diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
index 551d325f26af..a65fcdce44db 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -13,12 +13,31 @@ module NextJS {
  */
 PackageJson getANextPackage() { result.getDependencies().getADependency("next", _) }
 
+ bindingset[base, name]
+ pragma[inline_late]
+ private Folder getOptionalFolder(Folder base, string name) {
+ result = base.getFolder(name)
+ or
+ not exists(base.getFolder(name)) and
+ result = base
+ }
+
+ private Folder packageRoot() { result = getANextPackage().getFile().getParentContainer() }
+
+ private Folder srcRoot() { result = getOptionalFolder(packageRoot(), "src") }
+
+ private Folder appRoot() { result = srcRoot().getFolder("app") }
+
+ private Folder pagesRoot() { result = [srcRoot(), appRoot()].getFolder("pages") }
+
+ private Folder apiRoot() { result = [pagesRoot(), appRoot()].getFolder("api") }
+
 /**
  * Gets a "pages" folder in a `Next.js` application.
  * JavaScript files inside these folders are mapped to routes.
  */
 Folder getAPagesFolder() {
- result = getANextPackage().getFile().getParentContainer().getFolder("pages")
+ result = pagesRoot()
 or
 result = getAPagesFolder().getAFolder()
 }
@@ -217,8 +236,7 @@ module NextJS {
  * the App Router (`app/api/`) Next.js 13+ structures.
  */
 Folder apiFolder() {
- result =
- getANextPackage().getFile().getParentContainer().getFolder(["pages", "app"]).getFolder("api")
+ result = apiRoot()
 or
 result = apiFolder().getAFolder()
 }
diff --git a/javascript/ql/src/change-notes/2025-11-25-nextjs-project-layout.md b/javascript/ql/src/change-notes/2025-11-25-nextjs-project-layout.md
new file mode 100644
index 000000000000..7135aa3f2ed1
--- /dev/null
+++ b/javascript/ql/src/change-notes/2025-11-25-nextjs-project-layout.md
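Review bot: `srcRoot()` keys the `src/` fallback on the existence of the `src` folder itself, not on `src/pages` or `src/app`, and both `appRoot()` and `pagesRoot()` only look underneath `srcRoot()`, so a project that keeps shared code in `src/` but its routes in a root-level `pages/` loses the coverage the old `getAPagesFolder()` had. For a taint model that is a silent loss of server-side sources, and the ReflectedXss expectations in this commit only exercise the root layout, so nothing would catch it. As far as I recall, Next.js gives a root-level `pages`/`app` precedence over `src/` when both exist, so the safer over-approximation is to admit both roots: `private Folder srcRoot() { result = packageRoot() or result = packageRoot().getFolder("src") }`, after which `getOptionalFolder` (and its `bindingset`/`pragma[inline_late]`) is unused and can be dropped. The second hunk's `apiFolder()` inherits the same gap through `apiRoot()`.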
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a bug in the Next.js model that would cause the analysis to miss server-side taint sources in the `app/pages` folder.
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
index e536364f805d..b488018d09d1 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -35,6 +35,8 @@
 | app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
+| app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
+| app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to a $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
@@ -365,6 +367,8 @@ nodes
 | app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body |
 | app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body |
 | app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body |
+| app/pages/Next2.jsx:8:13:8:19 | req.url | semmle.label | req.url |
+| app/pages/Next2.jsx:15:13:15:19 | req.url | semmle.label | req.url |
 | etherpad.js:9:5:9:12 | response | semmle.label | response |
 | etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp |
 | etherpad.js:11:12:11:19 | response | semmle.label | response |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
index a4b02fa07491..2dceb5fa8071 100644
--- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -34,6 +34,8 @@
 | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
+| app/pages/Next2.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:8:13:8:19 | req.url | user-provided value |
+| app/pages/Next2.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | app/pages/Next2.jsx:15:13:15:19 | req.url | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | live-server.js:6:13:6:50 | ` ... /html>` | Cross-site scripting vulnerability due to $@. | live-server.js:4:21:4:27 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/pages/Next2.jsx b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/pages/Next2.jsx
new file mode 100644
index 000000000000..d6c2232e9571
--- /dev/null
+++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/pages/Next2.jsx
@@ -0,0 +1,19 @@
+export default function Post() {
+ return ;
+}
+
+Post.getInitialProps = async (ctx) => {
+ const req = ctx.req;
+ const res = ctx.res;
+ res.end(req.url); // $ Alert
+ return {}
+}
+
+export async function getServerSideProps(ctx) {
+ const req = ctx.req;
+ const res = ctx.res;
+ res.end(req.url); // $ Alert
+ return {
+ props: {}
+ }
+}
\ No newline at end of file
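Review bot: This fixture pins only the `app/pages` layout, while the Next.qll change it accompanies also starts modelling a `src/` root, so a sibling fixture under `src/pages/` or `src/app/` with the same two `res.end(req.url)` sinks would be needed for a regression on that path to surface in ReflectedXss.expected. Separately, `Post()` on the second line is `return ;`, which returns nothing; if a JSX element was intended there it looks to have been dropped, so confirm against the file as committed. The `return {}` and the closing `}` of `getInitialProps` also omit the semicolons the surrounding statements use.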