Added support for axios.interceptors.request.

Author: Napalys

javascript/ql/lib/ext/axios.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["axios", "Member[interceptors].Member[request].Member[use].Argument[0].Parameter[0].Member[url]", "request-forgery"]

javascript/ql/test/experimental/Security/CWE-918/SSRF.expected

@@ -21,6 +21,11 @@ edges
 | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | provenance |  |
 | check-validator.js:62:29:62:37 | numberURL | check-validator.js:62:15:62:37 | "test.c ... mberURL | provenance |  |
 | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | provenance |  |
+| interceptors.js:19:11:19:17 | { url } | interceptors.js:19:11:19:28 | url | provenance |  |
+| interceptors.js:19:11:19:28 | url | interceptors.js:20:23:20:25 | url | provenance |  |
+| interceptors.js:19:21:19:28 | req.body | interceptors.js:19:11:19:17 | { url } | provenance |  |
+| interceptors.js:20:5:20:25 | userProvidedUrl | interceptors.js:11:26:11:40 | userProvidedUrl | provenance |  |
+| interceptors.js:20:23:20:25 | url | interceptors.js:20:5:20:25 | userProvidedUrl | provenance |  |
 nodes
 | check-domain.js:16:9:16:27 | url | semmle.label | url |
 | check-domain.js:16:15:16:27 | req.query.url | semmle.label | req.query.url |
@@ -64,6 +69,12 @@ nodes
 | check-validator.js:62:29:62:37 | numberURL | semmle.label | numberURL |
 | check-validator.js:68:15:68:45 | "test.c ... tainted | semmle.label | "test.c ... tainted |
 | check-validator.js:68:29:68:45 | req.query.tainted | semmle.label | req.query.tainted |
+| interceptors.js:11:26:11:40 | userProvidedUrl | semmle.label | userProvidedUrl |
+| interceptors.js:19:11:19:17 | { url } | semmle.label | { url } |
+| interceptors.js:19:11:19:28 | url | semmle.label | url |
+| interceptors.js:19:21:19:28 | req.body | semmle.label | req.body |
+| interceptors.js:20:5:20:25 | userProvidedUrl | semmle.label | userProvidedUrl |
+| interceptors.js:20:23:20:25 | url | semmle.label | url |
 subpaths
 #select
 | check-domain.js:17:13:17:15 | url | check-domain.js:16:15:16:27 | req.query.url | check-domain.js:17:13:17:15 | url | The URL of this request depends on a user-provided value. |
@@ -86,3 +97,4 @@ subpaths
 | check-validator.js:59:15:59:45 | "test.c ... tainted | check-validator.js:59:29:59:45 | req.query.tainted | check-validator.js:59:15:59:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
 | check-validator.js:62:15:62:37 | "test.c ... mberURL | check-validator.js:54:21:54:37 | req.query.tainted | check-validator.js:62:15:62:37 | "test.c ... mberURL | The URL of this request depends on a user-provided value. |
 | check-validator.js:68:15:68:45 | "test.c ... tainted | check-validator.js:68:29:68:45 | req.query.tainted | check-validator.js:68:15:68:45 | "test.c ... tainted | The URL of this request depends on a user-provided value. |
+| interceptors.js:11:26:11:40 | userProvidedUrl | interceptors.js:19:21:19:28 | req.body | interceptors.js:11:26:11:40 | userProvidedUrl | The URL of this request depends on a user-provided value. |

javascript/ql/test/experimental/Security/CWE-918/interceptors.js

@@ -8,7 +8,7 @@ let userProvidedUrl = "";
 axios.interceptors.request.use(
     function (config) {
         if (userProvidedUrl) {
-            config.url = userProvidedUrl; // SSRF -- not flagged
+            config.url = userProvidedUrl; // SSRF
         }
         return config;
     },