
Commit c6333af

committed
JS: Added MaD for fastify.addHook
1 parent f4eb899 commit c6333af


4 files changed

+145
-20
lines changed


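--- a/javascript/ql/lib/ext/fastify.model.yml
+++ b/javascript/ql/lib/ext/fastify.model.yml
@@ -0,0 +1,6 @@
+extensions:
+- addsTo:
+pack: codeql/javascript-all
+extensible: sourceModel
+data:
+- ["fastify", "ReturnValue.Member[addHook].Argument[1].Parameter[0].Member[query]", "remote"]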
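Review bot: The new source row marks only `Member[query]` on the hook's request parameter as `remote`, so `request.body`, `request.params` and `request.headers` read inside an `addHook` callback are not covered by this row, and taint from them into a sink such as `eval` could go unreported. If the existing Fastify modelling does not already cover hook handlers (not visible from this page), consider widening the last component, e.g. `Member[query,body,params,headers]`, and adding matching cases to `fastify.js`, which currently exercises `request.query` only. The row also matches every hook name, including application hooks such as `onRoute` or `onClose` whose first parameter is not a request; that is probably harmless in practice but worth a short comment in the model file.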

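--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -27,6 +27,16 @@
 | express.js:20:34:20:38 | taint | express.js:19:17:19:35 | req.param("wobble") | express.js:20:34:20:38 | taint | This code execution depends on a $@. | express.js:19:17:19:35 | req.param("wobble") | user-provided value |
 | express.js:36:15:36:19 | taint | express.js:27:17:27:35 | req.param("wobble") | express.js:36:15:36:19 | taint | This code execution depends on a $@. | express.js:27:17:27:35 | req.param("wobble") | user-provided value |
 | express.js:43:10:43:12 | msg | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | This code execution depends on a $@. | express.js:42:30:42:32 | msg | user-provided value |
+| fastify.js:5:44:5:52 | userInput | fastify.js:4:21:4:33 | request.query | fastify.js:5:44:5:52 | userInput | This code execution depends on a $@. | fastify.js:4:21:4:33 | request.query | user-provided value |
+| fastify.js:10:44:10:52 | userInput | fastify.js:9:21:9:33 | request.query | fastify.js:10:44:10:52 | userInput | This code execution depends on a $@. | fastify.js:9:21:9:33 | request.query | user-provided value |
+| fastify.js:16:44:16:52 | userInput | fastify.js:15:21:15:33 | request.query | fastify.js:16:44:16:52 | userInput | This code execution depends on a $@. | fastify.js:15:21:15:33 | request.query | user-provided value |
+| fastify.js:22:44:22:52 | userInput | fastify.js:21:21:21:33 | request.query | fastify.js:22:44:22:52 | userInput | This code execution depends on a $@. | fastify.js:21:21:21:33 | request.query | user-provided value |
+| fastify.js:27:44:27:52 | userInput | fastify.js:26:21:26:33 | request.query | fastify.js:27:44:27:52 | userInput | This code execution depends on a $@. | fastify.js:26:21:26:33 | request.query | user-provided value |
+| fastify.js:32:44:32:52 | userInput | fastify.js:31:21:31:33 | request.query | fastify.js:32:44:32:52 | userInput | This code execution depends on a $@. | fastify.js:31:21:31:33 | request.query | user-provided value |
+| fastify.js:38:44:38:52 | userInput | fastify.js:37:21:37:33 | request.query | fastify.js:38:44:38:52 | userInput | This code execution depends on a $@. | fastify.js:37:21:37:33 | request.query | user-provided value |
+| fastify.js:43:44:43:52 | userInput | fastify.js:42:21:42:33 | request.query | fastify.js:43:44:43:52 | userInput | This code execution depends on a $@. | fastify.js:42:21:42:33 | request.query | user-provided value |
+| fastify.js:48:44:48:52 | userInput | fastify.js:47:21:47:33 | request.query | fastify.js:48:44:48:52 | userInput | This code execution depends on a $@. | fastify.js:47:21:47:33 | request.query | user-provided value |
+| fastify.js:53:46:53:54 | userInput | fastify.js:52:23:52:35 | request.query | fastify.js:53:46:53:54 | userInput | This code execution depends on a $@. | fastify.js:52:23:52:35 | request.query | user-provided value |
 | fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
 | fastify.js:58:44:58:52 | userInput | fastify.js:57:21:57:39 | request.query.input | fastify.js:58:44:58:52 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:39 | request.query.input | user-provided value |
 | fastify.js:59:23:59:31 | userInput | fastify.js:57:21:57:33 | request.query | fastify.js:59:23:59:31 | userInput | This code execution depends on a $@. | fastify.js:57:21:57:33 | request.query | user-provided value |
@@ -79,6 +89,26 @@ edges
 | express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | |
 | express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | |
 | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | |
+| fastify.js:4:9:4:43 | userInput | fastify.js:5:44:5:52 | userInput | provenance | |
+| fastify.js:4:21:4:33 | request.query | fastify.js:4:9:4:43 | userInput | provenance | |
+| fastify.js:9:9:9:40 | userInput | fastify.js:10:44:10:52 | userInput | provenance | |
+| fastify.js:9:21:9:33 | request.query | fastify.js:9:9:9:40 | userInput | provenance | |
+| fastify.js:15:9:15:44 | userInput | fastify.js:16:44:16:52 | userInput | provenance | |
+| fastify.js:15:21:15:33 | request.query | fastify.js:15:9:15:44 | userInput | provenance | |
+| fastify.js:21:9:21:47 | userInput | fastify.js:22:44:22:52 | userInput | provenance | |
+| fastify.js:21:21:21:33 | request.query | fastify.js:21:9:21:47 | userInput | provenance | |
+| fastify.js:26:9:26:44 | userInput | fastify.js:27:44:27:52 | userInput | provenance | |
+| fastify.js:26:21:26:33 | request.query | fastify.js:26:9:26:44 | userInput | provenance | |
+| fastify.js:31:9:31:50 | userInput | fastify.js:32:44:32:52 | userInput | provenance | |
+| fastify.js:31:21:31:33 | request.query | fastify.js:31:9:31:50 | userInput | provenance | |
+| fastify.js:37:9:37:44 | userInput | fastify.js:38:44:38:52 | userInput | provenance | |
+| fastify.js:37:21:37:33 | request.query | fastify.js:37:9:37:44 | userInput | provenance | |
+| fastify.js:42:9:42:41 | userInput | fastify.js:43:44:43:52 | userInput | provenance | |
+| fastify.js:42:21:42:33 | request.query | fastify.js:42:9:42:41 | userInput | provenance | |
+| fastify.js:47:9:47:43 | userInput | fastify.js:48:44:48:52 | userInput | provenance | |
+| fastify.js:47:21:47:33 | request.query | fastify.js:47:9:47:43 | userInput | provenance | |
+| fastify.js:52:11:52:50 | userInput | fastify.js:53:46:53:54 | userInput | provenance | |
+| fastify.js:52:23:52:35 | request.query | fastify.js:52:11:52:50 | userInput | provenance | |
 | fastify.js:57:9:57:39 | userInput | fastify.js:58:44:58:52 | userInput | provenance | |
 | fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
 | fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
@@ -152,6 +182,36 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| fastify.js:4:9:4:43 | userInput | semmle.label | userInput |
+| fastify.js:4:21:4:33 | request.query | semmle.label | request.query |
+| fastify.js:5:44:5:52 | userInput | semmle.label | userInput |
+| fastify.js:9:9:9:40 | userInput | semmle.label | userInput |
+| fastify.js:9:21:9:33 | request.query | semmle.label | request.query |
+| fastify.js:10:44:10:52 | userInput | semmle.label | userInput |
+| fastify.js:15:9:15:44 | userInput | semmle.label | userInput |
+| fastify.js:15:21:15:33 | request.query | semmle.label | request.query |
+| fastify.js:16:44:16:52 | userInput | semmle.label | userInput |
+| fastify.js:21:9:21:47 | userInput | semmle.label | userInput |
+| fastify.js:21:21:21:33 | request.query | semmle.label | request.query |
+| fastify.js:22:44:22:52 | userInput | semmle.label | userInput |
+| fastify.js:26:9:26:44 | userInput | semmle.label | userInput |
+| fastify.js:26:21:26:33 | request.query | semmle.label | request.query |
+| fastify.js:27:44:27:52 | userInput | semmle.label | userInput |
+| fastify.js:31:9:31:50 | userInput | semmle.label | userInput |
+| fastify.js:31:21:31:33 | request.query | semmle.label | request.query |
+| fastify.js:32:44:32:52 | userInput | semmle.label | userInput |
+| fastify.js:37:9:37:44 | userInput | semmle.label | userInput |
+| fastify.js:37:21:37:33 | request.query | semmle.label | request.query |
+| fastify.js:38:44:38:52 | userInput | semmle.label | userInput |
+| fastify.js:42:9:42:41 | userInput | semmle.label | userInput |
+| fastify.js:42:21:42:33 | request.query | semmle.label | request.query |
+| fastify.js:43:44:43:52 | userInput | semmle.label | userInput |
+| fastify.js:47:9:47:43 | userInput | semmle.label | userInput |
+| fastify.js:47:21:47:33 | request.query | semmle.label | request.query |
+| fastify.js:48:44:48:52 | userInput | semmle.label | userInput |
+| fastify.js:52:11:52:50 | userInput | semmle.label | userInput |
+| fastify.js:52:23:52:35 | request.query | semmle.label | request.query |
+| fastify.js:53:46:53:54 | userInput | semmle.label | userInput |
 | fastify.js:57:9:57:39 | userInput | semmle.label | userInput |
 | fastify.js:57:21:57:33 | request.query | semmle.label | request.query |
 | fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |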

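--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -11,6 +11,30 @@ edges
 | express.js:27:9:27:35 | taint | express.js:36:15:36:19 | taint | provenance | |
 | express.js:27:17:27:35 | req.param("wobble") | express.js:27:9:27:35 | taint | provenance | |
 | express.js:42:30:42:32 | msg | express.js:43:10:43:12 | msg | provenance | |
+| fastify.js:4:9:4:43 | userInput | fastify.js:5:44:5:52 | userInput | provenance | |
+| fastify.js:4:21:4:33 | request.query | fastify.js:4:9:4:43 | userInput | provenance | |
+| fastify.js:9:9:9:40 | userInput | fastify.js:10:44:10:52 | userInput | provenance | |
+| fastify.js:9:21:9:33 | request.query | fastify.js:9:9:9:40 | userInput | provenance | |
+| fastify.js:15:9:15:44 | userInput | fastify.js:16:44:16:52 | userInput | provenance | |
+| fastify.js:15:21:15:33 | request.query | fastify.js:15:9:15:44 | userInput | provenance | |
+| fastify.js:21:9:21:47 | userInput | fastify.js:22:44:22:52 | userInput | provenance | |
+| fastify.js:21:21:21:33 | request.query | fastify.js:21:9:21:47 | userInput | provenance | |
+| fastify.js:26:9:26:44 | userInput | fastify.js:27:44:27:52 | userInput | provenance | |
+| fastify.js:26:21:26:33 | request.query | fastify.js:26:9:26:44 | userInput | provenance | |
+| fastify.js:31:9:31:50 | userInput | fastify.js:32:44:32:52 | userInput | provenance | |
+| fastify.js:31:21:31:33 | request.query | fastify.js:31:9:31:50 | userInput | provenance | |
+| fastify.js:37:9:37:44 | userInput | fastify.js:38:44:38:52 | userInput | provenance | |
+| fastify.js:37:21:37:33 | request.query | fastify.js:37:9:37:44 | userInput | provenance | |
+| fastify.js:42:9:42:41 | userInput | fastify.js:43:44:43:52 | userInput | provenance | |
+| fastify.js:42:21:42:33 | request.query | fastify.js:42:9:42:41 | userInput | provenance | |
+| fastify.js:47:9:47:43 | userInput | fastify.js:48:44:48:52 | userInput | provenance | |
+| fastify.js:47:21:47:33 | request.query | fastify.js:47:9:47:43 | userInput | provenance | |
+| fastify.js:52:11:52:50 | userInput | fastify.js:53:46:53:54 | userInput | provenance | |
+| fastify.js:52:23:52:35 | request.query | fastify.js:52:11:52:50 | userInput | provenance | |
+| fastify.js:57:9:57:39 | userInput | fastify.js:58:44:58:52 | userInput | provenance | |
+| fastify.js:57:9:57:39 | userInput | fastify.js:59:23:59:31 | userInput | provenance | |
+| fastify.js:57:21:57:33 | request.query | fastify.js:57:9:57:39 | userInput | provenance | |
+| fastify.js:57:21:57:39 | request.query.input | fastify.js:57:9:57:39 | userInput | provenance | |
 | react-native.js:7:7:7:33 | tainted | react-native.js:8:32:8:38 | tainted | provenance | |
 | react-native.js:7:7:7:33 | tainted | react-native.js:10:23:10:29 | tainted | provenance | |
 | react-native.js:7:17:7:33 | req.param("code") | react-native.js:7:7:7:33 | tainted | provenance | |
@@ -82,6 +106,41 @@ nodes
 | express.js:36:15:36:19 | taint | semmle.label | taint |
 | express.js:42:30:42:32 | msg | semmle.label | msg |
 | express.js:43:10:43:12 | msg | semmle.label | msg |
+| fastify.js:4:9:4:43 | userInput | semmle.label | userInput |
+| fastify.js:4:21:4:33 | request.query | semmle.label | request.query |
+| fastify.js:5:44:5:52 | userInput | semmle.label | userInput |
+| fastify.js:9:9:9:40 | userInput | semmle.label | userInput |
+| fastify.js:9:21:9:33 | request.query | semmle.label | request.query |
+| fastify.js:10:44:10:52 | userInput | semmle.label | userInput |
+| fastify.js:15:9:15:44 | userInput | semmle.label | userInput |
+| fastify.js:15:21:15:33 | request.query | semmle.label | request.query |
+| fastify.js:16:44:16:52 | userInput | semmle.label | userInput |
+| fastify.js:21:9:21:47 | userInput | semmle.label | userInput |
+| fastify.js:21:21:21:33 | request.query | semmle.label | request.query |
+| fastify.js:22:44:22:52 | userInput | semmle.label | userInput |
+| fastify.js:26:9:26:44 | userInput | semmle.label | userInput |
+| fastify.js:26:21:26:33 | request.query | semmle.label | request.query |
+| fastify.js:27:44:27:52 | userInput | semmle.label | userInput |
+| fastify.js:31:9:31:50 | userInput | semmle.label | userInput |
+| fastify.js:31:21:31:33 | request.query | semmle.label | request.query |
+| fastify.js:32:44:32:52 | userInput | semmle.label | userInput |
+| fastify.js:37:9:37:44 | userInput | semmle.label | userInput |
+| fastify.js:37:21:37:33 | request.query | semmle.label | request.query |
+| fastify.js:38:44:38:52 | userInput | semmle.label | userInput |
+| fastify.js:42:9:42:41 | userInput | semmle.label | userInput |
+| fastify.js:42:21:42:33 | request.query | semmle.label | request.query |
+| fastify.js:43:44:43:52 | userInput | semmle.label | userInput |
+| fastify.js:47:9:47:43 | userInput | semmle.label | userInput |
+| fastify.js:47:21:47:33 | request.query | semmle.label | request.query |
+| fastify.js:48:44:48:52 | userInput | semmle.label | userInput |
+| fastify.js:52:11:52:50 | userInput | semmle.label | userInput |
+| fastify.js:52:23:52:35 | request.query | semmle.label | request.query |
+| fastify.js:53:46:53:54 | userInput | semmle.label | userInput |
+| fastify.js:57:9:57:39 | userInput | semmle.label | userInput |
+| fastify.js:57:21:57:33 | request.query | semmle.label | request.query |
+| fastify.js:57:21:57:39 | request.query.input | semmle.label | request.query.input |
+| fastify.js:58:44:58:52 | userInput | semmle.label | userInput |
+| fastify.js:59:23:59:31 | userInput | semmle.label | userInput |
 | module.js:9:16:9:29 | req.query.code | semmle.label | req.query.code |
 | module.js:11:17:11:30 | req.query.code | semmle.label | req.query.code |
 | react-native.js:7:7:7:33 | tainted | semmle.label | tainted |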

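--- a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js
+++ b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/fastify.js
@@ -1,56 +1,56 @@
 const fastify = require('fastify')({ logger: true });
 
 fastify.addHook('onRequest', async (request, reply) => {
-const userInput = request.query.onRequest; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.onRequest; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.addHook('onSend', async (request, reply, payload) => {
-const userInput = request.query.onSend; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.onSend; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 return JSON.stringify({ ...JSON.parse(payload), onSend: request.evalResult });
 });
 
 fastify.addHook('preParsing', async (request, reply, payload) => {
-const userInput = request.query.preParsing; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.preParsing; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 return payload;
 });
 
 fastify.addHook('preValidation', async (request, reply) => {
-const userInput = request.query.preValidation; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.preValidation; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.addHook('preHandler', async (request, reply) => {
-const userInput = request.query.preHandler; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.preHandler; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.addHook('preSerialization', async (request, reply, payload) => {
-const userInput = request.query.preSerialization; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.preSerialization; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 return payload;
 });
 
 fastify.addHook('onResponse', async (request, reply) => {
-const userInput = request.query.onResponse; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.onResponse; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.addHook('onError', async (request, reply, error) => {
-const userInput = request.query.onError; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.onError; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.addHook('onTimeout', async (request, reply) => {
-const userInput = request.query.onTimeout; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.onTimeout; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.addHook('onRequestAbort', (request, done) => {
-const userInput = request.query.onRequestAbort; // $ MISSING: Source[js/code-injection]
-if (userInput) request.evalResult = eval(userInput); // $ MISSING: Alert[js/code-injection]
+const userInput = request.query.onRequestAbort; // $ Source[js/code-injection]
+if (userInput) request.evalResult = eval(userInput); // $ Alert[js/code-injection]
 });
 
 fastify.get('/dangerous', async (request, reply) => {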
