From c9da7994a7666c4e3df5e6e6e0dac8b3c4c4f9b3 Mon Sep 17 00:00:00 2001 From: Napalys Date: Mon, 31 Mar 2025 13:50:56 +0200 Subject: [PATCH 1/4] Added test cases with missing alerts for `Request` and `NextRequest`. --- .../Request/app/api/proxy/route.serverSide.ts | 5 +++++ .../Request/app/api/proxy/route2.serverSide.ts | 8 ++++++++ .../Security/CWE-918/Request/package.json | 13 +++++++++++++ 3 files changed, 26 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts create mode 100644 javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts create mode 100644 javascript/ql/test/query-tests/Security/CWE-918/Request/package.json diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts new file mode 100644 index 000000000000..bfee2442afb0 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts @@ -0,0 +1,5 @@ +export async function POST(req: Request) { + const { url } = await req.json(); // $ MISSING: Source[js/request-forgery] + const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery] + return new Response(res.body, { headers: res.headers }); +} diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts new file mode 100644 index 000000000000..7b212a73542c --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts @@ -0,0 +1,8 @@ +import { NextRequest, NextResponse } from 'next/server'; + +export async function POST(req: NextRequest) { + const { url } = await req.json(); // $ MISSING: Source[js/request-forgery] + const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery] + const data = await res.text(); + return new NextResponse(data, { headers: res.headers }); +} diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json b/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json new file mode 100644 index 000000000000..329c7acb8239 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/package.json @@ -0,0 +1,13 @@ +{ + "name": "next-edge-proxy-app", + "version": "0.1.0", + "private": true, + "scripts": { + "dev": "next dev", + "build": "next build", + "start": "next start" + }, + "dependencies": { + "next": "15.1.7" + } +} From 050da9fb8731f29ce0a7fda58bf4def0a8fb43ce Mon Sep 17 00:00:00 2001 From: Napalys Date: Mon, 31 Mar 2025 13:57:43 +0200 Subject: [PATCH 2/4] Enhance Next.js API endpoint handling for compatibility with both Pages and App Router structures. --- .../lib/semmle/javascript/frameworks/Next.qll | 58 ++++++++++++++++++- .../Request/app/api/proxy/route.serverSide.ts | 4 +- .../app/api/proxy/route2.serverSide.ts | 4 +- .../Security/CWE-918/RequestForgery.expected | 20 +++++++ 4 files changed, 80 insertions(+), 6 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index 8fce608a9704..6333c9442d85 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -213,10 +213,12 @@ module NextJS { /** * Gets a folder that contains API endpoints for a Next.js application. * These API endpoints act as Express-like route-handlers. + * It matches both the Pages Router (`pages/api/`) Next.js 12 or earlier and + * the App Router (`app/api/`) Next.js 13+ structures. */ Folder apiFolder() { - result = getANextPackage().getFile().getParentContainer().getFolder("pages").getFolder("api") - or + result = + getANextPackage().getFile().getParentContainer().getFolder(["pages", "app"]).getFolder("api") or result = apiFolder().getAFolder() } @@ -271,4 +273,56 @@ module NextJS { override string getCredentialsKind() { result = "jwt key" } } } + + /** + * A route handler for Next.js 13+ App Router API endpoints, which are defined by exporting + * HTTP method functions (like `GET`, `POST`, `PUT`, `DELETE`) from route.js files inside + * the `app/api/` directory. + */ + class NextAppRouteHandler extends DataFlow::FunctionNode, Http::Servers::StandardRouteHandler { + NextAppRouteHandler() { + exists(Module mod | mod.getFile().getParentContainer() = apiFolder() | + this = mod.getAnExportedValue(any(Http::RequestMethodName m)).getAFunctionValue() and + ( + this.getParameter(0).hasUnderlyingType("next/server", "NextRequest") + or + this.getParameter(0).hasUnderlyingType("Request") + ) + ) + } + + /** + * Gets the request parameter, which is either a `NextRequest` object (from `next/server`) or a standard web `Request` object. + */ + DataFlow::SourceNode getRequest() { result = this.getParameter(0) } + } + + /** + * A source of user-controlled data from a `NextRequest` object (from `next/server`) or a standard web `Request` object + * in a Next.js App Router route handler. + */ + class NextAppRequestSource extends Http::RequestInputAccess { + NextAppRouteHandler handler; + string kind; + + NextAppRequestSource() { + ( + this = + handler.getRequest().getAMethodCall(["json", "formData", "blob", "arrayBuffer", "text"]) + or + this = handler.getRequest().getAPropertyRead("body") + ) and + kind = "body" + or + this = handler.getRequest().getAPropertyRead(["url", "nextUrl"]) and kind = "url" + or + this = handler.getRequest().getAPropertyRead("headers") and kind = "headers" + } + + override string getKind() { result = kind } + + override Http::RouteHandler getRouteHandler() { result = handler } + + override string getSourceType() { result = "Next.js App Router request" } + } } diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts index bfee2442afb0..f3d05b7e5aa2 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts +++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts @@ -1,5 +1,5 @@ export async function POST(req: Request) { - const { url } = await req.json(); // $ MISSING: Source[js/request-forgery] - const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery] + const { url } = await req.json(); // $ Source[js/request-forgery] + const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery] return new Response(res.body, { headers: res.headers }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts index 7b212a73542c..051ba67e401f 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts +++ b/javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts @@ -1,8 +1,8 @@ import { NextRequest, NextResponse } from 'next/server'; export async function POST(req: NextRequest) { - const { url } = await req.json(); // $ MISSING: Source[js/request-forgery] - const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery] + const { url } = await req.json(); // $ Source[js/request-forgery] + const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery] const data = await res.text(); return new NextResponse(data, { headers: res.headers }); } diff --git a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected index 78b02c5f7db4..b8436fa6722e 100644 --- a/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected +++ b/javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected @@ -1,4 +1,6 @@ #select +| Request/app/api/proxy/route2.serverSide.ts:5:21:5:30 | fetch(url) | Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | The $@ of this request depends on a $@. | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | URL | Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | user-provided value | +| Request/app/api/proxy/route.serverSide.ts:3:21:3:30 | fetch(url) | Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | The $@ of this request depends on a $@. | Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | URL | Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | user-provided value | | apollo.serverSide.ts:8:39:8:64 | get(fil ... => {}) | apollo.serverSide.ts:7:36:7:44 | { files } | apollo.serverSide.ts:8:43:8:50 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:8:43:8:50 | file.url | URL | apollo.serverSide.ts:7:36:7:44 | { files } | user-provided value | | apollo.serverSide.ts:18:37:18:62 | get(fil ... => {}) | apollo.serverSide.ts:17:34:17:42 | { files } | apollo.serverSide.ts:18:41:18:48 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:18:41:18:48 | file.url | URL | apollo.serverSide.ts:17:34:17:42 | { files } | user-provided value | | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | The $@ of this request depends on a $@. | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | endpoint | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | user-provided value | @@ -27,6 +29,14 @@ | serverSide.js:125:5:128:6 | axios({ ... \\n }) | serverSide.js:123:29:123:35 | req.url | serverSide.js:127:14:127:20 | tainted | The $@ of this request depends on a $@. | serverSide.js:127:14:127:20 | tainted | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | | serverSide.js:131:5:131:20 | axios.get(myUrl) | serverSide.js:123:29:123:35 | req.url | serverSide.js:131:15:131:19 | myUrl | The $@ of this request depends on a $@. | serverSide.js:131:15:131:19 | myUrl | URL | serverSide.js:123:29:123:35 | req.url | user-provided value | edges +| Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | Request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | provenance | | +| Request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | provenance | | +| Request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | provenance | | +| Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | Request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | provenance | | +| Request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | Request/app/api/proxy/route.serverSide.ts:2:9:2:34 | url | provenance | | +| Request/app/api/proxy/route.serverSide.ts:2:9:2:34 | url | Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | provenance | | +| Request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | Request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | provenance | | +| Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | Request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | provenance | | | apollo.serverSide.ts:7:36:7:44 | files | apollo.serverSide.ts:8:13:8:17 | files | provenance | | | apollo.serverSide.ts:7:36:7:44 | { files } | apollo.serverSide.ts:7:36:7:44 | files | provenance | | | apollo.serverSide.ts:8:13:8:17 | files | apollo.serverSide.ts:8:28:8:31 | file | provenance | | @@ -91,6 +101,16 @@ edges | serverSide.js:130:9:130:45 | myUrl | serverSide.js:131:15:131:19 | myUrl | provenance | | | serverSide.js:130:37:130:43 | tainted | serverSide.js:130:9:130:45 | myUrl | provenance | | nodes +| Request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | semmle.label | { url } | +| Request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | semmle.label | url | +| Request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | semmle.label | await req.json() | +| Request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | semmle.label | req.json() | +| Request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | semmle.label | url | +| Request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | semmle.label | { url } | +| Request/app/api/proxy/route.serverSide.ts:2:9:2:34 | url | semmle.label | url | +| Request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | semmle.label | await req.json() | +| Request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | semmle.label | req.json() | +| Request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | semmle.label | url | | apollo.serverSide.ts:7:36:7:44 | files | semmle.label | files | | apollo.serverSide.ts:7:36:7:44 | { files } | semmle.label | { files } | | apollo.serverSide.ts:8:13:8:17 | files | semmle.label | files | From d7691eaedd5259f008138af0b1d9cf3cbce1a38e Mon Sep 17 00:00:00 2001 From: Napalys Date: Tue, 1 Apr 2025 14:14:27 +0200 Subject: [PATCH 3/4] Added test cases for `NextResponse` and `Response` --- .../CWE-079/ReflectedXss/app/api/route.ts | 30 +++++++++++++++++++ .../ReflectedXss/app/api/routeNextRequest.ts | 7 +++++ 2 files changed, 37 insertions(+) create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts create mode 100644 javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts new file mode 100644 index 000000000000..a863c8c191ca --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts @@ -0,0 +1,30 @@ +export async function POST(req: Request) { + const body = await req.json(); // $ MISSING: Source + + new Response(body, {headers: { 'Content-Type': 'application/json' }}); // This is okay, since content type is set to application/json + new Response(body, {headers: { 'Content-Type': 'text/html' }}); // $ MISSING: Alert + + const headers2 = new Headers(req.headers); + headers2.append('Content-Type', 'application/json'); + new Response(body, { headers: headers2 }); // This is okay, since content type is set to application/json + + const headers3 = new Headers(req.headers); + headers3.append('Content-Type', 'text/html'); + new Response(body, { headers: headers3 }); // $ MISSING: Alert + + const headers4 = new Headers({ + ...Object.fromEntries(req.headers), + 'Content-Type': 'application/json' + }); + new Response(body, { headers: headers4 }); // This is okay, since content type is set to application/json + + const headers5 = new Headers({ + ...Object.fromEntries(req.headers), + 'Content-Type': 'text/html' + }); + new Response(body, { headers: headers5 }); // $ MISSING: Alert + + const headers = new Headers(req.headers); + headers.set('Content-Type', 'text/html'); + return new Response(body, { headers }); // $ MISSING: Alert +} diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts new file mode 100644 index 000000000000..65a1b57488c6 --- /dev/null +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts @@ -0,0 +1,7 @@ +import { NextRequest, NextResponse } from 'next/server'; + +export async function POST(req: NextRequest) { + const data = await req.json(); // $ MISSING: Source + new NextResponse(data, {headers: { 'Content-Type': 'text/html' }}); // $ MISSING: Alert + return new NextResponse(data, { headers: req.headers }); // $ MISSING: Alert +} From ca5a834a2356ecd161243b0bfa68423ae66d63da Mon Sep 17 00:00:00 2001 From: Napalys Date: Tue, 1 Apr 2025 14:44:27 +0200 Subject: [PATCH 4/4] Modeled `Response` and `NextResponse` as potential sinks. --- .../lib/semmle/javascript/frameworks/Next.qll | 41 +++++++++++++++++++ .../dataflow/ReflectedXssCustomizations.qll | 35 ++++++++++++++++ .../ReflectedXss/ReflectedXss.expected | 28 +++++++++++++ .../ReflectedXssWithCustomSanitizer.expected | 6 +++ .../CWE-079/ReflectedXss/app/api/route.ts | 10 ++--- .../ReflectedXss/app/api/routeNextRequest.ts | 6 +-- 6 files changed, 118 insertions(+), 8 deletions(-) diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll index 6333c9442d85..0ce1f3d6c068 100644 --- a/javascript/ql/lib/semmle/javascript/frameworks/Next.qll +++ b/javascript/ql/lib/semmle/javascript/frameworks/Next.qll @@ -3,6 +3,7 @@ */ import javascript +import semmle.javascript.security.dataflow.ReflectedXssCustomizations /** * Provides classes and predicates modeling [Next.js](https://www.npmjs.com/package/next). @@ -325,4 +326,44 @@ module NextJS { override string getSourceType() { result = "Next.js App Router request" } } + + /** + * Gets the headers value from the options object passed to a Next.js Response constructor. + */ + DataFlow::Node getContentTypeHeadersForResponse(DataFlow::InvokeNode responseNode) { + exists(DataFlow::ObjectLiteralNode options | + options.flowsTo(responseNode.getArgument(1)) and + result = options.getAPropertyWrite("headers").getRhs() + ) + } + + /** + * A sink representing response content in Next.js API routes that may be vulnerable + * to XSS attacks. + * + * This class identifies responses created with the standard `Response` constructor + * or Next.js `NextResponse`. + */ + class WebApiResponseSink extends Http::ResponseSendArgument { + WebApiResponseSink() { + exists( + DataFlow::InvokeNode response, DataFlow::ObjectLiteralNode options, DataFlow::Node headers + | + response = + [ + DataFlow::globalVarRef("Response").getAnInstantiation(), + API::moduleImport("next/server").getMember("NextResponse").getAnInstantiation() + ] and + this = response.getArgument(0) and + options.flowsTo(response.getArgument(1)) and + headers = getContentTypeHeadersForResponse(response) and + not exists(DataFlow::Node goodHeaders | + goodHeaders = ReflectedXss::getGoodContentHeaders() and + goodHeaders.getALocalSource().flowsTo(headers) + ) + ) + } + + override Http::RouteHandler getRouteHandler() { none() } + } } diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll index 6ddedd4f727b..249b185343e4 100644 --- a/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll +++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll @@ -136,6 +136,41 @@ module ReflectedXss { } } + /** + * Gets a data flow node representing headers that set content-type to a value + * that is not susceptible to XSS attacks. + */ + DataFlow::Node getGoodContentHeaders() { + // Case 1: Direct object literal with content-type `headers: { 'Content-Type': 'goodType' }` + exists(DataFlow::ObjectLiteralNode headersObj, string name, string contentType | + result = headersObj and + name.toLowerCase() = "content-type" and + headersObj.getAPropertyWrite(name).getRhs().mayHaveStringValue(contentType) and + not contentType.toLowerCase().matches(xssUnsafeContentType() + "%") + ) + or + // Case 2: Headers with set/append methods `headers.append('Content-Type', 'goodType')` + exists(DataFlow::MethodCallNode call, string contentType | + call.getMethodName() = ["set", "append"] and + call.getReceiver().getALocalSource() = result and + call.getArgument(0).mayHaveStringValue(any(string s | s.toLowerCase() = "content-type")) and + call.getArgument(1).mayHaveStringValue(contentType) and + not contentType.toLowerCase().matches(xssUnsafeContentType() + "%") + ) + or + // Case 3: New Headers with initial content-type `new Headers({ 'Content-Type': 'goodType' })` + exists( + NewExpr headersNew, DataFlow::ObjectLiteralNode headersInit, string name, string contentType + | + result.asExpr() = headersNew and + headersNew.getCalleeName() = "Headers" and + headersInit.flowsTo(DataFlow::valueNode(headersNew.getArgument(0))) and + name.toLowerCase() = "content-type" and + headersInit.getAPropertyWrite(name).getRhs().mayHaveStringValue(contentType) and + not contentType.toLowerCase().matches(xssUnsafeContentType() + "%") + ) + } + private class SinkFromModel extends Sink { SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() } } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected index d85a90e4026a..81228aab07cd 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected @@ -27,6 +27,12 @@ | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value | | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to a $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value | +| app/api/route.ts:5:18:5:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:5:18:5:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/route.ts:13:18:13:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:13:18:13:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/route.ts:25:18:25:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:25:18:25:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/route.ts:29:25:29:28 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:29:25:29:28 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/routeNextRequest.ts:5:20:5:23 | data | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:5:20:5:23 | data | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/api/routeNextRequest.ts:6:27:6:30 | data | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:6:27:6:30 | data | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value | | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | @@ -119,6 +125,16 @@ edges | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:135:9:135:27 | url | provenance | | | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | provenance | | | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | provenance | | +| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:5:18:5:21 | body | provenance | | +| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:13:18:13:21 | body | provenance | | +| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:25:18:25:21 | body | provenance | | +| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:29:25:29:28 | body | provenance | | +| app/api/route.ts:2:18:2:33 | await req.json() | app/api/route.ts:2:11:2:33 | body | provenance | | +| app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:2:18:2:33 | await req.json() | provenance | | +| app/api/routeNextRequest.ts:4:9:4:31 | data | app/api/routeNextRequest.ts:5:20:5:23 | data | provenance | | +| app/api/routeNextRequest.ts:4:9:4:31 | data | app/api/routeNextRequest.ts:6:27:6:30 | data | provenance | | +| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:31 | data | provenance | | +| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance | | | etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response | provenance | | | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:53 | response | provenance | | | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil | provenance | | @@ -290,6 +306,18 @@ nodes | ReflectedXssGood3.js:135:15:135:27 | req.params.id | semmle.label | req.params.id | | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | semmle.label | escapeHtml3(url) | | ReflectedXssGood3.js:139:24:139:26 | url | semmle.label | url | +| app/api/route.ts:2:11:2:33 | body | semmle.label | body | +| app/api/route.ts:2:18:2:33 | await req.json() | semmle.label | await req.json() | +| app/api/route.ts:2:24:2:33 | req.json() | semmle.label | req.json() | +| app/api/route.ts:5:18:5:21 | body | semmle.label | body | +| app/api/route.ts:13:18:13:21 | body | semmle.label | body | +| app/api/route.ts:25:18:25:21 | body | semmle.label | body | +| app/api/route.ts:29:25:29:28 | body | semmle.label | body | +| app/api/routeNextRequest.ts:4:9:4:31 | data | semmle.label | data | +| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | semmle.label | await req.json() | +| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | semmle.label | req.json() | +| app/api/routeNextRequest.ts:5:20:5:23 | data | semmle.label | data | +| app/api/routeNextRequest.ts:6:27:6:30 | data | semmle.label | data | | etherpad.js:9:5:9:53 | response | semmle.label | response | | etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp | | etherpad.js:11:12:11:19 | response | semmle.label | response | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected index fb0748b3acdd..b44a1d0ea492 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected @@ -26,6 +26,12 @@ | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value | | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value | | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value | +| app/api/route.ts:5:18:5:21 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/route.ts:13:18:13:21 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/route.ts:25:18:25:21 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/route.ts:29:25:29:28 | body | Cross-site scripting vulnerability due to $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value | +| app/api/routeNextRequest.ts:5:20:5:23 | data | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | +| app/api/routeNextRequest.ts:6:27:6:30 | data | Cross-site scripting vulnerability due to $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value | | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value | | live-server.js:6:13:6:50 | ` ... /html>` | Cross-site scripting vulnerability due to $@. | live-server.js:4:21:4:27 | req.url | user-provided value | diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts index a863c8c191ca..755f1421308a 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/route.ts @@ -1,8 +1,8 @@ export async function POST(req: Request) { - const body = await req.json(); // $ MISSING: Source + const body = await req.json(); // $ Source new Response(body, {headers: { 'Content-Type': 'application/json' }}); // This is okay, since content type is set to application/json - new Response(body, {headers: { 'Content-Type': 'text/html' }}); // $ MISSING: Alert + new Response(body, {headers: { 'Content-Type': 'text/html' }}); // $ Alert const headers2 = new Headers(req.headers); headers2.append('Content-Type', 'application/json'); @@ -10,7 +10,7 @@ export async function POST(req: Request) { const headers3 = new Headers(req.headers); headers3.append('Content-Type', 'text/html'); - new Response(body, { headers: headers3 }); // $ MISSING: Alert + new Response(body, { headers: headers3 }); // $ Alert const headers4 = new Headers({ ...Object.fromEntries(req.headers), @@ -22,9 +22,9 @@ export async function POST(req: Request) { ...Object.fromEntries(req.headers), 'Content-Type': 'text/html' }); - new Response(body, { headers: headers5 }); // $ MISSING: Alert + new Response(body, { headers: headers5 }); // $ Alert const headers = new Headers(req.headers); headers.set('Content-Type', 'text/html'); - return new Response(body, { headers }); // $ MISSING: Alert + return new Response(body, { headers }); // $ Alert } diff --git a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts index 65a1b57488c6..d495a5aae523 100644 --- a/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts +++ b/javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/app/api/routeNextRequest.ts @@ -1,7 +1,7 @@ import { NextRequest, NextResponse } from 'next/server'; export async function POST(req: NextRequest) { - const data = await req.json(); // $ MISSING: Source - new NextResponse(data, {headers: { 'Content-Type': 'text/html' }}); // $ MISSING: Alert - return new NextResponse(data, { headers: req.headers }); // $ MISSING: Alert + const data = await req.json(); // $ Source + new NextResponse(data, {headers: { 'Content-Type': 'text/html' }}); // $ Alert + return new NextResponse(data, { headers: req.headers }); // $ Alert }