JS: Recognize Express param value callback as RemoteFlowSource by asgerf · Pull Request #3424 · github/codeql

asgerf · 2020-05-06T21:04:31Z

A param route handler in Express takes the value of the parameter in the 4th argument as seen here. This PR adds it as a RequestInputSource.

esbena

Nice spot. I am curious about how common this is.

Have you considered adjusting

codeql/javascript/ql/src/semmle/javascript/frameworks/ConnectExpressShared.qll

Lines 15 to 28 in b2f1008

    
           SimpleParameter getRouteHandlerParameter(Function routeHandler, string kind) { 
        
             exists(int index, int offset | 
        
               result = routeHandler.getParameter(index + offset) and 
        
               (if routeHandler.getNumParameter() = 4 then offset = 0 else offset = -1) 
        
             | 
        
               kind = "error" and index = 0 
        
               or 
        
               kind = "request" and index = 1 
        
               or 
        
               kind = "response" and index = 2 
        
               or 
        
               kind = "next" and index = 3 
        
             ) 
        
           }

to account for this?

(also: change-note)

asgerf · 2020-05-11T08:04:20Z

Thanks for pointing that out. Turns out we even misclassified the request and response parameters of these route handlers, due to them taking 4 parameters.

Updating this was more tricky than it had any right to be. PTAL.

Evaluation looks a bit swingy, will re-run the slowest.

esbena

Updating this was more tricky than it had any right to be

You don't say! :(
The implementation looks good though.

JS: Go back to disjunction 8fcd024

Is this due to an optimizer limitation?

I suppose we also need a change-note for - [express](https://www.npmjs.com/package/express)

asgerf · 2020-05-11T15:00:23Z

Is this due to an optimizer limitation?

No, just formatting.

asgerf · 2020-05-13T09:26:25Z

Re-run of slowest is nowhere near as bad as in the original evaluation, but still a bit biased. I'll look at some tuple counts to see what's going.

…hared.qll Co-authored-by: Esben Sparre Andreasen <esbena@github.com>

asgerf · 2020-05-15T12:07:19Z

The use of accesses and calls had dubious join orderings, so I opted to switch to the SourceNode-based API instead. After rebasing on the moduleImport-caching PR this now seems to perform well but I'll run more evaluations over the weekend.

As a bonus, we now recognize req.query[x] as a RemoteInputAccess. 😅

Hopefully that's the last feature-creep in this PR.

esbena

Excellent. Thanks for creeping so fast :)

asgerf · 2020-05-16T08:26:09Z

Security/nightly looks good.

asgerf added JS Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish labels May 6, 2020

asgerf requested a review from a team as a code owner May 6, 2020 21:04

esbena reviewed May 7, 2020

View reviewed changes

esbena reviewed May 11, 2020

View reviewed changes

Comment thread javascript/ql/src/semmle/javascript/frameworks/ConnectExpressShared.qll Outdated

asgerf and others added 9 commits May 15, 2020 09:59

JS: Recognize Express param value callback as RemoteFlowSource

9cacfab

JS: Update getRouteHandlerParameter and router tracking

c45d84f

JS: Go back to disjunction 😭

82d3a7e

JS: Fixes

bfbe70a

JS: Autoformat

a982cdc

Update javascript/ql/src/semmle/javascript/frameworks/ConnectExpressS…

b9995b7

…hared.qll Co-authored-by: Esben Sparre Andreasen <esbena@github.com>

JS: Tweak evaluation of route handler params

659e2ff

JS: Add test with dynamic access to req.query

da974f1

JS: Refactor RequestInputAccess to use source nodes

d84f1b4

asgerf force-pushed the js/express-param-handler branch from 9f68e3f to d84f1b4 Compare May 15, 2020 12:00

JS: Change note

e311cc7

esbena previously approved these changes May 15, 2020

View reviewed changes

asgerf added 2 commits May 16, 2020 09:24

JS: Minor fixes

d279845

JS: Autoformat

0171c9e

asgerf dismissed esbena’s stale review via 0171c9e May 16, 2020 08:25

asgerf removed the Awaiting evaluation Do not merge yet, this PR is waiting for an evaluation to finish label May 16, 2020

esbena approved these changes May 18, 2020

View reviewed changes

semmle-qlci merged commit 6041d52 into github:master May 18, 2020

esbena mentioned this pull request May 18, 2020

JS: Add cb as a RouteHandlerCandidate heuristic parameter name #2229

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JS: Recognize Express param value callback as RemoteFlowSource#3424

JS: Recognize Express param value callback as RemoteFlowSource#3424
semmle-qlci merged 12 commits into
github:masterfrom
asger-semmle:js/express-param-handler

asgerf commented May 6, 2020

Uh oh!

esbena left a comment

Uh oh!

asgerf commented May 11, 2020

Uh oh!

esbena left a comment

Uh oh!

Uh oh!

asgerf commented May 11, 2020

Uh oh!

asgerf commented May 13, 2020

Uh oh!

asgerf commented May 15, 2020

Uh oh!

esbena left a comment

Uh oh!

asgerf commented May 16, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

	SimpleParameter getRouteHandlerParameter(Function routeHandler, string kind) {
	exists(int index, int offset \|
	result = routeHandler.getParameter(index + offset) and
	(if routeHandler.getNumParameter() = 4 then offset = 0 else offset = -1)
	\|
	kind = "error" and index = 0
	or
	kind = "request" and index = 1
	or
	kind = "response" and index = 2
	or
	kind = "next" and index = 3
	)
	}

Conversation

asgerf commented May 6, 2020

Uh oh!

esbena left a comment

Choose a reason for hiding this comment

Uh oh!

asgerf commented May 11, 2020

Uh oh!

esbena left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

asgerf commented May 11, 2020

Uh oh!

asgerf commented May 13, 2020

Uh oh!

asgerf commented May 15, 2020

Uh oh!

esbena left a comment

Choose a reason for hiding this comment

Uh oh!

asgerf commented May 16, 2020

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants