Added support for del function in superagent

Napalys · Napalys · commit 2e1734eebab9 · 2025-03-20T12:01:18.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
@@ -513,6 +513,13 @@ module ClientRequest {
     }
   }
 
+  /**
+   * Gets the name of a superagent request method.
+   */
+  private string getSuperagentRequestMethodName() {
+    result = [httpMethodName(), any(Http::RequestMethodName m), "del", "DEL"]
+  }
+
   /**
    * A model of a URL request made using the `superagent` library.
    */
@@ -522,7 +529,7 @@ module ClientRequest {
     SuperAgentUrlRequest() {
       exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
         moduleName = "superagent" and
-        callee = DataFlow::moduleMember(moduleName, httpMethodName()) and
+        callee = DataFlow::moduleMember(moduleName, getSuperagentRequestMethodName()) and
         url = this.getArgument(0)
       )
     }
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -91,6 +91,7 @@ test_ClientRequest
 | tst.js:286:20:286:55 | new Web ... :8080') |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) |
 | tst.js:312:12:312:36 | fetchPo ... o/bar') |
+| tst.js:320:5:320:23 | superagent.del(url) |
 test_getADataNode
 | axiosTest.js:12:5:17:6 | axios({ ... \\n    }) | axiosTest.js:15:18:15:55 | { 'Cont ... json' } |
 | axiosTest.js:12:5:17:6 | axios({ ... \\n    }) | axiosTest.js:16:15:16:35 | {x: 'te ... 'test'} |
@@ -240,6 +241,7 @@ test_getUrl
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:11:299:5 | {\\n      ... ,\\n    } |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:298:14:298:44 | "http:/ ... -axios" |
 | tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:26:312:35 | '/foo/bar' |
+| tst.js:320:5:320:23 | superagent.del(url) | tst.js:320:20:320:22 | url |
 test_getAResponseDataNode
 | axiosTest.js:4:5:7:6 | axios({ ... \\n    }) | axiosTest.js:4:5:7:6 | axios({ ... \\n    }) | json | true |
 | axiosTest.js:12:5:17:6 | axios({ ... \\n    }) | axiosTest.js:12:5:17:6 | axios({ ... \\n    }) | json | true |
@@ -314,3 +316,4 @@ test_getAResponseDataNode
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:37 | err.response | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:304:27:304:38 | err.response | json | false |
 | tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:12:312:36 | fetchPo ... o/bar') | fetch.response | true |
+| tst.js:320:5:320:23 | superagent.del(url) | tst.js:320:5:320:23 | superagent.del(url) | stream | true |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -317,6 +317,6 @@ function usePolyfill() {
 
 function useSuperagent(url){
     superagent('GET', url); // Not flagged
-    superagent.del(url); // Not flagged
+    superagent.del(url);
     superagent.agent().post(url).send(data); // Not flagged
 }

Original file line number	Diff line number	Diff line change
`@@ -513,6 +513,13 @@ module ClientRequest {`
`513`	`513`	`}`
`514`	`514`	`}`
`515`	`515`
	`516`	`+ /**`
	`517`	`+ * Gets the name of a superagent request method.`
	`518`	`+ */`
	`519`	`+ private string getSuperagentRequestMethodName() {`
	`520`	`+ result = [httpMethodName(), any(Http::RequestMethodName m), "del", "DEL"]`
	`521`	`+ }`
	`522`	`+`
`516`	`523`	`/**`
`517`	`524`	* A model of a URL request made using the `superagent` library.
`518`	`525`	`*/`
`@@ -522,7 +529,7 @@ module ClientRequest {`
`522`	`529`	`SuperAgentUrlRequest() {`
`523`	`530`	`exists(string moduleName, DataFlow::SourceNode callee \| this = callee.getACall() \|`
`524`	`531`	`moduleName = "superagent" and`
`525`		`- callee = DataFlow::moduleMember(moduleName, httpMethodName()) and`
	`532`	`+ callee = DataFlow::moduleMember(moduleName, getSuperagentRequestMethodName()) and`
`526`	`533`	`url = this.getArgument(0)`
`527`	`534`	`)`
`528`	`535`	`}`
Original file line number	Diff line number	Diff line change
`@@ -317,6 +317,6 @@ function usePolyfill() {`
`317`	`317`
`318`	`318`	`function useSuperagent(url){`
`319`	`319`	`superagent('GET', url); // Not flagged`
`320`		`- superagent.del(url); // Not flagged`
	`320`	`+ superagent.del(url);`
`321`	`321`	`superagent.agent().post(url).send(data); // Not flagged`
`322`	`322`	`}`