JS: add RemoteFlowSource.isDeepObject() and populate it

Author: asger-semmle

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -488,6 +488,20 @@ module Express {
     override string getKind() {
       result = kind
     }
+
+    override predicate isDeepObject() {
+      kind = "body" and
+      exists (ExpressLibraries::BodyParser bodyParser, RouteHandlerExpr expr |
+        expr.getBody() = rh and
+        bodyParser.isDeepObject() and
+        bodyParser.flowsToExpr(expr.getAMatchingAncestor())
+      )
+      or
+      // If we can't find the middlewares for the route handler,
+      // but all known body parsers are deep, assume req.body is a deep object.
+      kind = "body" and
+      forall(ExpressLibraries::BodyParser bodyParser | bodyParser.isDeepObject())
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/ExpressModules.qll

@@ -230,4 +230,52 @@ module ExpressLibraries {
 
   }
 
+  /**
+   * An instance of the Express `body-parser` middleware.
+   */
+  class BodyParser extends DataFlow::InvokeNode {
+    string kind;
+
+    BodyParser() {
+      this = DataFlow::moduleImport("body-parser").getACall() and kind = "json"
+      or
+      exists (string moduleName |
+        (moduleName = "body-parser" or moduleName = "express") and
+        (kind = "json" or kind = "urlencoded") and
+        this = DataFlow::moduleMember(moduleName, kind).getACall()
+      )
+    }
+
+    /**
+     * Holds if this is a JSON body parser.
+     */
+    predicate isJson() {
+      kind = "json"
+    }
+
+    /**
+     * Holds if this is a URL-encoded body parser.
+     */
+    predicate isUrlEncoded() {
+      kind = "urlencoded"
+    }
+
+    /**
+     * Holds if this is an extended URL-encoded body parser.
+     *
+     * The extended URL-encoding allows for nested objects, like JSON.
+     */
+    predicate isExtendedUrlEncoded() {
+      kind = "urlencoded" and
+      not getOptionArgument(0, "extended").mayHaveBooleanValue(false)
+    }
+
+    /**
+     * Holds if this parses the input as JSON or extended URL-encoding.
+     */
+    predicate isDeepObject() {
+      isJson() or isExtendedUrlEncoded()
+    }
+  }
+
 }

javascript/ql/src/semmle/javascript/security/dataflow/RemoteFlowSources.qll

@@ -10,6 +10,11 @@ import semmle.javascript.security.dataflow.DOM
 abstract class RemoteFlowSource extends DataFlow::Node {
   /** Gets a string that describes the type of this remote flow source. */
   abstract string getSourceType();
+
+  /**
+   * Holds if this can be a user-controlled deep object, such as a JSON object parsed from user-controlled data.
+   */
+  predicate isDeepObject() { none() }
 }
 
 /**