Merge pull request github#6033 from erik-krogh/serverlessLib

Approved by asgerf

Author: codeql-ci

javascript/change-notes/2021-06-07-serverless.md

@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Events from the [`serverless`](https://npmjs.com/package/serverless) package are recognized a source of remote user input.
+  Affected packages are
+    [serverless](https://npmjs.com/package/serverless)

javascript/ql/src/semmle/javascript/frameworks/ServerLess.qll

@@ -1,13 +1,13 @@
 /**
  * Provides classes and predicates for working with serverless handlers.
- * E.g. AWS: https://docs.aws.amazon.com/lambda/latest/dg/nodejs-handler.html
+ * E.g. [AWS](https://docs.aws.amazon.com/lambda/latest/dg/nodejs-handler.html) or [serverless](https://npmjs.com/package/serverless)
  */
 
 import javascript
 
 /**
  * Provides classes and predicates for working with serverless handlers.
- * In particular a `RemoteFlowSource` is added for AWS and Alibaba serverless.
+ * In particular a `RemoteFlowSource` is added for AWS, Alibaba, and serverless.
  */
 private module ServerLess {
   /**
@@ -24,6 +24,14 @@ private module ServerLess {
         then codeURI = properties.lookup("CodeUri").(YAMLScalar).getValue()
         else codeURI = ""
       )
+      or
+      // The `serverless` library, which specifies a top-level `functions` property
+      exists(YAMLMapping functions |
+        functions = resource.lookup("functions") and
+        not exists(resource.getParentNode()) and
+        handler = functions.getValue(_).(YAMLMapping).lookup("handler").(YAMLScalar).getValue() and
+        codeURI = ""
+      )
     )
   }
 

javascript/ql/test/library-tests/frameworks/ServerLess/test.expected

@@ -3,3 +3,5 @@
 | tst3/function/index.js:1:36:1:40 | event |
 | tst4/app.js:1:36:1:40 | event |
 | tst5/app.js:1:36:1:40 | event |
+| tst6/handler.js:6:23:6:36 | req.query.name |
+| tst7/handler.js:1:34:1:38 | event |

javascript/ql/test/library-tests/frameworks/ServerLess/tst6/handler.js

@@ -0,0 +1,9 @@
+const serverless = require("serverless-http");
+const express = require("express");
+const app = express();
+
+app.get("/", (req, res, next) => {
+  res.send("Hello " + req.query.name);
+});
+
+module.exports.handler = serverless(app);

javascript/ql/test/library-tests/frameworks/ServerLess/tst6/serverless.yml

@@ -0,0 +1,16 @@
+service: aws-node-express-api
+
+frameworkVersion: '2'
+
+provider:
+  name: aws
+  runtime: nodejs12.x
+  lambdaHashingVersion: '20201221'
+
+functions:
+  api:
+    handler: handler.handler
+    events:
+      - http:
+          path: /
+          method: ANY

javascript/ql/test/library-tests/frameworks/ServerLess/tst7/handler.js

@@ -0,0 +1,4 @@
+export async function myFunction(event, context, callback) {
+  const body = JSON.parse(event.body);
+  // do something
+}

javascript/ql/test/library-tests/frameworks/ServerLess/tst7/serverless.yml

@@ -0,0 +1,25 @@
+
+service: serverless-myChecker
+
+plugins:
+  - serverless-webpack
+  - serverless-offline
+
+custom:
+  webpack:
+    webpackConfig: ./webpack.config.js
+    includeModules: true
+
+provider:
+  name: aws
+  runtime: nodejs12.x
+  profile: personal
+  region: eu-west-1
+
+functions:
+  myChecker:
+    handler: handler.myFunction
+    events:
+      - http:
+          path: webhook
+          method: post