JS: Use types

asgerf · asgerf · commit 49ca88957cca · 2021-03-29T12:25:15.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -166,14 +166,24 @@ private module Postgres {
   API::Node pgPromise() { result = API::moduleImport("pg-promise") }
 
   /** Gets an initialized `pg-promise` library. */
-  API::Node pgpMain() { result = pgPromise().getReturn() }
+  API::Node pgpMain() {
+    result = pgPromise().getReturn()
+    or
+    result = API::Node::ofType("pg-promise", "IMain")
+  }
 
   /** Gets a database from `pg-promise`. */
-  API::Node pgpDatabase() { result = pgpMain().getReturn() }
+  API::Node pgpDatabase() {
+    result = pgpMain().getReturn()
+    or
+    result = API::Node::ofType("pg-promise", "IDatabase")
+  }
 
   /** Gets a connection created from a `pg-promise` database. */
   API::Node pgpConnection() {
     result = pgpDatabase().getMember("connect").getReturn().getPromised()
+    or
+    result = API::Node::ofType("pg-promise", "IConnected")
   }
 
   /** Gets a `pg-promise` task object. */
@@ -185,10 +195,16 @@ private module Postgres {
       or
       result = taskMethod.getParameter(0).getMember("cnd").getParameter(0)
     )
+    or
+    result = API::Node::ofType("pg-promise", "ITask")
   }
 
   /** Gets a `pg-promise` object which supports querying (database, connection, or task). */
-  API::Node pgpObject() { result = [pgpDatabase(), pgpConnection(), pgpTask()] }
+  API::Node pgpObject() {
+    result = [pgpDatabase(), pgpConnection(), pgpTask()]
+    or
+    result = API::Node::ofType("pg-promise", "IBaseProtocol")
+  }
 
   private string pgpQueryMethodName() {
     result =
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -206,6 +206,11 @@ nodes
 | mongooseModelClient.js:12:22:12:29 | req.body |
 | mongooseModelClient.js:12:22:12:29 | req.body |
 | mongooseModelClient.js:12:22:12:32 | req.body.id |
+| pg-promise-types.ts:7:9:7:28 | taint |
+| pg-promise-types.ts:7:17:7:28 | req.params.x |
+| pg-promise-types.ts:7:17:7:28 | req.params.x |
+| pg-promise-types.ts:8:17:8:21 | taint |
+| pg-promise-types.ts:8:17:8:21 | taint |
 | pg-promise.js:6:7:7:55 | query |
 | pg-promise.js:6:15:7:55 | "SELECT ...  PRICE" |
 | pg-promise.js:7:16:7:34 | req.params.category |
@@ -612,6 +617,10 @@ edges
 | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:22:12:32 | req.body.id |
 | mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
 | mongooseModelClient.js:12:22:12:32 | req.body.id | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } |
+| pg-promise-types.ts:7:9:7:28 | taint | pg-promise-types.ts:8:17:8:21 | taint |
+| pg-promise-types.ts:7:9:7:28 | taint | pg-promise-types.ts:8:17:8:21 | taint |
+| pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:7:9:7:28 | taint |
+| pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:7:9:7:28 | taint |
 | pg-promise.js:6:7:7:55 | query | pg-promise.js:9:10:9:14 | query |
 | pg-promise.js:6:7:7:55 | query | pg-promise.js:9:10:9:14 | query |
 | pg-promise.js:6:7:7:55 | query | pg-promise.js:10:11:10:15 | query |
@@ -776,6 +785,7 @@ edges
 | mongooseJsonParse.js:23:19:23:23 | query | mongooseJsonParse.js:20:30:20:43 | req.query.data | mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | mongooseModelClient.js:11:16:11:24 | { id: v } | mongooseModelClient.js:10:22:10:29 | req.body | mongooseModelClient.js:11:16:11:24 | { id: v } | This query depends on $@. | mongooseModelClient.js:10:22:10:29 | req.body | a user-provided value |
 | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | mongooseModelClient.js:12:22:12:29 | req.body | mongooseModelClient.js:12:16:12:34 | { id: req.body.id } | This query depends on $@. | mongooseModelClient.js:12:22:12:29 | req.body | a user-provided value |
+| pg-promise-types.ts:8:17:8:21 | taint | pg-promise-types.ts:7:17:7:28 | req.params.x | pg-promise-types.ts:8:17:8:21 | taint | This query depends on $@. | pg-promise-types.ts:7:17:7:28 | req.params.x | a user-provided value |
 | pg-promise.js:9:10:9:14 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:9:10:9:14 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
 | pg-promise.js:10:11:10:15 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:10:11:10:15 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
 | pg-promise.js:11:17:11:21 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:11:17:11:21 | query | This query depends on $@. | pg-promise.js:7:16:7:34 | req.params.category | a user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts b/javascript/ql/test/query-tests/Security/CWE-089/untyped/pg-promise-types.ts
@@ -0,0 +1,13 @@
+import { IDatabase } from "pg-promise";
+
+export class Foo {
+  db: IDatabase;
+
+  onRequest(req, res) {
+    let taint = req.params.x;
+    this.db.one(taint); // NOT OK
+    res.end();
+  }
+}
+
+require('express')().get('/foo', (req, res) => new Foo().onRequest(req, res));
