JS: Add GuardedRouteHandler access path component#19132
This reverts commit 2460874.
Pull Request Overview
This PR introduces a new MaD token named GuardedRouteHandler to enable middleware to inject data into guarded route handlers. It adds new test definitions in the YAML file to map the token and provides a new test file to validate access to the injected data both before and after middleware installation.
Reviewed Changes
Copilot reviewed 2 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| javascript/ql/test/library-tests/frameworks/data/test.ext.yml | Added two new token mappings for GuardedRouteHandler parameters. |
| javascript/ql/test/library-tests/frameworks/data/guardedRouteHandler.js | Created a new test file to verify data injection behavior before and after middleware installation. |
Files not reviewed (3)
- docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst: Language not supported
- javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsSpecific.qll: Language not supported
- javascript/ql/test/library-tests/frameworks/data/test.expected: Language not supported
Comments suppressed due to low confidence (2)
javascript/ql/test/library-tests/frameworks/data/guardedRouteHandler.js:16
- [nitpick] The property name 'injectedReqData' in this test differs from the documented example that uses 'data'. If this is intentional, consider adding a comment to explain the distinction; if not, update the property name for consistency.
```js
sink(req.injectedReqData); // NOT OK
```
javascript/ql/test/library-tests/frameworks/data/guardedRouteHandler.js:20
- [nitpick] The property name 'injectedResData' differs from what is shown in the documented example. For consistency and clarity, consider aligning the naming or adding a comment to clarify why different names are used.
```js
sink(res.injectedResData); // NOT OK
```
Napalys left a comment
LGTM, probably would be good if @erik-krog would review as well.
| - Since we're adding a new taint source, we add a tuple to the **sourceModel** extensible predicate. | ||
| - The first column, **"@example/middleware"**, begins the search at imports of the hypothetical NPM package **@example/middleware**. | ||
| - **Member[injectData]** selects accesses to the **injectData** member. | ||
| - **ReturnValue** selects the return value of the call to **injectData**. | ||
| - **GuardedRouteHandler** interprets the current value as a middleware function and selects all route handlers guarded by that middleware. Since the current value is passd to **app.use()**, the callback subsequently passed to **app.get()** is seen as a guarded route handler. | ||
| - **Parameter[0]** selects the first parameter of the callback (the parameter named **req**). | ||
| - **Member[data]** selects accesses to the **data** property of the **req** object. | ||
| - Finally, the kind **remote** indicates that this is considered a source of remote flow. |
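Review bot: typo in the **GuardedRouteHandler** bullet: "passd to **app.use()**" should read "passed to **app.use()**". The same bullet explains the relation only in terms of the callback passed to **app.get()**; consider wording it as any route handler registered after the middleware is installed (an **app.post()** handler as well), which is the .get/.post point raised in the discussion below.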
Maybe it would be helpful to provide an example of what happens to this after adding such MaD?
```js
app.post('/email', (req, res) => {
  req.data; // with the model above, this property read is a remote flow source
});
```
The example above covers that?
We had a quick chat about this; @Napalys wanted to highlight that it works for both .get and .post handlers. But since the model doesn't mention anything about get I don't think it's necessary.
Adds a new MaD token called `GuardedRouteHandler` which goes from a middleware function installed in an HTTP router framework to all route handlers guarded by it. For example
The immediate motivation for this is to support this use-case.
For testing purposes, I temporarily included this test commit, and ran this evaluation. It shows good performance and some new taint sources were found (based on the model from the test commit).
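As an added illustration (not code from this PR or from CodeQL), a minimal Express-like router stub showing the ordering relation the `GuardedRouteHandler` token models: only handlers registered after `app.use(middleware)` see the injected `req.data`, whether registered with `.get` or `.post`. The router stub, `injectData` (standing in for the hypothetical `@example/middleware`) and `sink` are constructed here.

```javascript
// Added example (not the PR's or CodeQL's code): an Express-like router stub
// that mimics the ordering relation the GuardedRouteHandler token models.
// Docs model row (type, path, kind): "@example/middleware",
//   "Member[injectData].ReturnValue.GuardedRouteHandler.Parameter[0].Member[data]", "remote"
const sink = (v) => v; // constructed placeholder for a taint sink
// Stand-in for the hypothetical @example/middleware: copies request input onto req.data.
function injectData() {
  return (req, res, next) => {
    req.data = req.query.input;
    next();
  };
}
// Minimal router: app.use() installs middleware; app.get/app.post register
// handlers. A handler is guarded only by middleware installed before it.
function createApp() {
  const middleware = [], routes = [];
  const register = (method) => (path, handler) => {
    routes.push({ method, path, handler, guards: middleware.slice() });
  };
  return {
    use: (fn) => middleware.push(fn),
    get: register('GET'),
    post: register('POST'),
    routes,
    handle(method, path, req) { // run the route's recorded guards, then the handler
      const route = routes.find((r) => r.method === method && r.path === path);
      const res = {};
      let i = 0;
      const next = () =>
        (i < route.guards.length ? route.guards[i++](req, res, next) : route.handler(req, res));
      next();
      return res;
    },
  };
}
// Which route handlers does a given middleware guard? This is the set the token selects.
function guardedRoutes(app, mw) {
  return app.routes.filter((r) => r.guards.includes(mw)).map((r) => `${r.method} ${r.path}`);
}

function buildDemoApp() {
  const app = createApp();
  const mw = injectData();
  app.get('/before', (req, res) => { res.body = sink(req.data); }); // not guarded: OK
  app.use(mw);
  app.get('/after', (req, res) => { res.body = sink(req.data); });  // guarded: NOT OK
  app.post('/email', (req, res) => { res.body = sink(req.data); }); // guarded: NOT OK
  return { app, mw };
}
```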