add support for graphql in @actions/github

erik-krogh · erik-krogh · commit 416c986cbca6 · 2021-06-15T09:43:11.000+02:00
diff --git a/javascript/change-notes/2021-06-09-graphql.md b/javascript/change-notes/2021-06-09-graphql.md
@@ -4,5 +4,6 @@ lgtm,codescanning
     [@octokit/core](https://npmjs.com/package/@octokit/core),
     [@octokit/rest](https://npmjs.com/package/@octokit/rest),
     [@octokit/graphql](https://npmjs.com/package/@octokit/graphql),
-    [@octokit/request](https://npmjs.com/package/@octokit/request), and
+    [@octokit/request](https://npmjs.com/package/@octokit/request), 
+    [@actions/github](https://npmjs.com/package/@actions/github), and
     [graphql](https://npmjs.com/package/graphql)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/GraphQL.qll b/javascript/ql/src/semmle/javascript/frameworks/GraphQL.qll
@@ -20,6 +20,8 @@ private module Octokit {
   private API::Node octokit() {
     result =
       API::moduleImport(["@octokit/core", "@octokit/rest"]).getMember("Octokit").getInstance()
+    or
+    result = API::moduleImport("@actions/github").getMember("getOctokit").getReturn()
   }
 
   /**
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -44,6 +44,12 @@ nodes
 | graphql.js:84:14:90:8 | `{\\n     ...      }` |
 | graphql.js:84:14:90:8 | `{\\n     ...      }` |
 | graphql.js:88:13:88:14 | id |
+| graphql.js:119:11:119:28 | id |
+| graphql.js:119:16:119:28 | req.params.id |
+| graphql.js:119:16:119:28 | req.params.id |
+| graphql.js:120:38:120:48 | `foo ${id}` |
+| graphql.js:120:38:120:48 | `foo ${id}` |
+| graphql.js:120:45:120:46 | id |
 | json-schema-validator.js:25:15:25:48 | query |
 | json-schema-validator.js:25:23:25:48 | JSON.pa ... y.data) |
 | json-schema-validator.js:25:34:25:47 | req.query.data |
@@ -417,6 +423,11 @@ edges
 | graphql.js:75:56:75:57 | id | graphql.js:75:46:75:64 | "{ foo" + id + " }" |
 | graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n     ...      }` |
 | graphql.js:88:13:88:14 | id | graphql.js:84:14:90:8 | `{\\n     ...      }` |
+| graphql.js:119:11:119:28 | id | graphql.js:120:45:120:46 | id |
+| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id |
+| graphql.js:119:16:119:28 | req.params.id | graphql.js:119:11:119:28 | id |
+| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` |
+| graphql.js:120:45:120:46 | id | graphql.js:120:38:120:48 | `foo ${id}` |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:33:22:33:26 | query |
 | json-schema-validator.js:25:15:25:48 | query | json-schema-validator.js:35:18:35:22 | query |
@@ -835,6 +846,7 @@ edges
 | graphql.js:58:66:58:76 | `foo ${id}` | graphql.js:55:16:55:28 | req.params.id | graphql.js:58:66:58:76 | `foo ${id}` | This query depends on $@. | graphql.js:55:16:55:28 | req.params.id | a user-provided value |
 | graphql.js:75:46:75:64 | "{ foo" + id + " }" | graphql.js:74:14:74:25 | req.query.id | graphql.js:75:46:75:64 | "{ foo" + id + " }" | This query depends on $@. | graphql.js:74:14:74:25 | req.query.id | a user-provided value |
 | graphql.js:84:14:90:8 | `{\\n     ...      }` | graphql.js:74:14:74:25 | req.query.id | graphql.js:84:14:90:8 | `{\\n     ...      }` | This query depends on $@. | graphql.js:74:14:74:25 | req.query.id | a user-provided value |
+| graphql.js:120:38:120:48 | `foo ${id}` | graphql.js:119:16:119:28 | req.params.id | graphql.js:120:38:120:48 | `foo ${id}` | This query depends on $@. | graphql.js:119:16:119:28 | req.params.id | a user-provided value |
 | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query depends on $@. | json-schema-validator.js:25:34:25:47 | req.query.data | a user-provided value |
 | json-schema-validator.js:55:22:55:26 | query | json-schema-validator.js:50:34:50:47 | req.query.data | json-schema-validator.js:55:22:55:26 | query | This query depends on $@. | json-schema-validator.js:50:34:50:47 | req.query.data | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/graphql.js
@@ -111,3 +111,11 @@ app.get('/thing/:id', async function(req, res) {
     })
   })
 });
+
+const github = require('@actions/github');
+app.get('/event/:id/', async function(req, res) {
+    const kit = github.getOctokit("foo")
+
+    const id = req.params.id;
+    const result = await kit.graphql(`foo ${id}`); // NOT OK
+});

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,8 @@ private module Octokit {`
`20`	`20`	`private API::Node octokit() {`
`21`	`21`	`result =`
`22`	`22`	`API::moduleImport(["@octokit/core", "@octokit/rest"]).getMember("Octokit").getInstance()`
	`23`	`+ or`
	`24`	`+ result = API::moduleImport("@actions/github").getMember("getOctokit").getReturn()`
`23`	`25`	`}`
`24`	`26`
`25`	`27`	`/**`