Merge pull request github#5921 from erik-krogh/expressChain

Approved by esbena

Author: codeql-ci

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -19,6 +19,9 @@ module Express {
     or
     // `app = express.createServer()`
     result = DataFlow::moduleMember("express", "createServer").getAnInvocation()
+    or
+    // `app = express().disable(x)`, and other chaining methods
+    result = appCreation().getAMemberCall(["engine", "set", "param", "enable", "disable", "on"])
   }
 
   /**

javascript/ql/test/library-tests/frameworks/Express/tests.expected

@@ -1422,6 +1422,7 @@ test_appCreation
 | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/responseExprs.js:2:11:2:19 | express() |
 | src/routesetups.js:7:11:7:32 | express ... erver() |
 | src/subrouter.js:2:11:2:19 | express() |
@@ -1519,6 +1520,7 @@ test_RouteExpr
 | src/express.js:46:1:51:2 | app.pos ... me];\\n}) | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:4:1:8:2 | app.pos ... url;\\n}) | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:4:1:12:2 | app.par ...    }\\n}) | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) | src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/params.js:14:1:16:2 | app.get ... o");\\n}) | src/params.js:2:11:2:19 | express() |
 | src/responseExprs.js:4:1:6:2 | app.get ... res1\\n}) | src/responseExprs.js:2:11:2:19 | express() |
 | src/responseExprs.js:7:1:9:2 | app.get ... es2;\\n}) | src/responseExprs.js:2:11:2:19 | express() |
@@ -2174,6 +2176,7 @@ test_isRouterCreation
 | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/responseExprs.js:2:11:2:19 | express() |
 | src/route.js:2:14:2:29 | express.Router() |
 | src/routesetups.js:3:1:3:16 | express.Router() |
@@ -2264,6 +2267,7 @@ test_RouterDefinition_RouterDefinition
 | src/express.js:2:11:2:19 | express() |
 | src/inheritedFromNode.js:2:11:2:19 | express() |
 | src/params.js:2:11:2:19 | express() |
+| src/params.js:4:1:12:2 | app.par ...    }\\n}) |
 | src/responseExprs.js:2:11:2:19 | express() |
 | src/route.js:2:14:2:29 | express.Router() |
 | src/routesetups.js:3:1:3:16 | express.Router() |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -182,6 +182,11 @@ nodes
 | tst2.js:36:12:36:12 | p |
 | tst2.js:37:12:37:18 | other.p |
 | tst2.js:37:12:37:18 | other.p |
+| tst3.js:5:7:5:24 | p |
+| tst3.js:5:9:5:9 | p |
+| tst3.js:5:9:5:9 | p |
+| tst3.js:6:12:6:12 | p |
+| tst3.js:6:12:6:12 | p |
 edges
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
@@ -333,6 +338,10 @@ edges
 | tst2.js:30:9:30:9 | p | tst2.js:30:7:30:24 | p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
+| tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
+| tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
+| tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
+| tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
@@ -376,3 +385,4 @@ edges
 | tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -39,3 +39,4 @@
 | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js

@@ -0,0 +1,7 @@
+var express = require('express');
+
+var app = express();
+app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) {
+  let { p } = req.params;
+  res.send(p); // NOT OK
+});