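--- a/javascript/ql/lib/change-notes/2025-04-30-fastify-all.md
+++ b/javascript/ql/lib/change-notes/2025-04-30-fastify-all.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Enhanced modeling of the [fastify](https://www.npmjs.com/package/fastify) framework to support the `all` route handler method.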
7 changes: 5 additions & 2 deletions javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
Expand Up @@ -138,7 +138,8 @@ module Fastify {

RouteSetup() {
this = server(server).getAMethodCall(methodName) and
methodName = ["route", "get", "head", "post", "put", "delete", "options", "patch", "addHook"]
methodName =
["route", "get", "head", "post", "put", "delete", "options", "patch", "addHook", "all"]
}

override DataFlow::SourceNode getARouteHandler() {
Expand Down Expand Up @@ -168,7 +169,9 @@ module Fastify {

override string getRelativePath() { result = this.getArgument(0).getStringValue() }

override Http::RequestMethodName getHttpMethod() { result = this.getMethodName().toUpperCase() }
override Http::RequestMethodName getHttpMethod() {
if this.getMethodName() = "all" then any() else result = this.getMethodName().toUpperCase()
}
}

private class AddHookRouteSetup extends Routing::RouteSetup::MethodCall instanceof RouteSetup {
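Review bot: The `any()` branch added to `getHttpMethod` in the second hunk leaves `result` bound only by its declared type, so a reader has to know that `Http::RequestMethodName` has a finite extent to see that a route registered with `all` is meant to match every HTTP method; writing it as `then result = any(Http::RequestMethodName m)` or adding QLDoc such as `/** Gets the HTTP method of this route; a route registered with all matches every method. */` would make that intent explicit. The `toUpperCase()` fallback presumably still yields no method for the `route` and `addHook` setups, since `ROUTE` is not a request method name; that behaviour predates this commit, but a comment stating that those cases are handled elsewhere would help. The class enclosing `getHttpMethod` starts outside the hunk.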
Expand Up @@ -57,6 +57,10 @@
| fastify.js:84:30:84:43 | reply.userCode | fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:79:20:79:42 | request ... plyCode | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| fastify.js:107:23:107:31 | userInput | fastify.js:106:21:106:33 | request.query | fastify.js:107:23:107:31 | userInput | This code execution depends on a $@. | fastify.js:106:21:106:33 | request.query | user-provided value |
| fastify.js:107:23:107:31 | userInput | fastify.js:106:21:106:38 | request.query.code | fastify.js:107:23:107:31 | userInput | This code execution depends on a $@. | fastify.js:106:21:106:38 | request.query.code | user-provided value |
| fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:41 | request.query | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:41 | request.query | user-provided value |
| fastify.js:108:28:108:50 | reply.l ... tedCode | fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:94:29:94:51 | request ... plyCode | user-provided value |
| module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
| module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
| react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
Expand Down Expand Up @@ -145,6 +149,10 @@ edges
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | provenance | |
| fastify.js:106:9:106:38 | userInput | fastify.js:107:23:107:31 | userInput | provenance | |
| fastify.js:106:21:106:33 | request.query | fastify.js:106:9:106:38 | userInput | provenance | |
| fastify.js:106:21:106:38 | request.query.code | fastify.js:106:9:106:38 | userInput | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
Expand Down Expand Up @@ -268,6 +276,11 @@ nodes
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| fastify.js:106:9:106:38 | userInput | semmle.label | userInput |
| fastify.js:106:21:106:33 | request.query | semmle.label | request.query |
| fastify.js:106:21:106:38 | request.query.code | semmle.label | request.query.code |
| fastify.js:107:23:107:31 | userInput | semmle.label | userInput |
| fastify.js:108:28:108:50 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:33 | tainted | semmle.label | tainted |
Expand Up @@ -51,6 +51,10 @@ edges
| fastify.js:79:20:79:42 | request ... plyCode | fastify.js:84:30:84:43 | reply.userCode | provenance | |
| fastify.js:94:29:94:41 | request.query | fastify.js:94:29:94:51 | request ... plyCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:99:30:99:52 | reply.l ... tedCode | provenance | |
| fastify.js:94:29:94:51 | request ... plyCode | fastify.js:108:28:108:50 | reply.l ... tedCode | provenance | |
| fastify.js:106:9:106:38 | userInput | fastify.js:107:23:107:31 | userInput | provenance | |
| fastify.js:106:21:106:33 | request.query | fastify.js:106:9:106:38 | userInput | provenance | |
| fastify.js:106:21:106:38 | request.query.code | fastify.js:106:9:106:38 | userInput | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
| react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
| react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
Expand Down Expand Up @@ -176,6 +180,11 @@ nodes
| fastify.js:94:29:94:41 | request.query | semmle.label | request.query |
| fastify.js:94:29:94:51 | request ... plyCode | semmle.label | request ... plyCode |
| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| fastify.js:106:9:106:38 | userInput | semmle.label | userInput |
| fastify.js:106:21:106:33 | request.query | semmle.label | request.query |
| fastify.js:106:21:106:38 | request.query.code | semmle.label | request.query.code |
| fastify.js:107:23:107:31 | userInput | semmle.label | userInput |
| fastify.js:108:28:108:50 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
| module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
| module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
| react-native.js:7:7:7:33 | tainted | semmle.label | tainted |
Expand Up @@ -101,3 +101,10 @@ fastify.get('/flow-through-reply', async (request, reply) => {
}
return { result: null };
});

fastify.all('/eval', async (request, reply) => {
const userInput = request.query.code; // $ Source[js/code-injection]
const result = eval(userInput); // $ Alert[js/code-injection]
const replyResult = eval(reply.locals.nestedCode); // $ Alert[js/code-injection]
return { method: request.method, result };
});
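Review bot: The second expected alert in the new `/eval` handler, `eval(reply.locals.nestedCode)`, depends on `reply.locals.nestedCode` being tainted by an earlier handler that is not visible in this hunk (the `.expected` output traces it back to `request.query` at line 94), so the annotation alone does not explain why this line should fire. A comment such as `// $ Alert[js/code-injection] -- tainted via reply.locals in the /flow-through-reply handler above` would tell a reader which flow this case pins down. The first alert is the one that actually exercises the new `all` modeling, since `request.query` is only a source once `fastify.all` is recognised as a route setup.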