Modeled Response and NextResponse as potential sinks.

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/Next.qll

@@ -3,6 +3,7 @@
  */
 
 import javascript
+import semmle.javascript.security.dataflow.ReflectedXssCustomizations
 
 /**
  * Provides classes and predicates modeling [Next.js](https://www.npmjs.com/package/next).
@@ -324,4 +325,44 @@ module NextJS {
 
     override string getSourceType() { result = "Next.js App Router request" }
   }
+
+  /**
+   * Gets the headers value from the options object passed to a Next.js Response constructor.
+   */
+  DataFlow::Node getContentTypeHeadersForResponse(DataFlow::InvokeNode responseNode) {
+    exists(DataFlow::ObjectLiteralNode options |
+      options.flowsTo(responseNode.getArgument(1)) and
+      result = options.getAPropertyWrite("headers").getRhs()
+    )
+  }
+
+  /**
+   * A sink representing response content in Next.js API routes that may be vulnerable
+   * to XSS attacks.
+   *
+   * This class identifies responses created with the standard `Response` constructor
+   * or Next.js `NextResponse`.
+   */
+  class WebApiResponseSink extends Http::ResponseSendArgument {
+    DataFlow::Node headers;
+
+    WebApiResponseSink() {
+      exists(DataFlow::InvokeNode response, DataFlow::ObjectLiteralNode options |
+        response =
+          [
+            DataFlow::globalVarRef("Response").getAnInstantiation(),
+            API::moduleImport("next/server").getMember("NextResponse").getAnInstantiation()
+          ] and
+        this = response.getArgument(0) and
+        options.flowsTo(response.getArgument(1)) and
+        headers = getContentTypeHeadersForResponse(response) and
+        not exists(DataFlow::Node goodHeaders |
+          goodHeaders = ReflectedXss::getGoodContentHeaders() and
+          goodHeaders.getALocalSource().flowsTo(headers)
+        )
+      )
+    }
+
+    override Http::RouteHandler getRouteHandler() { none() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll

@@ -136,6 +136,41 @@ module ReflectedXss {
     }
   }
 
+  /**
+   * Gets a data flow node representing headers that set content-type to a value
+   * that is not susceptible to XSS attacks.
+   */
+  DataFlow::Node getGoodContentHeaders() {
+    // Case 1: Direct object literal with content-type `headers: { 'Content-Type': 'goodType' }`
+    exists(DataFlow::ObjectLiteralNode headersObj, string name, string contentType |
+      result = headersObj and
+      name.toLowerCase() = "content-type" and
+      headersObj.getAPropertyWrite(name).getRhs().mayHaveStringValue(contentType) and
+      not contentType.toLowerCase().matches(xssUnsafeContentType() + "%")
+    )
+    or
+    // Case 2: Headers with set/append methods `headers.append('Content-Type', 'goodType')`
+    exists(DataFlow::MethodCallNode call, string contentType |
+      call.getMethodName() = ["set", "append"] and
+      call.getReceiver().getALocalSource() = result and
+      call.getArgument(0).mayHaveStringValue(any(string s | s.toLowerCase() = "content-type")) and
+      call.getArgument(1).mayHaveStringValue(contentType) and
+      not contentType.toLowerCase().matches(xssUnsafeContentType() + "%")
+    )
+    or
+    // Case 3: New Headers with initial content-type `new Headers({ 'Content-Type': 'goodType' })`
+    exists(
+      NewExpr headersNew, DataFlow::ObjectLiteralNode headersInit, string name, string contentType
+    |
+      result.asExpr() = headersNew and
+      headersNew.getCalleeName() = "Headers" and
+      headersInit.flowsTo(DataFlow::valueNode(headersNew.getArgument(0))) and
+      name.toLowerCase() = "content-type" and
+      headersInit.getAPropertyWrite(name).getRhs().mayHaveStringValue(contentType) and
+      not contentType.toLowerCase().matches(xssUnsafeContentType() + "%")
+    )
+  }
+
   private class SinkFromModel extends Sink {
     SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
   }

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -27,6 +27,12 @@
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to a $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
+| app/api/route.ts:5:18:5:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:5:18:5:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/route.ts:13:18:13:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:13:18:13:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/route.ts:25:18:25:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:25:18:25:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/route.ts:29:25:29:28 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:29:25:29:28 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/routeNextRequest.ts:5:20:5:23 | data | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:5:20:5:23 | data | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
+| app/api/routeNextRequest.ts:6:27:6:30 | data | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:6:27:6:30 | data | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
@@ -119,6 +125,16 @@ edges
 | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:135:9:135:27 | url | provenance |  |
 | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | provenance |  |
 | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | provenance |  |
+| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:5:18:5:21 | body | provenance |  |
+| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:13:18:13:21 | body | provenance |  |
+| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:25:18:25:21 | body | provenance |  |
+| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:29:25:29:28 | body | provenance |  |
+| app/api/route.ts:2:18:2:33 | await req.json() | app/api/route.ts:2:11:2:33 | body | provenance |  |
+| app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:2:18:2:33 | await req.json() | provenance |  |
+| app/api/routeNextRequest.ts:4:9:4:31 | data | app/api/routeNextRequest.ts:5:20:5:23 | data | provenance |  |
+| app/api/routeNextRequest.ts:4:9:4:31 | data | app/api/routeNextRequest.ts:6:27:6:30 | data | provenance |  |
+| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:31 | data | provenance |  |
+| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance |  |
 | etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response | provenance |  |
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:53 | response | provenance |  |
 | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil | provenance |  |
@@ -290,6 +306,18 @@ nodes
 | ReflectedXssGood3.js:135:15:135:27 | req.params.id | semmle.label | req.params.id |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | semmle.label | escapeHtml3(url) |
 | ReflectedXssGood3.js:139:24:139:26 | url | semmle.label | url |
+| app/api/route.ts:2:11:2:33 | body | semmle.label | body |
+| app/api/route.ts:2:18:2:33 | await req.json() | semmle.label | await req.json() |
+| app/api/route.ts:2:24:2:33 | req.json() | semmle.label | req.json() |
+| app/api/route.ts:5:18:5:21 | body | semmle.label | body |
+| app/api/route.ts:13:18:13:21 | body | semmle.label | body |
+| app/api/route.ts:25:18:25:21 | body | semmle.label | body |
+| app/api/route.ts:29:25:29:28 | body | semmle.label | body |
+| app/api/routeNextRequest.ts:4:9:4:31 | data | semmle.label | data |
+| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | semmle.label | await req.json() |
+| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | semmle.label | req.json() |
+| app/api/routeNextRequest.ts:5:20:5:23 | data | semmle.label | data |
+| app/api/routeNextRequest.ts:6:27:6:30 | data | semmle.label | data |
 | etherpad.js:9:5:9:53 | response | semmle.label | response |
 | etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp |
 | etherpad.js:11:12:11:19 | response | semmle.label | response |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -26,6 +26,12 @@
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
+| app/api/route.ts:5:18:5:21 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/route.ts:13:18:13:21 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/route.ts:25:18:25:21 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/route.ts:29:25:29:28 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
+| app/api/routeNextRequest.ts:5:20:5:23 | data | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
+| app/api/routeNextRequest.ts:6:27:6:30 | data | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | live-server.js:6:13:6:50 | `<html> ... /html>` | Cross-site scripting vulnerability due to $@. | live-server.js:4:21:4:27 | req.url | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts

@@ -1,16 +1,16 @@
 export async function POST(req: Request) {
-    const body = await req.json(); // $ MISSING: Source
+    const body = await req.json(); // $ Source
 
     new Response(body, {headers: { 'Content-Type': 'application/json' }}); // This is okay, since content type is set to application/json
-    new Response(body, {headers: { 'Content-Type': 'text/html' }});  // $ MISSING: Alert
+    new Response(body, {headers: { 'Content-Type': 'text/html' }});  // $ Alert
 
     const headers2 = new Headers(req.headers);
     headers2.append('Content-Type', 'application/json');
     new Response(body, { headers: headers2 }); // This is okay, since content type is set to application/json
 
     const headers3 = new Headers(req.headers);
     headers3.append('Content-Type', 'text/html');
-    new Response(body, { headers: headers3 }); // $ MISSING: Alert
+    new Response(body, { headers: headers3 }); // $ Alert
 
     const headers4 = new Headers({
         ...Object.fromEntries(req.headers),
@@ -22,9 +22,9 @@ export async function POST(req: Request) {
         ...Object.fromEntries(req.headers),
         'Content-Type': 'text/html'
     });
-    new Response(body, { headers: headers5 }); // $ MISSING: Alert
+    new Response(body, { headers: headers5 }); // $ Alert
 
     const headers = new Headers(req.headers);
     headers.set('Content-Type', 'text/html');
-    return new Response(body, { headers }); // $ MISSING: Alert
+    return new Response(body, { headers }); // $ Alert
 }

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts

@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 export async function POST(req: NextRequest) {
-  const data = await req.json(); // $ MISSING: Source
-  new NextResponse(data, {headers: { 'Content-Type': 'text/html' }});  // $ MISSING: Alert
-  return new NextResponse(data, { headers: req.headers });  // $ MISSING: Alert
+  const data = await req.json(); // $ Source
+  new NextResponse(data, {headers: { 'Content-Type': 'text/html' }});  // $ Alert
+  return new NextResponse(data, { headers: req.headers });  // $ Alert
 }