Merge pull request github#9356 from erik-krogh/getRouting

erik-krogh · web-flow · commit 6cfd790cda9e · 2022-05-31T11:08:54.000+02:00
JS: rewrite js/sensitive-get-query to use routing trees
diff --git a/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql b/javascript/ql/src/Security/CWE-598/SensitiveGetQuery.ql
@@ -14,12 +14,12 @@
 import javascript
 
 from
-  Express::RouteSetup setup, Express::RouteHandler handler, Express::RequestInputAccess input,
+  Routing::RouteSetup setup, Routing::RouteHandler handler, HTTP::RequestInputAccess input,
   SensitiveExpr sensitive
 where
-  setup.getRequestMethod() = "GET" and
-  handler = setup.getARouteHandler() and
-  input.getRouteHandler() = handler and
+  setup.getOwnHttpMethod() = "GET" and
+  setup.getAChild+() = handler and
+  input.getRouteHandler() = handler.getFunction() and
   input.getKind() = "parameter" and
   input.(DataFlow::SourceNode).flowsToExpr(sensitive) and
   not sensitive.getClassification() = SensitiveDataClassification::id()
diff --git a/javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.expected b/javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.expected
@@ -1,3 +1,5 @@
 | tst.js:8:22:8:39 | req.query.password | $@ for GET requests uses query parameter as sensitive data. | tst.js:6:19:14:1 | (req, r ... serId\\n} | Route handler |
 | tst.js:26:22:26:42 | req.par ... sword') | $@ for GET requests uses query parameter as sensitive data. | tst.js:24:20:35:1 | (req, r ...   });\\n} | Route handler |
 | tst.js:31:24:31:40 | req.param('word') | $@ for GET requests uses query parameter as sensitive data. | tst.js:24:20:35:1 | (req, r ...   });\\n} | Route handler |
+| tst.js:39:29:39:41 | query.current | $@ for GET requests uses query parameter as sensitive data. | tst.js:37:19:43:1 | ({query ...   });\\n} | Route handler |
+| tst.js:50:33:50:52 | req.param('current') | $@ for GET requests uses query parameter as sensitive data. | tst.js:48:12:54:5 | (req, r ... ;\\n    } | Route handler |
diff --git a/javascript/ql/test/query-tests/Security/CWE-598/tst.js b/javascript/ql/test/query-tests/Security/CWE-598/tst.js
@@ -32,4 +32,24 @@ app.get("/login2", (req, res) => {
     checkUser(username, myPassword, (result) => {
         res.send(result);
     });
-});
+});
+
+app.get("/login", ({query}, res) => {
+    const username = query.username; // OK - usernames are fine
+    const currentPassword = query.current; // NOT OK - password read
+    checkUser(username, currentPassword, (result) => {
+        res.send(result);
+    });
+});
+
+app.get('/rest/user/change-password', mkHandler());
+
+function mkHandler() {
+    return (req, res) => {
+        const username = req.param('username'); // OK - usernames are fine
+        const currentPassword = req.param('current'); // NOT OK - password read
+        checkUser(username, currentPassword, (result) => {
+            res.send(result);
+        });
+    }
+}
