support NextJS API endpoints

erik-krogh · erik-krogh · commit a79c30a818ea · 2021-03-02T12:25:49.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Next.qll b/javascript/ql/src/semmle/javascript/frameworks/Next.qll
@@ -193,4 +193,34 @@ module NextJS {
 
     override HTTP::RouteHandler getRouteHandler() { result = rh }
   }
+
+  /**
+   * Gets a folder that contains API endpoints for a Next.js application.
+   * These API endpoints act as Express-like route-handlers.
+   */
+  Folder apiFolder() {
+    result = getANextPackage().getFile().getParentContainer().getFolder("pages").getFolder("api")
+    or
+    result = apiFolder().getAFolder()
+  }
+
+  /**
+   * A Next.js route handler for an API endpoint.
+   * The response (res) includes a set of Express.js-like methods,
+   * and we therefore model the routehandler as an Express.js routehandler.
+   */
+  class NextAPIRouteHandler extends DataFlow::FunctionNode, Express::RouteHandler,
+    HTTP::Servers::StandardRouteHandler {
+    NextAPIRouteHandler() {
+      exists(Module mod | mod.getFile().getParentContainer() = apiFolder() |
+        this = mod.getAnExportedValue("default").getAFunctionValue()
+      )
+    }
+
+    override Parameter getRouteHandlerParameter(string kind) {
+      kind = "request" and result = getFunction().getParameter(0)
+      or
+      kind = "response" and result = getFunction().getParameter(1)
+    }
+  }
 }
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -109,6 +109,9 @@ nodes
 | pages/Next.jsx:15:13:15:19 | req.url |
 | pages/Next.jsx:15:13:15:19 | req.url |
 | pages/Next.jsx:15:13:15:19 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url |
 | partial.js:9:25:9:25 | x |
 | partial.js:10:14:10:14 | x |
 | partial.js:10:14:10:18 | x + y |
@@ -245,6 +248,7 @@ edges
 | formatting.js:7:49:7:52 | evil | formatting.js:7:14:7:53 | require ... , evil) |
 | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url |
 | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url |
+| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url |
 | partial.js:9:25:9:25 | x | partial.js:10:14:10:14 | x |
 | partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
 | partial.js:10:14:10:14 | x | partial.js:10:14:10:18 | x + y |
@@ -313,6 +317,7 @@ edges
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value |
 | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value |
+| pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value |
 | partial.js:10:14:10:18 | x + y | partial.js:13:42:13:48 | req.url | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
 | partial.js:19:14:19:18 | x + y | partial.js:22:51:22:57 | req.url | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:51:22:57 | req.url | user-provided value |
 | partial.js:28:14:28:18 | x + y | partial.js:31:47:31:53 | req.url | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -23,6 +23,7 @@
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | pages/Next.jsx:8:13:8:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:8:13:8:19 | req.url | user-provided value |
 | pages/Next.jsx:15:13:15:19 | req.url | Cross-site scripting vulnerability due to $@. | pages/Next.jsx:15:13:15:19 | req.url | user-provided value |
+| pages/api/myapi.js:2:14:2:20 | req.url | Cross-site scripting vulnerability due to $@. | pages/api/myapi.js:2:14:2:20 | req.url | user-provided value |
 | partial.js:10:14:10:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:13:42:13:48 | req.url | user-provided value |
 | partial.js:19:14:19:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:22:51:22:57 | req.url | user-provided value |
 | partial.js:28:14:28:18 | x + y | Cross-site scripting vulnerability due to $@. | partial.js:31:47:31:53 | req.url | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/pages/api/myapi.js
@@ -0,0 +1,3 @@
+export default function handler(req, res) {
+    res.send(req.url);
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+export default function handler(req, res) {`
	`2`	`+ res.send(req.url);`
	`3`	`+}`