make query parameters in ServerSideProps and next/router

tyage · tyage · commit 232893aafa4d · 2022-10-26T14:41:07.000+09:00
as a RemoteFlowSource
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll
@@ -53,6 +53,15 @@ module NextJS {
             .getAFunctionValue()
             .getParameter(0)
             .getAPropertyRead("params")
+      or
+      exists(DataFlow::ParameterNode params |
+        params = getServerSidePropsFunction(_).getParameter(0)
+      |
+        this = params.getAPropertyRead("params") or
+        this = params.getAPropertyRead("query")
+      )
+      or
+      this = nextRouter().getAPropertyRead("query")
     }
 
     override string getSourceType() { result = "Next request parameter" }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/Xss.expected
@@ -504,6 +504,38 @@ nodes
 | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
 | optionalSanitizer.js:45:41:45:46 | target |
 | optionalSanitizer.js:45:51:45:56 | target |
+| pages/[id].jsx:5:9:5:14 | { id } |
+| pages/[id].jsx:5:9:5:14 | { id } |
+| pages/[id].jsx:5:9:5:29 | id |
+| pages/[id].jsx:5:9:5:29 | id |
+| pages/[id].jsx:5:11:5:12 | id |
+| pages/[id].jsx:5:11:5:12 | id |
+| pages/[id].jsx:5:18:5:29 | router.query |
+| pages/[id].jsx:5:18:5:29 | router.query |
+| pages/[id].jsx:5:18:5:29 | router.query |
+| pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:16:44:16:51 | params.q |
+| pages/[id].jsx:16:44:16:51 | params.q |
+| pages/[id].jsx:16:44:16:51 | params.q |
+| pages/[id].jsx:25:11:25:24 | context.params |
+| pages/[id].jsx:25:11:25:24 | context.params |
+| pages/[id].jsx:25:11:25:24 | context.params |
+| pages/[id].jsx:25:11:25:27 | context.params.id |
+| pages/[id].jsx:25:11:25:27 | context.params.id |
+| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
+| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
+| pages/[id].jsx:26:10:26:22 | context.query |
+| pages/[id].jsx:26:10:26:22 | context.query |
+| pages/[id].jsx:26:10:26:22 | context.query |
+| pages/[id].jsx:26:10:26:30 | context ... .foobar |
+| pages/[id].jsx:26:10:26:30 | context ... .foobar |
+| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
+| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:7:7:33 | tainted |
 | react-native.js:7:17:7:33 | req.param("code") |
@@ -1604,6 +1636,38 @@ edges
 | optionalSanitizer.js:45:41:45:46 | target | optionalSanitizer.js:45:29:45:47 | sanitizeBad(target) |
 | optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
 | optionalSanitizer.js:45:51:45:56 | target | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target |
+| pages/[id].jsx:5:9:5:14 | { id } | pages/[id].jsx:5:11:5:12 | id |
+| pages/[id].jsx:5:9:5:14 | { id } | pages/[id].jsx:5:11:5:12 | id |
+| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:5:9:5:29 | id | pages/[id].jsx:10:44:10:45 | id |
+| pages/[id].jsx:5:11:5:12 | id | pages/[id].jsx:5:9:5:29 | id |
+| pages/[id].jsx:5:11:5:12 | id | pages/[id].jsx:5:9:5:29 | id |
+| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
+| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
+| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
+| pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:5:9:5:14 | { id } |
+| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
+| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
+| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
+| pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:25:11:25:27 | context.params.id |
+| pages/[id].jsx:25:11:25:27 | context.params.id | pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
+| pages/[id].jsx:25:11:25:27 | context.params.id | pages/[id].jsx:25:11:25:33 | context ... d \|\| "" |
+| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:25:11:25:33 | context ... d \|\| "" | pages/[id].jsx:13:44:13:52 | params.id |
+| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
+| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
+| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
+| pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:26:10:26:30 | context ... .foobar |
+| pages/[id].jsx:26:10:26:30 | context ... .foobar | pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
+| pages/[id].jsx:26:10:26:30 | context ... .foobar | pages/[id].jsx:26:10:26:36 | context ... r \|\| "" |
+| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
+| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
+| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
+| pages/[id].jsx:26:10:26:36 | context ... r \|\| "" | pages/[id].jsx:16:44:16:51 | params.q |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:18:8:24 | tainted |
@@ -2287,6 +2351,9 @@ edges
 | optionalSanitizer.js:39:18:39:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:39:18:39:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value |
 | optionalSanitizer.js:43:18:43:25 | tainted3 | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:43:18:43:25 | tainted3 | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value |
 | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target | optionalSanitizer.js:26:16:26:39 | documen ... .search | optionalSanitizer.js:45:18:45:56 | sanitiz ...  target | Cross-site scripting vulnerability due to $@. | optionalSanitizer.js:26:16:26:39 | documen ... .search | user-provided value |
+| pages/[id].jsx:10:44:10:45 | id | pages/[id].jsx:5:18:5:29 | router.query | pages/[id].jsx:10:44:10:45 | id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:5:18:5:29 | router.query | user-provided value |
+| pages/[id].jsx:13:44:13:52 | params.id | pages/[id].jsx:25:11:25:24 | context.params | pages/[id].jsx:13:44:13:52 | params.id | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:25:11:25:24 | context.params | user-provided value |
+| pages/[id].jsx:16:44:16:51 | params.q | pages/[id].jsx:26:10:26:22 | context.query | pages/[id].jsx:16:44:16:51 | params.q | Cross-site scripting vulnerability due to $@. | pages/[id].jsx:26:10:26:22 | context.query | user-provided value |
 | react-native.js:8:18:8:24 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:18:8:24 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-native.js:9:27:9:33 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:9:27:9:33 | tainted | Cross-site scripting vulnerability due to $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
 | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | react-use-context.js:10:22:10:32 | window.name | Cross-site scripting vulnerability due to $@. | react-use-context.js:10:22:10:32 | window.name | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx b/javascript/ql/test/query-tests/Security/CWE-079/DomBasedXss/pages/[id].jsx
@@ -1,16 +1,28 @@
-export default function Post({ id, q }) {
+import { useRouter } from 'next/router'
+
+export default function Post(params) {
+  const router = useRouter()
+  const { id } = router.query
+
   return (
     <>
-      <div dangerouslySetInnerHTML={{__html: id }} />
-      <div dangerouslySetInnerHTML={{__html: q }} />
+      <div
+        dangerouslySetInnerHTML={{ __html: id }} // NOT OK
+      />
+      <div
+        dangerouslySetInnerHTML={{ __html: params.id }} // NOT OK
+      />
+      <div
+        dangerouslySetInnerHTML={{ __html: params.q }} // NOT OK
+      />
     </>
   )
 }
 
 export async function getServerSideProps(context) {
   return {
     props: {
-      id: context.params?.id || "",
+      id: context.params.id || "",
       q: context.query?.foobar || "",
     }
   }
