JS: add Hapi::RouteHandlerCandidate

Esben Sparre Andreasen · Esben Sparre Andreasen · commit a3bd072590ef · 2018-12-03T09:22:21.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll b/javascript/ql/src/semmle/javascript/frameworks/Hapi.qll
@@ -210,7 +210,8 @@ module Hapi {
     }
 
     override DataFlow::SourceNode getARouteHandler() {
-      result.(DataFlow::SourceNode).flowsTo(handler.flow())
+      result.(DataFlow::SourceNode).flowsTo(handler.flow()) or
+      result.(DataFlow::TrackedNode).flowsTo(handler.flow())
     }
 
     Expr getRouteHandlerExpr() {
@@ -221,4 +222,57 @@ module Hapi {
       result = server
     }
   }
+
+  /**
+   * A function that looks like a Hapi route handler.
+   *
+   * For example, this could be the function `function(request, h){...}`.
+   */
+  class RouteHandlerCandidate extends HTTP::RouteHandlerCandidate, DataFlow::FunctionNode {
+
+    override Function astNode;
+
+    RouteHandlerCandidate() {
+      exists (string request, string responseToolkit |
+        (request = "request" or request = "req") and
+        responseToolkit = "h" and
+        // heuristic: parameter names match the Hapi documentation
+        astNode.getNumParameter() = 2 and
+        astNode.getParameter(0).getName() = request and
+        astNode.getParameter(1).getName() = responseToolkit |
+        not (
+          // heuristic: is not invoked (Hapi invokes this at a call site we cannot reason precisely about)
+          exists(DataFlow::InvokeNode cs | cs.getACallee() = astNode)
+        )
+      )
+    }
+  }
+
+  /**
+   * Tracking for `RouteHandlerCandidate`.
+   */
+  private class TrackedRouteHandlerCandidate extends DataFlow::TrackedNode {
+
+    TrackedRouteHandlerCandidate() {
+      this instanceof RouteHandlerCandidate
+    }
+
+  }
+
+  /**
+   * A function that looks like a Hapi route handler and flows to a route setup.
+   */
+  private class TrackedRouteHandlerCandidateWithSetup extends RouteHandler, HTTP::Servers::StandardRouteHandler, DataFlow::ValueNode {
+
+    override Function astNode;
+
+    TrackedRouteHandlerCandidateWithSetup() {
+      exists(TrackedRouteHandlerCandidate tracked |
+        tracked.flowsTo(any(RouteSetup s).getRouteHandlerExpr().flow()) and
+        this = tracked
+      )
+    }
+
+  }
+
 }
diff --git a/javascript/ql/src/semmle/javascript/heuristics/AdditionalRouteHandlers.qll b/javascript/ql/src/semmle/javascript/heuristics/AdditionalRouteHandlers.qll
@@ -18,6 +18,17 @@ private class PromotedNodeJSLibCandidate extends NodeJSLib::RouteHandler, HTTP::
 
 }
 
+/**
+ * Adds `Hapi::RouteHandlerCandidate` to the extent of `Hapi::RouteHandler`.
+ */
+private class PromotedHapiCandidate extends Hapi::RouteHandler, HTTP::Servers::StandardRouteHandler {
+
+    PromotedHapiCandidate() {
+      this instanceof Hapi::RouteHandlerCandidate
+    }
+
+}
+
 /**
  * Adds `ConnectExpressShared::RouteHandlerCandidate` to the extent of `Express::RouteHandler`.
  */
diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/RouteHandlerCandidate.expected b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/RouteHandlerCandidate.expected
@@ -15,6 +15,7 @@
 | src/exported-middleware-attacher.js:2:13:2:32 | function(req, res){} |
 | src/handler-in-property.js:5:14:5:33 | function(req, res){} |
 | src/handler-in-property.js:12:18:12:37 | function(req, res){} |
+| src/hapi.js:1:1:1:30 | functio ... t, h){} |
 | src/iterated-handlers.js:4:2:4:22 | functio ...  res){} |
 | src/middleware-attacher-getter.js:4:17:4:36 | function(req, res){} |
 | src/middleware-attacher-getter.js:19:19:19:38 | function(req, res){} |
diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.expected b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/UnpromotedRouteHandlerCandidate.expected
@@ -1,5 +1,6 @@
 | src/bound-handler.js:4:1:4:28 | functio ...  res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/bound-handler.js:9:12:9:31 | function(req, res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
+| src/hapi.js:1:1:1:30 | functio ... t, h){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/iterated-handlers.js:4:2:4:22 | functio ...  res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/middleware-attacher-getter.js:29:32:29:51 | function(req, res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
 | src/route-objects.js:7:19:7:38 | function(req, res){} | A `RouteHandlerCandidate` that did not get promoted to `RouteHandler`, and it is not used in a `RouteSetupCandidate`. |
diff --git a/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js b/javascript/ql/test/library-tests/frameworks/HTTP-heuristics/src/hapi.js
@@ -0,0 +1 @@
+function handler(request, h){}
diff --git a/javascript/ql/test/library-tests/frameworks/hapi/RouteHandler.expected b/javascript/ql/test/library-tests/frameworks/hapi/RouteHandler.expected
@@ -2,3 +2,4 @@
 | src/hapi.js:13:14:15:5 | functio ... n\\n    } | src/hapi.js:4:15:4:31 | new Hapi.Server() |
 | src/hapi.js:17:30:18:1 | functio ... ndler\\n} | src/hapi.js:4:15:4:31 | new Hapi.Server() |
 | src/hapi.js:20:1:27:1 | functio ... oken;\\n} | src/hapi.js:4:15:4:31 | new Hapi.Server() |
+| src/hapi.js:34:12:34:30 | function (req, h){} | src/hapi.js:4:15:4:31 | new Hapi.Server() |
diff --git a/javascript/ql/test/library-tests/frameworks/hapi/RouteSetup.expected b/javascript/ql/test/library-tests/frameworks/hapi/RouteSetup.expected
@@ -2,3 +2,4 @@
 | src/hapi.js:12:1:15:7 | server2 ...     }}) |
 | src/hapi.js:17:1:18:2 | server2 ... dler\\n}) |
 | src/hapi.js:29:1:29:20 | server2.route(route) |
+| src/hapi.js:36:1:36:38 | server2 ... ler()}) |
diff --git a/javascript/ql/test/library-tests/frameworks/hapi/RouteSetup_getARouteHandler.expected b/javascript/ql/test/library-tests/frameworks/hapi/RouteSetup_getARouteHandler.expected
@@ -2,3 +2,5 @@
 | src/hapi.js:12:1:15:7 | server2 ...     }}) | src/hapi.js:13:14:15:5 | functio ... n\\n    } |
 | src/hapi.js:17:1:18:2 | server2 ... dler\\n}) | src/hapi.js:17:30:18:1 | functio ... ndler\\n} |
 | src/hapi.js:29:1:29:20 | server2.route(route) | src/hapi.js:20:1:27:1 | functio ... oken;\\n} |
+| src/hapi.js:36:1:36:38 | server2 ... ler()}) | src/hapi.js:34:12:34:30 | function (req, h){} |
+| src/hapi.js:36:1:36:38 | server2 ... ler()}) | src/hapi.js:36:25:36:36 | getHandler() |
diff --git a/javascript/ql/test/library-tests/frameworks/hapi/RouteSetup_getServer.expected b/javascript/ql/test/library-tests/frameworks/hapi/RouteSetup_getServer.expected
@@ -2,3 +2,4 @@
 | src/hapi.js:12:1:15:7 | server2 ...     }}) | src/hapi.js:4:15:4:31 | new Hapi.Server() |
 | src/hapi.js:17:1:18:2 | server2 ... dler\\n}) | src/hapi.js:4:15:4:31 | new Hapi.Server() |
 | src/hapi.js:29:1:29:20 | server2.route(route) | src/hapi.js:4:15:4:31 | new Hapi.Server() |
+| src/hapi.js:36:1:36:38 | server2 ... ler()}) | src/hapi.js:4:15:4:31 | new Hapi.Server() |
diff --git a/javascript/ql/test/library-tests/frameworks/hapi/src/hapi.js b/javascript/ql/test/library-tests/frameworks/hapi/src/hapi.js
@@ -29,3 +29,8 @@ var route = {handler: handler4};
 server2.route(route);
 
 server2.cache({ segment: 'countries', expiresIn: 60*60*1000 });
+
+function getHandler() {
+    return function (req, h){}
+}
+server2.route({handler: getHandler()});
