JS: model Koa redirects

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/frameworks/Koa.qll

@@ -291,4 +291,20 @@ module Koa {
 
     override RouteHandler getRouteHandler() { result = rh }
   }
+
+  /**
+   * An invocation of the `redirect` method of an HTTP response object.
+   */
+  private class RedirectInvocation extends HTTP::RedirectInvocation, MethodCallExpr {
+    RouteHandler rh;
+
+    RedirectInvocation() {
+      this.(MethodCallExpr).calls(rh.getAResponseOrContextExpr(), "redirect")
+    }
+
+    override Expr getUrlArgument() { result = getArgument(0) }
+
+    override RouteHandler getRouteHandler() { result = rh }
+  }
+
 }

javascript/ql/test/library-tests/frameworks/koa/tests.expected

@@ -161,3 +161,5 @@ test_ContextExpr
 | src/koa.js:43:2:43:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
 | src/koa.js:44:2:44:4 | ctx | src/koa.js:30:10:45:1 | async c ... url);\\n} |
 test_RedirectInvocation
+| src/koa.js:43:2:43:18 | ctx.redirect(url) | src/koa.js:43:15:43:17 | url | src/koa.js:30:10:45:1 | async c ... url);\\n} |
+| src/koa.js:44:2:44:27 | ctx.res ... ct(url) | src/koa.js:44:24:44:26 | url | src/koa.js:30:10:45:1 | async c ... url);\\n} |

javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/ServerSideUrlRedirect.expected

@@ -22,6 +22,12 @@ nodes
 | express.js:135:23:135:37 | req.params.user |
 | express.js:136:16:136:36 | 'u' + r ... ms.user |
 | express.js:136:22:136:36 | req.params.user |
+| koa.js:6:6:6:27 | url |
+| koa.js:6:12:6:27 | ctx.query.target |
+| koa.js:7:15:7:17 | url |
+| koa.js:8:15:8:26 | `${url}${x}` |
+| koa.js:8:18:8:20 | url |
+| koa.js:14:16:14:18 | url |
 | node.js:6:7:6:52 | target |
 | node.js:6:16:6:39 | url.par ... , true) |
 | node.js:6:16:6:45 | url.par ... ).query |
@@ -60,6 +66,24 @@ edges
 | express.js:134:22:134:36 | req.params.user | express.js:134:16:134:36 | '/' + r ... ms.user |
 | express.js:135:23:135:37 | req.params.user | express.js:135:16:135:37 | '//' +  ... ms.user |
 | express.js:136:22:136:36 | req.params.user | express.js:136:16:136:36 | 'u' + r ... ms.user |
+| koa.js:6:6:6:27 | url | koa.js:7:15:7:17 | url |
+| koa.js:6:6:6:27 | url | koa.js:8:18:8:20 | url |
+| koa.js:6:6:6:27 | url | koa.js:10:40:10:42 | url |
+| koa.js:6:6:6:27 | url | koa.js:10:40:10:42 | url |
+| koa.js:6:6:6:27 | url | koa.js:10:51:10:51 | url |
+| koa.js:6:6:6:27 | url | koa.js:11:6:11:8 | url |
+| koa.js:6:6:6:27 | url | koa.js:14:16:14:18 | url |
+| koa.js:6:12:6:27 | ctx.query.target | koa.js:6:6:6:27 | url |
+| koa.js:8:18:8:20 | url | koa.js:8:15:8:26 | `${url}${x}` |
+| koa.js:10:40:10:42 | url | koa.js:10:51:10:51 | url |
+| koa.js:10:40:10:42 | url | koa.js:10:51:10:51 | url |
+| koa.js:10:40:10:42 | url | koa.js:11:6:11:8 | url |
+| koa.js:10:40:10:42 | url | koa.js:11:6:11:8 | url |
+| koa.js:10:40:10:42 | url | koa.js:14:16:14:18 | url |
+| koa.js:10:40:10:42 | url | koa.js:14:16:14:18 | url |
+| koa.js:10:51:10:51 | url | koa.js:11:6:11:8 | url |
+| koa.js:10:51:10:51 | url | koa.js:14:16:14:18 | url |
+| koa.js:11:6:11:8 | url | koa.js:14:16:14:18 | url |
 | node.js:6:7:6:52 | target | node.js:7:34:7:39 | target |
 | node.js:6:16:6:39 | url.par ... , true) | node.js:6:16:6:45 | url.par ... ).query |
 | node.js:6:16:6:45 | url.par ... ).query | node.js:6:16:6:52 | url.par ... .target |
@@ -95,6 +119,9 @@ edges
 | express.js:134:16:134:36 | '/' + r ... ms.user | express.js:134:22:134:36 | req.params.user | express.js:134:16:134:36 | '/' + r ... ms.user | Untrusted URL redirection due to $@. | express.js:134:22:134:36 | req.params.user | user-provided value |
 | express.js:135:16:135:37 | '//' +  ... ms.user | express.js:135:23:135:37 | req.params.user | express.js:135:16:135:37 | '//' +  ... ms.user | Untrusted URL redirection due to $@. | express.js:135:23:135:37 | req.params.user | user-provided value |
 | express.js:136:16:136:36 | 'u' + r ... ms.user | express.js:136:22:136:36 | req.params.user | express.js:136:16:136:36 | 'u' + r ... ms.user | Untrusted URL redirection due to $@. | express.js:136:22:136:36 | req.params.user | user-provided value |
+| koa.js:7:15:7:17 | url | koa.js:6:12:6:27 | ctx.query.target | koa.js:7:15:7:17 | url | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
+| koa.js:8:15:8:26 | `${url}${x}` | koa.js:6:12:6:27 | ctx.query.target | koa.js:8:15:8:26 | `${url}${x}` | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
+| koa.js:14:16:14:18 | url | koa.js:6:12:6:27 | ctx.query.target | koa.js:14:16:14:18 | url | Untrusted URL redirection due to $@. | koa.js:6:12:6:27 | ctx.query.target | user-provided value |
 | node.js:7:34:7:39 | target | node.js:6:26:6:32 | req.url | node.js:7:34:7:39 | target | Untrusted URL redirection due to $@. | node.js:6:26:6:32 | req.url | user-provided value |
 | node.js:15:34:15:45 | '/' + target | node.js:11:26:11:32 | req.url | node.js:15:34:15:45 | '/' + target | Untrusted URL redirection due to $@. | node.js:11:26:11:32 | req.url | user-provided value |
 | node.js:32:34:32:55 | target  ... =" + me | node.js:29:26:29:32 | req.url | node.js:32:34:32:55 | target  ... =" + me | Untrusted URL redirection due to $@. | node.js:29:26:29:32 | req.url | user-provided value |

javascript/ql/test/query-tests/Security/CWE-601/ServerSideUrlRedirect/koa.js

@@ -0,0 +1,24 @@
+const Koa = require('koa');
+const url = require('url');
+const app = new Koa();
+
+app.use(async ctx => {
+	var url = ctx.query.target;
+	ctx.redirect(url); // NOT OK
+	ctx.redirect(`${url}${x}`); // NOT OK
+
+	var isCrossDomainRedirect = url.parse(url || '', false, true).hostname;
+	if(!url || isCrossDomainRedirect) {
+		ctx.redirect('/'); // OK
+	} else {
+		ctx.redirect(url); // NOT OK
+	}
+
+	if(!url || isCrossDomainRedirect || ! url.match(VALID)) {
+		ctx.redirect('/'); // OK
+	} else {
+		ctx.redirect(url); // OK
+	}
+});
+
+app.listen(3000);