Merge pull request #14643 from aibaars/express-req-path

erik-krogh · web-flow · commit 8f58685b38d5 · 2023-10-31T16:36:48.000+01:00
Javascript: add `req.path` as remote flow source
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -618,6 +618,10 @@ module Express {
         or
         kind = "body" and
         this = ref.getAPropertyRead("body")
+        or
+        // `req.path`
+        kind = "url" and
+        this = ref.getAPropertyRead("path")
       )
     }
 
diff --git a/javascript/ql/test/library-tests/frameworks/Express/src/express.js b/javascript/ql/test/library-tests/frameworks/Express/src/express.js
@@ -67,3 +67,9 @@ app.get('/some/non-xss1', function(req, res) {
   res.send(req.params.foo)
   foo(res);
 });
+
+app.get('/some/xss3', function(req, res) {
+  res.header("Content-Type", "text/html");
+  res.send(req.path)
+  foo(res);
+});
diff --git a/javascript/ql/test/library-tests/frameworks/Express/tests.expected b/javascript/ql/test/library-tests/frameworks/Express/tests.expected

Original file line number	Diff line number	Diff line change
`@@ -618,6 +618,10 @@ module Express {`
`618`	`618`	`or`
`619`	`619`	`kind = "body" and`
`620`	`620`	`this = ref.getAPropertyRead("body")`
	`621`	`+ or`
	`622`	+ // `req.path`
	`623`	`+ kind = "url" and`
	`624`	`+ this = ref.getAPropertyRead("path")`
`621`	`625`	`)`
`622`	`626`	`}`
`623`	`627`