Skip to content

Commit 2b0a091

Browse files
erik-krogherik-krogh
committed
split out type-tracking into two predicates, to avoid catastrophic join-order
1 parent 3157cd7 commit 2b0a091

File tree

1 file changed

+18
-9
lines changed
  • javascript/ql/src/semmle/javascript/frameworks

1 file changed

+18
-9
lines changed

javascript/ql/src/semmle/javascript/frameworks/Express.qll

Lines changed: 18 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -464,16 +464,23 @@ module Express {
464464
}
465465

466466
/**
467-
* Gets a reference to the "query" or "params" object from a request-object originating from route-handler `rh`.
467+
* Gets a reference to the "query" object from a request-object originating from route-handler `rh`.
468468
*/
469-
DataFlow::SourceNode getAQueryObjectReference(
470-
DataFlow::TypeTracker t, RouteHandler rh, string prop
471-
) {
472-
prop = ["params", "query"] and
473-
t.startInProp(prop) and
469+
DataFlow::SourceNode getAQueryObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
470+
t.startInProp("query") and
474471
result = rh.getARequestSource()
475472
or
476-
exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh, prop).track(t2, t))
473+
exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh).track(t2, t))
474+
}
475+
476+
/**
477+
* Gets a reference to the "params" object from a request-object originating from route-handler `rh`.
478+
*/
479+
DataFlow::SourceNode getAParamsObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
480+
t.startInProp("params") and
481+
result = rh.getARequestSource()
482+
or
483+
exists(DataFlow::TypeTracker t2 | result = getAParamsObjectReference(t2, rh).track(t2, t))
477484
}
478485

479486
/**
@@ -485,7 +492,9 @@ module Express {
485492

486493
RequestInputAccess() {
487494
kind = "parameter" and
488-
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh, _).getAPropertyRead()
495+
this =
496+
[getAQueryObjectReference(DataFlow::TypeTracker::end(), rh),
497+
getAParamsObjectReference(DataFlow::TypeTracker::end(), rh)].getAPropertyRead()
489498
or
490499
exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() |
491500
kind = "parameter" and
@@ -534,7 +543,7 @@ module Express {
534543
or
535544
// `req.query.name`
536545
kind = "parameter" and
537-
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh, "query").getAPropertyRead()
546+
this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh).getAPropertyRead()
538547
}
539548
}
540549

0 commit comments

Comments
 (0)