JS: Add models for Koa routing libraries #5423
Conversation
erik-krogh
added
the
Awaiting evaluation
erik-krogh
removed
the
Awaiting evaluation
erik-krogh
added
the
JS:changes-sources-or-sinks
|
|
||
| RoutedRouteHandler() { | ||
| router = DataFlow::moduleImport(["@koa/router", "koa-router"]).getAnInvocation() and | ||
| call = router.getAMethodCall*() and |
There was a problem hiding this comment.
sanity check: I think the * can be a + here. Is that correct?
| override DataFlow::SourceNode getRouteHandlerRegistration() { | ||
| result = call | ||
| or | ||
| result = router.getAMethodCall("routes") |
There was a problem hiding this comment.
Does this model the mentioned app.use(router.routes()) bit above?
Shouldn't the registration be the app.use(...) call instead then? My intuition is that router.routes() simply is a getter.
There was a problem hiding this comment.
Great work!
Not for this PR, but seeing this reinforced my conviction that we need to migrate HTTP to API graphs. E.g. I thought the .routes() call should just be another step in the type-tracking of route handlers, but it seems Koa doesn't type-tracking its route handlers.
| RoutedRouteHandler() { | ||
| router = DataFlow::moduleImport(["@koa/router", "koa-router"]).getAnInvocation() and | ||
| call = router.getAMethodCall*() and | ||
| call.getMethodName() = |
There was a problem hiding this comment.
We could use getAChainedMethodCall here, but I'll leave it up to you if you want to use it. It's unclear to me what the performance impact would be.
There was a problem hiding this comment.
Thanks, I had forgotten about getAChainedMethodCall.
I think the performance impact is negligible, it will likely unfold to the same thing anyway.
I can do another smoke-test evaluation if you want one.
Co-authored-by: Asger F <asgerf@github.com>
Gets a TP for CVE-2020-8902 (after #5419 is merged).
Evaluation shows a (spurious) speedup.