Add user-controlled property tracking and update code injection alerts in Fastify hooks

Napalys · Napalys · commit 5c3556da66d7 · 2025-04-15T09:41:52.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll b/javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll
@@ -238,6 +238,20 @@ module Fastify {
     }
   }
 
+  /**
+   * Gets the property name where user-controlled input is written to a request or response object
+   * in a route handler. This is used to track taint flow through request and response object properties.
+   */
+  private string getUserControlledPropertyName() {
+    exists(DataFlow::PropWrite write, DataFlow::Node source, RouteHandler rh |
+      write.getBase*() =
+        [rh.getARequestSource().ref().getALocalUse(), rh.getAResponseSource().ref().getALocalUse()] and
+      write.getPropertyName() = result and
+      write.getRhs() = source and
+      source = any(Http::RequestInputAccess ria).getASuccessor*()
+    )
+  }
+
   /**
    * An access to a user-controlled Fastify request input.
    */
@@ -252,6 +266,20 @@ module Fastify {
         or
         kind = "body" and
         name = "body"
+        or
+        kind = "stored" and
+        name = getUserControlledPropertyName()
+      )
+      or
+      // Handle reading from reply object with user input stored on it
+      exists(string name |
+        (
+          this = rh.getAResponseSource().ref().getAPropertyRead(name)
+          or
+          this = rh.getAResponseSource().ref().getAPropertyRead+().getAPropertyRead(name)
+        ) and
+        kind = "stored" and
+        name = getUserControlledPropertyName()
       )
     }
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -51,6 +51,9 @@
 | fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
 | fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
 | fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
+| fastify.js:71:34:71:51 | request.storedCode | fastify.js:71:34:71:51 | request.storedCode | fastify.js:71:34:71:51 | request.storedCode | This code execution depends on a $@. | fastify.js:71:34:71:51 | request.storedCode | user-provided value |
+| fastify.js:84:30:84:43 | reply.userCode | fastify.js:84:30:84:43 | reply.userCode | fastify.js:84:30:84:43 | reply.userCode | This code execution depends on a $@. | fastify.js:84:30:84:43 | reply.userCode | user-provided value |
+| fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:99:30:99:52 | reply.l ... tedCode | fastify.js:99:30:99:52 | reply.l ... tedCode | This code execution depends on a $@. | fastify.js:99:30:99:52 | reply.l ... tedCode | user-provided value |
 | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | module.js:9:16:9:29 | req.query.code | This code execution depends on a $@. | module.js:9:16:9:29 | req.query.code | user-provided value |
 | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | module.js:11:17:11:30 | req.query.code | This code execution depends on a $@. | module.js:11:17:11:30 | req.query.code | user-provided value |
 | react-native.js:8:32:8:38 | tainted | react-native.js:7:17:7:33 | req.param("code") | react-native.js:8:32:8:38 | tainted | This code execution depends on a $@. | react-native.js:7:17:7:33 | req.param("code") | user-provided value |
@@ -247,6 +250,9 @@ nodes
 | fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
 | fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
 | fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
+| fastify.js:71:34:71:51 | request.storedCode | semmle.label | request.storedCode |
+| fastify.js:84:30:84:43 | reply.userCode | semmle.label | reply.userCode |
+| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -161,6 +161,9 @@ nodes
 | fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
 | fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
 | fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
+| fastify.js:71:34:71:51 | request.storedCode | semmle.label | request.storedCode |
+| fastify.js:84:30:84:43 | reply.userCode | semmle.label | reply.userCode |
+| fastify.js:99:30:99:52 | reply.l ... tedCode | semmle.label | reply.l ... tedCode |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js
@@ -68,7 +68,7 @@ fastify.addHook('preHandler', async (request, reply) => {
 fastify.get('/flow-through-request', async (request, reply) => {
   // Use the stored code from previous hook
   if (request.storedCode) {
-    const evaluatedResult = eval(request.storedCode); // $ MISSING: Alert[js/code-injection]
+    const evaluatedResult = eval(request.storedCode); // $ Alert[js/code-injection]
     return { result: evaluatedResult };
   }
   return { result: null };
@@ -81,7 +81,7 @@ fastify.addHook('onRequest', async (request, reply) => {
 fastify.get('/flow-through-reply', async (request, reply) => {
   // Use the code stored in reply object
   if (reply.userCode) {
-    const replyResult = eval(reply.userCode); // $ MISSING: Alert[js/code-injection]
+    const replyResult = eval(reply.userCode); // $ Alert[js/code-injection]
     return { result: replyResult };
   }
   return { result: null };
@@ -96,7 +96,7 @@ fastify.addHook('onRequest', async (request, reply) => {
 fastify.get('/flow-through-reply', async (request, reply) => {
   // Use the code stored in reply object
   if (reply.locals && reply.locals.nestedCode) {
-    const replyResult = eval(reply.locals.nestedCode); // $ MISSING: Alert[js/code-injection]
+    const replyResult = eval(reply.locals.nestedCode); // $ Alert[js/code-injection]
     return { result: replyResult };
   }
   return { result: null };
