github
diff --git a/‎javascript/ql/lib/semmle/javascript/frameworks/Express.qll
Lines changed: 64 additions & 4 deletions b/‎javascript/ql/lib/semmle/javascript/frameworks/Express.qll
Lines changed: 64 additions & 4 deletions
diff --git a/‎javascript/ql/test/library-tests/Routing/route-setups.js
Lines changed: 293 additions & 0 deletions b/‎javascript/ql/test/library-tests/Routing/route-setups.js
Lines changed: 293 additions & 0 deletions
diff --git a/‎javascript/ql/test/library-tests/Routing/test.expected b/‎javascript/ql/test/library-tests/Routing/test.expected
@@ -75,6 +75,63 @@ module Express {
     result = "del"
   }
 
+  private class RouterRange extends Routing::Router::Range {
+    RouterDefinition def;
+
+    RouterRange() { this = def.flow() }
+
+    override DataFlow::SourceNode getAReference() { result = def.ref() }
+  }
+
+  private class RoutingTreeSetup extends Routing::RouteSetup::MethodCall {
+    RoutingTreeSetup() { asExpr() instanceof RouteSetup }
+
+    override string getRelativePath() {
+      not getMethodName() = "param" and // do not treat parameter name as a path
+      result = getArgument(0).getStringValue()
+    }
+
+    override HTTP::RequestMethodName getHttpMethod() { result.toLowerCase() = getMethodName() }
+  }
+
+  /**
+   * A route setup performed via `express-limiter`.
+   *
+   * `express-limiter` is unusual in that it can install the middleware on its own,
+   * rather than expecting the caller to install it with `app.use()` or similar.
+   *
+   * For example:
+   * ```js
+   * let app = express();
+   * require('express-limiter')(app, client)({ method: 'get', path: '/foo' });
+   * ```
+   */
+  private class RateLimiterRouteSetup extends Routing::RouteSetup::Range {
+    DataFlow::CallNode limitCall;
+
+    RateLimiterRouteSetup() {
+      limitCall = DataFlow::moduleImport("express-limiter").getACall() and
+      exists(this.(DataFlow::CallNode).getOptionArgument(0, ["path", "method"])) and
+      this = limitCall.getACall()
+    }
+
+    override predicate isInstalledAt(Routing::Router::Range router, ControlFlowNode cfgNode) {
+      router.getAReference().getALocalUse() = limitCall.getArgument(0) and
+      cfgNode = asExpr()
+    }
+  }
+
+  private class AppTree extends Routing::Node {
+    AppTree() { this = Routing::getNode(appCreation()) }
+
+    override DataFlow::Node getValueAtAccessPath(int n, string path) {
+      // req.app and res.app refer to the app object
+      n = [0, 1] and
+      path = "app" and
+      this = Routing::getNode(result)
+    }
+  }
+
   /**
    * A call to an Express router method that sets up a route.
    */
@@ -788,10 +845,13 @@ module Express {
       exists(DataFlow::TypeTracker t2 | result = this.ref(t2).track(t2, t))
     }
 
+    /** Gets a data flow node referring to this router. */
+    DataFlow::SourceNode ref() { result = ref(DataFlow::TypeTracker::end()) }
+
     /**
      * Holds if `sink` may refer to this router.
      */
-    predicate flowsTo(Expr sink) { this.ref(DataFlow::TypeTracker::end()).flowsToExpr(sink) }
+    predicate flowsTo(Expr sink) { this.ref().flowsToExpr(sink) }
 
     /**
      * Gets a `RouteSetup` that was used for setting up a route on this router.
@@ -970,9 +1030,9 @@ module Express {
    */
   private class RenderCallAsTemplateInstantiation extends Templating::TemplateInstantiation::Range,
     DataFlow::CallNode {
-    RenderCallAsTemplateInstantiation() {
-      this = any(ResponseSource res).ref().getAMethodCall("render")
-    }
+    ResponseSource res;
+
+    RenderCallAsTemplateInstantiation() { this = res.ref().getAMethodCall("render") }
 
     override DataFlow::Node getTemplateFileNode() { result = this.getArgument(0) }
 
 
@@ -0,0 +1,293 @@
+const express = require('express');
+const TestObj = require('@example/test');
+
+function basicTaint() {
+    const app = express();
+    app.use((req, res, next) => {
+        req.tainted = source();
+        req.safe = 'safe';
+        next();
+    });
+    app.get('/', (req, res) => {
+        sink(req.tainted); // NOT OK
+        sink(req.safe); // OK
+    });
+}
+
+function basicApiGraph() {
+    const app = express();
+    app.use((req, res, next) => {
+        req.obj = new TestObj();
+        next();
+    });
+    app.get('/', (req, res) => {
+        sink(req.obj.getSource()); // NOT OK
+        req.obj.getSink(source()); // NOT OK
+    });
+}
+
+function noTaint() {
+    const app = express();
+    function middleware(req, res, next) {
+        req.tainted = source();
+        req.safe = 'safe';
+        next();
+    }
+    app.get('/unsafe', middleware, (req, res) => {
+        sink(req.tainted); // NOT OK
+        sink(req.safe); // OK
+    });
+    app.get('/safe', (req, res) => {
+        sink(req.tainted); // OK - not preceded by middleware
+        sink(req.safe); // OK
+    });
+}
+
+function looseApiGraphStep() {
+    const app = express();
+    function middleware(req, res, next) {
+        req.obj = new TestObj();
+        next();
+    }
+    app.get('/unsafe', middleware, (req, res) => {
+        sink(req.obj.getSource()); // NOT OK
+    });
+    app.get('/safe', (req, res) => {
+        sink(req.obj.getSource()); // NOT OK - we allow API graph steps within the same app
+    });
+}
+
+function chainMiddlewares() {
+    const app = express();
+    function step1(req, res, next) {
+        req.taint = source();
+        next();
+    }
+    function step2(req, res, next) {
+        req.locals.alsoTaint = req.taint;
+        next();
+    }
+    app.get('/', step1, step2, (req, res) => {
+        sink(req.taint); // NOT OK
+        sink(req.locals.alsoTaint); // NOT OK
+    });
+}
+
+function routerEscapesIntoParameter() {
+    const app = express();
+    function setupMiddlewares(router) {
+        router.use((req, res, next) => {
+            req.taint = source();
+            next();
+        });
+    }
+    app.get('/before', (req, res) => {
+        sink(req.taint); // OK
+    });
+    setupMiddlewares(app);
+    app.get('/after', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+}
+
+function routerReturned() {
+    const app = express();
+    function makeMiddlewares() {
+        let router = new express.Router();
+        router.use((req, res, next) => {
+            req.taint = source();
+            next();
+        });
+        return router;
+    }
+    app.get('/before', (req, res) => {
+        sink(req.taint); // OK
+    });
+    app.use(makeMiddlewares());
+    app.get('/after', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+}
+
+function routerCaptured() {
+    const app = express();
+    function addMiddlewares() {
+        app.use((req, res, next) => {
+            req.taint = source();
+            next();
+        });
+    }
+    app.get('/before', (req, res) => {
+        sink(req.taint); // OK
+    });
+    addMiddlewares();
+    app.get('/after', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+}
+
+function withPath() {
+    const app = express();
+    app.use('/foo', (req, res, next) => {
+        req.taint = source();
+        next();
+    });
+    app.get('/foo', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+    app.get('/bar', (req, res) => {
+        sink(req.taint); // OK
+    });
+}
+
+
+function withNestedPath() {
+    const app = express();
+    app.use('/foo/bar', (req, res, next) => {
+        req.taint = source();
+        next();
+    });
+    function makeRouter() {
+        const router = express.Router();
+        router.get('/bar', (req, res) => {
+            sink(req.taint); // NOT OK
+        })
+        router.get('/baz', (req, res) => {
+            sink(req.taint); // OK
+        })
+        return router;
+    }
+    app.get('/foo', makeRouter());
+    app.get('/bar', (req, res) => {
+        sink(req.taint); // OK
+    });
+}
+
+function withHttpMethods() {
+    const app = express();
+    app.get('/foo', (req, res, next) => {
+        req.taintGet = source();
+        next();
+    });
+    app.post('/foo', (req, res, next) => {
+        req.taintPost = source();
+        next();
+    });
+    app.all('/foo', (req, res, next) => {
+        req.taintAll = source();
+        next();
+    });
+    app.get('/foo/a', (req, res) => {
+        sink(req.taintGet); // NOT OK
+        sink(req.taintPost); // OK - not tainted for GET requests
+        sink(req.taintAll); // NOT OK
+    });
+    app.post('/foo/b', (req, res) => {
+        sink(req.taintGet); // OK - not tainted for POST requests
+        sink(req.taintPost); // NOT OK
+        sink(req.taintAll); // NOT OK
+    });
+    app.all('/foo/c', (req, res) => {
+        sink(req.taintGet); // NOT OK
+        sink(req.taintPost); // NOT OK
+        sink(req.taintAll); // NOT OK
+    });
+}
+
+function withChaining() {
+    const app = express();
+    app.use('/', (req, res) => {
+        sink(req.taint); // OK
+    });
+    function middleware() {
+        return express.Router()
+            .use((req, res, next) => {
+                req.taint = source();
+                next();
+            })
+            .use(blah());
+    }
+    app.use(middleware());
+    app.use('/', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+}
+
+function withClass() {
+    class App {
+        constructor(router) {
+            this.router = router;
+            this.earlyRoutes();
+            this.addMiddleware();
+            this.lateRoutes();
+        }
+        earlyRoutes() {
+            this.router.get('/', (req, res) => {
+                sink(req.taint); // OK
+            })
+        }
+        addMiddleware() {
+            this.router.use((req, res, next) => {
+                req.taint = source();
+                next();
+            })
+        }
+        lateRoutes() {
+            this.router.get('/', (req, res) => {
+                sink(req.taint); // NOT OK
+            })
+        }
+    }
+    let app = new App(express());
+}
+
+function withArray() {
+    const app = express();
+    app.get('/before', (req, res) => {
+        sink(req.taint); // OK
+    });
+    app.use([
+        (req, res, next) => {
+            sink(req.taint); // OK
+            next();
+        },
+        (req, res, next) => {
+            req.taint = source();
+            next();
+        },
+        (req, res, next) => {
+            sink(req.taint); // NOT OK
+            next();
+        }
+    ]);
+    app.get('/after', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+}
+
+function withForLoop() {
+    const app = express();
+    let middlewares = [
+        (req, res, next) => {
+            sink(req.taint); // OK
+            next();
+        },
+        (req, res, next) => {
+            req.taint = source();
+            next();
+        },
+        (req, res, next) => {
+            sink(req.taint); // NOT OK
+            next();
+        }
+    ];
+    app.get('/before', (req, res) => {
+        sink(req.taint); // OK
+    });
+    for (let route of middlewares) {
+        app.use(route);
+    }
+    app.get('/after', (req, res) => {
+        sink(req.taint); // NOT OK
+    });
+}