Enhance SuperAgent URL request handling for both method calls and direct calls

Napalys · Napalys · commit 2983b0829f85 · 2025-03-19T17:50:05.000+01:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll
@@ -522,8 +522,16 @@ module ClientRequest {
     SuperAgentUrlRequest() {
       exists(string moduleName, DataFlow::SourceNode callee | this = callee.getACall() |
         moduleName = "superagent" and
-        callee = DataFlow::moduleMember(moduleName, httpMethodName()) and
-        url = this.getArgument(0)
+        (
+          // Handle method calls like superagent.get(url)
+          callee = DataFlow::moduleMember(moduleName, httpMethodName()) and
+          url = this.getArgument(0)
+          or
+          // Handle direct calls like superagent('GET', url)
+          callee = DataFlow::moduleImport(moduleName) and
+          this.getArgument(0).mayHaveStringValue([httpMethodName().toUpperCase(), httpMethodName()]) and
+          url = this.getArgument(1)
+        )
       )
     }
 
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected b/javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequests.expected
@@ -91,6 +91,7 @@ test_ClientRequest
 | tst.js:286:20:286:55 | new Web ... :8080') |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) |
 | tst.js:312:12:312:36 | fetchPo ... o/bar') |
+| tst.js:319:5:319:26 | superag ... ', url) |
 | tst.js:320:5:320:23 | superagent.del(url) |
 test_getADataNode
 | axiosTest.js:12:5:17:6 | axios({ ... \\n    }) | axiosTest.js:15:18:15:55 | { 'Cont ... json' } |
@@ -241,6 +242,7 @@ test_getUrl
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:296:11:299:5 | {\\n      ... ,\\n    } |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:298:14:298:44 | "http:/ ... -axios" |
 | tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:26:312:35 | '/foo/bar' |
+| tst.js:319:5:319:26 | superag ... ', url) | tst.js:319:23:319:25 | url |
 | tst.js:320:5:320:23 | superagent.del(url) | tst.js:320:20:320:22 | url |
 test_getAResponseDataNode
 | axiosTest.js:4:5:7:6 | axios({ ... \\n    }) | axiosTest.js:4:5:7:6 | axios({ ... \\n    }) | json | true |
@@ -316,4 +318,5 @@ test_getAResponseDataNode
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:303:26:303:37 | err.response | json | false |
 | tst.js:296:5:299:6 | axios({ ... \\n    }) | tst.js:304:27:304:38 | err.response | json | false |
 | tst.js:312:12:312:36 | fetchPo ... o/bar') | tst.js:312:12:312:36 | fetchPo ... o/bar') | fetch.response | true |
+| tst.js:319:5:319:26 | superag ... ', url) | tst.js:319:5:319:26 | superag ... ', url) | stream | true |
 | tst.js:320:5:320:23 | superagent.del(url) | tst.js:320:5:320:23 | superagent.del(url) | stream | true |
diff --git a/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js b/javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js
@@ -316,7 +316,7 @@ function usePolyfill() {
 }
 
 function useSuperagent(url){
-    superagent('GET', url); // Not flagged
+    superagent('GET', url);
     superagent.del(url);
     superagent.agent().post(url).send(data); // Not flagged
 }

Original file line number	Diff line number	Diff line change
`@@ -316,7 +316,7 @@ function usePolyfill() {`
`316`	`316`	`}`
`317`	`317`
`318`	`318`	`function useSuperagent(url){`
`319`		`- superagent('GET', url); // Not flagged`
	`319`	`+ superagent('GET', url);`
`320`	`320`	`superagent.del(url);`
`321`	`321`	`superagent.agent().post(url).send(data); // Not flagged`
`322`	`322`	`}`