JS: Add template steps for res.locals.x

asgerf · asgerf · commit cfb9265f0a47 · 2021-12-07T10:44:53.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -1038,6 +1038,10 @@ module Express {
 
     override DataFlow::Node getTemplateParamsNode() { result = this.getArgument(1) }
 
+    override DataFlow::Node getTemplateParamForValue(string accessPath) {
+      result = res.(Routing::RouteHandlerInput).getValueFromAccessPath("locals." + accessPath)
+    }
+
     override DataFlow::SourceNode getOutput() { result = this.getCallback(2).getParameter(1) }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Templating.qll b/javascript/ql/lib/semmle/javascript/frameworks/Templating.qll
@@ -158,6 +158,17 @@ module Templating {
     DataFlow::SourceNode getAVariableUse(string name) {
       result = this.getScope().getVariable(name).getAnAccess().flow()
     }
+
+    /** Gets a data flow node corresponding to a use of the given template variable within this top-level. */
+    DataFlow::SourceNode getAnAccessPathUse(string accessPath) {
+      result = getAVariableUse(accessPath)
+      or
+      exists(string varName, string suffix |
+        accessPath = varName + "." + suffix and
+        suffix != "" and
+        result = AccessPath::getAReferenceTo(getAVariableUse(varName), suffix)
+      )
+    }
   }
 
   /**
@@ -177,6 +188,11 @@ module Templating {
     /** Gets a data flow node that refers to an object whose properties become variables in the template. */
     DataFlow::Node getTemplateParamsNode() { result = range.getTemplateParamsNode() }
 
+    /** Gets a data flow node that provides the value for the template variable at the given access path. */
+    DataFlow::Node getTemplateParamForValue(string accessPath) {
+      result = range.getTemplateParamForValue(accessPath)
+    }
+
     /** Gets the template file instantiated here, if any. */
     TemplateFile getTemplateFile() {
       result = this.getTemplateFileNode().(TemplateFileReference).getTemplateFile()
@@ -202,6 +218,9 @@ module Templating {
       /** Gets a data flow node that refers to an object whose properties become variables in the template. */
       abstract DataFlow::Node getTemplateParamsNode();
 
+      /** Gets a data flow node that provides the value for the template variable at the given access path. */
+      DataFlow::Node getTemplateParamForValue(string accessPath) { none() }
+
       /**
        * Gets the template syntax used by this template instantiation, if known.
        *
@@ -224,6 +243,16 @@ module Templating {
             .getAVariableUse(name)
     )
     or
+    exists(TemplateInstantiation inst, string accessPath |
+      result.getARhs() = inst.getTemplateParamForValue(accessPath) and
+      succ =
+        inst.getTemplateFile()
+            .getAnImportedFile*()
+            .getAPlaceholder()
+            .getInnerTopLevel()
+            .getAnAccessPathUse(accessPath)
+    )
+    or
     exists(string prop, DataFlow::SourceNode prev |
       result = getTemplateInput(prev).getMember(prop) and
       succ = prev.getAPropertyRead(prop)

Original file line number	Diff line number	Diff line change
`@@ -1038,6 +1038,10 @@ module Express {`
`1038`	`1038`
`1039`	`1039`	`override DataFlow::Node getTemplateParamsNode() { result = this.getArgument(1) }`
`1040`	`1040`
	`1041`	`+ override DataFlow::Node getTemplateParamForValue(string accessPath) {`
	`1042`	`+ result = res.(Routing::RouteHandlerInput).getValueFromAccessPath("locals." + accessPath)`
	`1043`	`+ }`
	`1044`	`+`
`1041`	`1045`	`override DataFlow::SourceNode getOutput() { result = this.getCallback(2).getParameter(1) }`
`1042`	`1046`	`}`
`1043`	`1047`	`}`