JS: add ClientRequest::getHost

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll

@@ -21,6 +21,11 @@ abstract class CustomClientRequest extends DataFlow::InvokeNode {
    */
   abstract DataFlow::Node getUrl();
 
+  /**
+   * Gets the host of the request.
+   */
+  abstract DataFlow::Node getHost();
+
   /**
    * Gets a node that contributes to the data-part this request.
    */
@@ -50,6 +55,13 @@ class ClientRequest extends DataFlow::InvokeNode {
     result = custom.getUrl()
   }
 
+  /**
+   * Gets the host of the request.
+   */
+  DataFlow::Node getHost() {
+    result = custom.getHost()
+  }
+
   /**
    * Gets a node that contributes to the data-part this request.
    */
@@ -102,6 +114,10 @@ private class RequestUrlRequest extends CustomClientRequest {
     result = getOptionArgument(0, urlPropertyName())
   }
 
+  override DataFlow::Node getHost() {
+    none()
+  }
+
   override DataFlow::Node getADataNode() {
     result = getArgument(1)
   }
@@ -126,10 +142,18 @@ private class AxiosUrlRequest extends CustomClientRequest {
     )
   }
 
+  private DataFlow::Node getOptionArgument(string name) {
+    // depends on the method name and the call arity, over-approximating slightly in the name of simplicity
+    result = getOptionArgument([0..2], name)
+  }
+
   override DataFlow::Node getUrl() {
     result = getArgument(0) or
-    // depends on the method name and the call arity, over-approximating slightly in the name of simplicity
-    result = getOptionArgument([0..2], urlPropertyName())
+    result = getOptionArgument(urlPropertyName())
+  }
+
+  override DataFlow::Node getHost() {
+    result = getOptionArgument("host")
   }
 
   override DataFlow::Node getADataNode() {
@@ -176,6 +200,8 @@ private class FetchUrlRequest extends CustomClientRequest {
     result = url
   }
 
+  override DataFlow::Node getHost() { none() }
+
   override DataFlow::Node getADataNode() {
     exists (string name |
       name = "headers" or name = "body" |
@@ -206,6 +232,14 @@ private class GotUrlRequest extends CustomClientRequest {
     not exists (getOptionArgument(1, "baseUrl"))
   }
 
+  override DataFlow::Node getHost() {
+    exists (string name |
+      name = "host" or
+      name = "hostname" |
+      result = getOptionArgument(1, name)
+    )
+  }
+
   override DataFlow::Node getADataNode() {
     exists (string name |
       name = "headers" or name = "body" or name = "query" |
@@ -235,6 +269,8 @@ private class SuperAgentUrlRequest extends CustomClientRequest {
     result = url
   }
 
+  override DataFlow::Node getHost() { none() }
+
   override DataFlow::Node getADataNode() {
     exists (string name |
       name = "set" or name = "send" or name = "query" |
@@ -252,5 +288,6 @@ private class XMLHttpRequest extends CustomClientRequest {
 
   override DataFlow::Node getUrl() { result = getAMethodCall("open").getArgument(1) }
 
+  override DataFlow::Node getHost() { none() }
   override DataFlow::Node getADataNode() { result = getAMethodCall("send").getArgument(0) }
 }

javascript/ql/src/semmle/javascript/frameworks/Electron.qll

@@ -64,6 +64,14 @@ module Electron {
       result = getOptionArgument(0, "url")
     }
 
+    override DataFlow::Node getHost() {
+      exists (string name |
+        name = "host" or
+        name = "hostname" |
+        result = getOptionArgument(0, name)
+      )
+    }
+
     override DataFlow::Node getADataNode() {
       exists (string name |
         name = "write" or name = "end" |

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -737,6 +737,14 @@ module NodeJSLib {
       result = url
     }
 
+    override DataFlow::Node getHost() {
+      exists (string name |
+        name = "host" or
+        name = "hostname" |
+        result = getOptionArgument(1, name)
+      )
+    }
+
     override DataFlow::Node getADataNode() {
       exists (string name |
         name = "write" or name = "end" |

javascript/ql/src/semmle/javascript/frameworks/jQuery.qll

@@ -359,5 +359,7 @@ private class JQueryClientRequest extends CustomClientRequest {
     result = getOptionArgument([0 .. 1], "url")
   }
 
+  override DataFlow::Node getHost() { none() }
+
   override DataFlow::Node getADataNode() { result = getOptionArgument([0 .. 1], "data") }
 }

javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequest.expected

@@ -32,3 +32,7 @@
 | tst.js:77:5:77:32 | $.getJS ...  data}) |
 | tst.js:78:5:78:38 | $.getJS ...  data}) |
 | tst.js:80:15:80:34 | new XMLHttpRequest() |
+| tst.js:87:5:87:39 | http.ge ...  host}) |
+| tst.js:89:5:89:23 | axios({host: host}) |
+| tst.js:91:5:91:34 | got(rel ...  host}) |
+| tst.js:93:5:93:35 | net.req ... host }) |

javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequest_getHost.expected

@@ -0,0 +1,4 @@
+| tst.js:87:5:87:39 | http.ge ...  host}) | tst.js:87:34:87:37 | host |
+| tst.js:89:5:89:23 | axios({host: host}) | tst.js:89:18:89:21 | host |
+| tst.js:91:5:91:34 | got(rel ...  host}) | tst.js:91:29:91:32 | host |
+| tst.js:93:5:93:35 | net.req ... host }) | tst.js:93:29:93:32 | host |

javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequest_getHost.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from ClientRequest r
+select r, r.getHost()

javascript/ql/test/library-tests/frameworks/ClientRequests/ClientRequest_getUrl.expected

@@ -38,3 +38,7 @@
 | tst.js:78:5:78:38 | $.getJS ...  data}) | tst.js:78:15:78:37 | {url: u ... : data} |
 | tst.js:78:5:78:38 | $.getJS ...  data}) | tst.js:78:21:78:23 | url |
 | tst.js:80:15:80:34 | new XMLHttpRequest() | tst.js:81:17:81:19 | url |
+| tst.js:87:5:87:39 | http.ge ...  host}) | tst.js:87:14:87:24 | relativeUrl |
+| tst.js:89:5:89:23 | axios({host: host}) | tst.js:89:11:89:22 | {host: host} |
+| tst.js:91:5:91:34 | got(rel ...  host}) | tst.js:91:9:91:19 | relativeUrl |
+| tst.js:93:5:93:35 | net.req ... host }) | tst.js:93:17:93:34 | { hostname: host } |

javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js

@@ -81,3 +81,15 @@ import {ClientRequest, net} from 'electron';
     xhr.open(_, url);
     xhr.send(data);
 });
+
+(function() {
+
+    http.get(relativeUrl, {host: host});
+
+    axios({host: host});
+
+    got(relativeUrl, {host: host});
+
+    net.request({ hostname: host });
+
+});