Express Argument has to be Cors

maikypedia · maikypedia · commit 87cac2a4e355 · 2023-12-07T23:01:41.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -1077,7 +1077,13 @@ module Express {
    * An express route setup configured with the `cors` package.
    */
   class CorsConfiguration extends DataFlow::MethodCallNode {
-    CorsConfiguration() { exists(Express::RouteSetup setup | this = setup | setup.isUseCall()) }
+    CorsConfiguration() {
+      exists(Express::RouteSetup setup | this = setup |
+        setup.isUseCall() and setup.getArgument(0) instanceof Cors::Cors
+        or
+        not setup.isUseCall() and setup.getAnArgument() instanceof Cors::Cors
+      )
+    }
 
     /** Gets the cors argument */
     Cors::Cors getArgument() { result = this.getArgument(0) }
