recognize access to a query object through function calls

erik-krogh · erik-krogh · commit ed48efe5b49a · 2020-06-30T15:52:08.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -463,6 +463,16 @@ module Express {
     override RequestSource src;
   }
 
+  /**
+   * Gets a reference to the "query" or "params" object from a request-object originating from route-handler `rh`.
+   */
+  DataFlow::SourceNode getAQueryObjectReference(DataFlow::TypeTracker t, RouteHandler rh) {
+    t.startInProp(["params", "query"]) and
+    result = rh.getARequestSource()
+    or
+    exists(DataFlow::TypeTracker t2 | result = getAQueryObjectReference(t2, rh).track(t2, t))
+  }
+
   /**
    * An access to a user-controlled Express request input.
    */
@@ -471,13 +481,12 @@ module Express {
     string kind;
 
     RequestInputAccess() {
+      kind = "parameter" and
+      this = getAQueryObjectReference(DataFlow::TypeTracker::end(), rh).getAPropertyRead()
+      or
       exists(DataFlow::SourceNode request | request = rh.getARequestSource().ref() |
         kind = "parameter" and
-        (
-          this = request.getAMethodCall("param")
-          or
-          this = request.getAPropertyRead(["params", "query"]).getAPropertyRead()
-        )
+        this = request.getAMethodCall("param")
         or
         // `req.originalUrl`
         kind = "url" and
