JS: Enable association with headers without needing a route handler

asgerf · asgerf · commit 315b1ebb9f88 · 2025-04-02T14:01:02.000+02:00
Previously it was not possible to associate a ResponseSendArgument with its header definitions if they did not have the same route handler.

But for calls like `new Response(body, { headers })` the headers are fairly obvious whereas the route handler is unnecessarily hard to find. So we use the direct and obvious association between 'body' and 'headers' in the call.
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll b/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
@@ -108,6 +108,12 @@ module Http {
      * Gets the route handler that sends this expression.
      */
     abstract RouteHandler getRouteHandler();
+
+    /**
+     * Gets a header definition associated with this response body, if it they are provided
+     * by the same call.
+     */
+    HeaderDefinition getAnAssociatedHeaderDefinition() { none() }
   }
 
   /**
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/WebResponse.qll b/javascript/ql/lib/semmle/javascript/frameworks/WebResponse.qll
@@ -93,4 +93,8 @@ private class ResponseSink extends Http::ResponseSendArgument {
   ResponseSink() { this = response.getArgument(0) }
 
   override Http::RouteHandler getRouteHandler() { none() }
+
+  override ResponseArgumentHeaders getAnAssociatedHeaderDefinition() {
+    result.getResponse() = response
+  }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll
@@ -32,13 +32,8 @@ module ReflectedXss {
    * Gets a HeaderDefinition that defines a XSS safe content-type for `send`.
    */
   Http::HeaderDefinition getAXssSafeHeaderDefinition(Http::ResponseSendArgument send) {
-    exists(Http::RouteHandler h |
-      send.getRouteHandler() = h and
-      result = xssSafeContentTypeHeader(h)
-    |
-      // The HeaderDefinition affects a response sent at `send`.
-      headerAffects(result, send)
-    )
+    isSafeHeader(result) and
+    headerAffects(result, send)
   }
 
   /**
@@ -54,14 +49,23 @@ module ReflectedXss {
       ]
   }
 
+  private predicate isSafeHeader(Http::HeaderDefinition def) {
+    exists(string tp | def.defines("content-type", tp) |
+      not tp.toLowerCase().matches(xssUnsafeContentType() + "%")
+    )
+    or
+    // It sets the content-type but the value is not known
+    def.getAHeaderName() = "content-type" and
+    not def.defines("content-type", _)
+  }
+
   /**
+   * DEPRECATED. Use `getAXssSafeHeaderDefinition` instead.
    * Holds if `h` may send a response with a content type that is safe for XSS.
    */
-  Http::HeaderDefinition xssSafeContentTypeHeader(Http::RouteHandler h) {
+  deprecated Http::HeaderDefinition xssSafeContentTypeHeader(Http::RouteHandler h) {
     result = h.getAResponseHeader("content-type") and
-    not exists(string tp | result.defines("content-type", tp) |
-      tp.toLowerCase().matches(xssUnsafeContentType() + "%")
-    )
+    isSafeHeader(result)
   }
 
   /**
@@ -80,6 +84,8 @@ module ReflectedXss {
         dominatingHeader.getBasicBlock().(ReachableBasicBlock).dominates(sender.getBasicBlock())
       )
     )
+    or
+    header = sender.getAnAssociatedHeaderDefinition()
   }
 
   bindingset[headerBlock]
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected
@@ -43,14 +43,10 @@
 | response-object.js:9:18:9:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:10:18:10:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:11:18:11:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:13:18:13:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:13:18:13:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:14:18:14:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:16:18:16:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:16:18:16:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:17:18:17:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:20:18:20:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:20:18:20:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:23:18:23:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:26:18:26:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:30:18:30:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:30:18:30:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:34:18:34:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:38:18:38:21 | data | response-object.js:7:18:7:25 | req.body | response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to a $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | tst2.js:7:12:7:12 | p | tst2.js:6:9:6:9 | p | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to a $@. | tst2.js:6:9:6:9 | p | user-provided value |
@@ -165,14 +161,10 @@ edges
 | response-object.js:7:11:7:25 | data | response-object.js:9:18:9:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:10:18:10:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:11:18:11:21 | data | provenance |  |
-| response-object.js:7:11:7:25 | data | response-object.js:13:18:13:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:14:18:14:21 | data | provenance |  |
-| response-object.js:7:11:7:25 | data | response-object.js:16:18:16:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:17:18:17:21 | data | provenance |  |
-| response-object.js:7:11:7:25 | data | response-object.js:20:18:20:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:23:18:23:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:26:18:26:21 | data | provenance |  |
-| response-object.js:7:11:7:25 | data | response-object.js:30:18:30:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:34:18:34:21 | data | provenance |  |
 | response-object.js:7:11:7:25 | data | response-object.js:38:18:38:21 | data | provenance |  |
 | response-object.js:7:18:7:25 | req.body | response-object.js:7:11:7:25 | data | provenance |  |
@@ -364,14 +356,10 @@ nodes
 | response-object.js:9:18:9:21 | data | semmle.label | data |
 | response-object.js:10:18:10:21 | data | semmle.label | data |
 | response-object.js:11:18:11:21 | data | semmle.label | data |
-| response-object.js:13:18:13:21 | data | semmle.label | data |
 | response-object.js:14:18:14:21 | data | semmle.label | data |
-| response-object.js:16:18:16:21 | data | semmle.label | data |
 | response-object.js:17:18:17:21 | data | semmle.label | data |
-| response-object.js:20:18:20:21 | data | semmle.label | data |
 | response-object.js:23:18:23:21 | data | semmle.label | data |
 | response-object.js:26:18:26:21 | data | semmle.label | data |
-| response-object.js:30:18:30:21 | data | semmle.label | data |
 | response-object.js:34:18:34:21 | data | semmle.label | data |
 | response-object.js:38:18:38:21 | data | semmle.label | data |
 | tst2.js:6:7:6:30 | p | semmle.label | p |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected
@@ -41,14 +41,10 @@
 | response-object.js:9:18:9:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:10:18:10:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:11:18:11:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:13:18:13:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:14:18:14:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:16:18:16:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:17:18:17:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:20:18:20:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:23:18:23:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:26:18:26:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
-| response-object.js:30:18:30:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:34:18:34:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | response-object.js:38:18:38:21 | data | Cross-site scripting vulnerability due to $@. | response-object.js:7:18:7:25 | req.body | user-provided value |
 | tst2.js:7:12:7:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:6:9:6:9 | p | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/response-object.js b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/response-object.js
@@ -10,14 +10,14 @@ express().get('/foo', (req) => {
     new Response(data, {}); // $ Alert
     new Response(data, { headers: null }); // $ Alert
 
-    new Response(data, { headers: { 'content-type': 'text/plain'}}); // $ SPURIOUS: Alert
+    new Response(data, { headers: { 'content-type': 'text/plain'}});
     new Response(data, { headers: { 'content-type': 'text/html'}}); // $ Alert
 
-    new Response(data, { headers: { 'Content-Type': 'text/plain'}}); // $ SPURIOUS: Alert
+    new Response(data, { headers: { 'Content-Type': 'text/plain'}});
     new Response(data, { headers: { 'Content-Type': 'text/html'}}); // $ Alert
 
     const headers1 = new Headers({ 'content-type': 'text/plain'});
-    new Response(data, { headers: headers1 }); // $ SPURIOUS: Alert
+    new Response(data, { headers: headers1 });
 
     const headers2 = new Headers({ 'content-type': 'text/html'});
     new Response(data, { headers: headers2 }); // $ Alert
@@ -27,7 +27,7 @@ express().get('/foo', (req) => {
 
     const headers4 = new Headers();
     headers4.set('content-type', 'text/plain');
-    new Response(data, { headers: headers4 }); // $ SPURIOUS: Alert
+    new Response(data, { headers: headers4 });
 
     const headers5 = new Headers();
     headers5.set('content-type', 'text/html');

Original file line number	Diff line number	Diff line change
`@@ -93,4 +93,8 @@ private class ResponseSink extends Http::ResponseSendArgument {`
`93`	`93`	`ResponseSink() { this = response.getArgument(0) }`
`94`	`94`
`95`	`95`	`override Http::RouteHandler getRouteHandler() { none() }`
	`96`	`+`
	`97`	`+ override ResponseArgumentHeaders getAnAssociatedHeaderDefinition() {`
	`98`	`+ result.getResponse() = response`
	`99`	`+ }`
`96`	`100`	`}`