JS: Exclude error handling from auth calls

asgerf · asgerf · commit d0e94e655dcc · 2021-12-07T10:46:17.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll b/javascript/ql/lib/semmle/javascript/security/SensitiveActions.qll
@@ -147,8 +147,8 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
   AuthorizationCall() {
     exists(string s | s = this.getCalleeName() |
       // name contains `login` or `auth`, but not as part of `loginfo` or `unauth`;
-      // also exclude `author`
-      s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify).*") and
+      // also exclude `author` and words followed by `err` (as in `error`)
+      s.regexpMatch("(?i).*(login(?!fo)|(?<!un)auth(?!or\\b)|verify)(?!err).*") and
       // but it does not start with `get` or `set`
       not s.regexpMatch("(?i)(get|set).*")
     )
diff --git a/javascript/ql/test/query-tests/Security/CWE-770/tst.js b/javascript/ql/test/query-tests/Security/CWE-770/tst.js
@@ -77,3 +77,8 @@ express().get('/:path', catchAsync(expensiveHandler1)); // NOT OK
 express().get('/:path', rateLimiterMiddleware, catchAsync(expensiveHandler1)); // OK
 express().get('/:path', catchAsync(rateLimiterMiddleware), expensiveHandler1); // OK
 express().get('/:path', catchAsync(rateLimiterMiddleware), catchAsync(expensiveHandler1)); // OK
+
+function errorHandler(req, res, next) {
+  next(makeOAuthError(req, res));
+}
+express().use(errorHandler); // OK - does not perform authentication
