Conversation

@asgerf asgerf (Contributor) commented Nov 26, 2025

The Next.js model was missing cases for files named route.ts or page.ts outside the pages or api folders.

@github-actions github-actions bot added the JS label Nov 26, 2025
@asgerf asgerf marked this pull request as ready for review November 27, 2025 09:02
@asgerf asgerf requested a review from a team as a code owner November 27, 2025 09:02
Copilot AI review requested due to automatic review settings November 27, 2025 09:02
Copilot finished reviewing on behalf of asgerf November 27, 2025 09:05
Copilot AI (Contributor) left a comment

Pull request overview

This PR fixes a bug in the Next.js model to properly detect server-side taint sources in files named route.ts or page.tsx/.jsx that appear outside the traditional api and pages folders, specifically within the app directory structure used by Next.js 13+ App Router.

Key Changes

  • Refactored folder resolution predicates to support recursive traversal of app and pages directories
  • Extended getAPagesModule() to recognize files named page anywhere within the app folder hierarchy
  • Enhanced NextAppRouteHandler to recognize files named route anywhere within the app folder hierarchy

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Summary per file:

javascript/ql/lib/semmle/javascript/frameworks/Next.qll: Refactored folder predicates and extended route/page file detection to support the Next.js App Router structure
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/route.ts: Added test case for a route handler in a non-api folder
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/blah/page.jsx: Added test case for a page component with server-side functions in a non-pages folder
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected: Updated expected test results to include the new test cases
javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected: Updated expected test results to include the new test cases
javascript/ql/src/change-notes/2025-11-26-nextjs-page-route-files.md: Added change note documenting the bug fix
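As an added illustration, not code from this PR or from the CodeQL or Next.js projects: the shape of a Next.js App Router route handler of the kind that lives at app/blah/route.ts, the file layout the updated model now treats as a server-side taint source. The helper names (escapeHtml, nameFromRequest, vulnerableBody, hardenedBody) and the sample request are constructed for this example. A real route.ts exports a function named after the HTTP method (export function GET); the export keyword is left out here so the file runs directly under Node 18+, which provides Request and Response globally.

```javascript
// Added example, not from the PR or the CodeQL/Next.js projects.
// Shape of a Next.js App Router handler such as app/blah/route.ts: the
// request arrives as a web-standard Request and the handler returns a
// Response. Function names below are constructed; a real route.ts would
// `export function GET(request)`, omitted so this runs under plain Node 18+.

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reads the `name` query parameter: remote-controlled input, i.e. the
// taint source the model attaches to files named route.ts under app/.
function nameFromRequest(request) {
  return new URL(request.url).searchParams.get('name') ?? '';
}

// Vulnerable body: the untrusted value is interpolated into HTML unchanged.
// This is the flow a reflected-XSS query should report in a route.ts file,
// whichever folder under app/ the file sits in.
function vulnerableBody(request) {
  return `<h1>Hello ${nameFromRequest(request)}</h1>`;
}

// Hardened body: same handler, value escaped before it reaches the markup.
function hardenedBody(request) {
  return `<h1>Hello ${escapeHtml(nameFromRequest(request))}</h1>`;
}

// The handler as Next.js would invoke it; serves the hardened variant.
function GET(request) {
  return new Response(hardenedBody(request), {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8' },
  });
}

// Constructed request: the query string carries a script tag, the textbook
// reflected-XSS probe that the vulnerable body would echo verbatim.
const sampleRequest = new Request(
  'http://localhost/blah?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
);

console.log('vulnerable:', vulnerableBody(sampleRequest));
console.log('hardened:  ', hardenedBody(sampleRequest));
```

Run it with `node route-example.js` (any file name). The point for this PR is the source, not the sink: before the fix, a handler like this in app/blah/route.ts was invisible to the model because the file was neither under api/ nor under pages/, so the vulnerable flow produced no alert. Returning JSON (application/json) instead of HTML removes the HTML sink altogether, which is the simpler design where a route does not need to render markup.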
