@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Mar 16, 2023
@erik-krogh
Copy link
Contributor Author

Final confirmation evaluations looks good.

@erik-krogh erik-krogh merged commit 540542c into github:main Mar 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asgerf asgerf asgerf approved these changes

Assignees
No one assigned
Labels
JS no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@erik-krogh @asgerf