JS: Track express route handlers into arrays

asgerf · asgerf · commit 96e415aba68e · 2023-04-27T16:14:22.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -215,6 +215,9 @@ module Express {
         or
         Http::routeHandlerStep(result, succ) and
         t = t2
+        or
+        DataFlow::SharedFlowStep::storeStep(result, succ, DataFlow::PseudoProperties::arrayElement()) and
+        t = t2.continue()
       )
     }
 

Original file line number	Diff line number	Diff line change
`@@ -215,6 +215,9 @@ module Express {`
`215`	`215`	`or`
`216`	`216`	`Http::routeHandlerStep(result, succ) and`
`217`	`217`	`t = t2`
	`218`	`+ or`
	`219`	`+ DataFlow::SharedFlowStep::storeStep(result, succ, DataFlow::PseudoProperties::arrayElement()) and`
	`220`	`+ t = t2.continue()`
`218`	`221`	`)`
`219`	`222`	`}`
`220`	`223`