JS: treat the last argument to https.createServer as a route handler

Author: Esben Sparre Andreasen

change-notes/1.21/analysis-javascript.md

@@ -4,6 +4,7 @@
 
 * Support for the following frameworks and libraries has been improved:
   - [socket.io](http://socket.io)
+  - [Node.js](http://nodejs.org)
 
 * The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages intcluding [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).
 

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -180,7 +180,7 @@ module NodeJSLib {
 
     RouteSetup() {
       server.flowsTo(this) and
-      handler = getArgument(0)
+      handler = getLastArgument()
       or
       server.flowsTo(getReceiver()) and
       this.(MethodCallExpr).getMethodName().regexpMatch("on(ce)?") and
@@ -663,7 +663,7 @@ module NodeJSLib {
 
     RouteSetupCandidate() {
       getMethodName() = "createServer" and
-      arg = getArgument(0)
+      arg = getLastArgument()
       or
       getMethodName().regexpMatch("on(ce)?") and
       getArgument(0).mayHaveStringValue("request") and

javascript/ql/test/library-tests/frameworks/NodeJSLib/createServer.js

@@ -0,0 +1,3 @@
+var https = require('https');
+https.createServer(function (req, res) {});
+https.createServer(o, function (req, res) {});

javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected

@@ -1,4 +1,6 @@
 test_isCreateServer
+| createServer.js:2:1:2:42 | https.c ... es) {}) |
+| createServer.js:3:1:3:45 | https.c ... es) {}) |
 | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) |
 | src/http.js:12:1:16:2 | http.cr ... r");\\n}) |
 | src/http.js:57:1:57:31 | http.cr ... dler()) |
@@ -47,6 +49,8 @@ test_HeaderDefinition
 | src/https.js:7:3:7:42 | res.wri ... rget }) | src/https.js:4:33:10:1 | functio ... .foo;\\n} |
 | src/https.js:13:3:13:44 | res.set ... /html') | src/https.js:12:20:16:1 | functio ... ar");\\n} |
 test_RouteSetup_getServer
+| createServer.js:2:1:2:42 | https.c ... es) {}) | createServer.js:2:1:2:42 | https.c ... es) {}) |
+| createServer.js:3:1:3:45 | https.c ... es) {}) | createServer.js:3:1:3:45 | https.c ... es) {}) |
 | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) |
 | src/http.js:12:1:16:2 | http.cr ... r");\\n}) | src/http.js:12:1:16:2 | http.cr ... r");\\n}) |
 | src/http.js:57:1:57:31 | http.cr ... dler()) | src/http.js:57:1:57:31 | http.cr ... dler()) |
@@ -66,6 +70,8 @@ test_HeaderDefinition_getAHeaderName
 | src/https.js:7:3:7:42 | res.wri ... rget }) | location |
 | src/https.js:13:3:13:44 | res.set ... /html') | content-type |
 test_ServerDefinition
+| createServer.js:2:1:2:42 | https.c ... es) {}) |
+| createServer.js:3:1:3:45 | https.c ... es) {}) |
 | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) |
 | src/http.js:12:1:16:2 | http.cr ... r");\\n}) |
 | src/http.js:57:1:57:31 | http.cr ... dler()) |
@@ -95,6 +101,8 @@ test_RouteHandler_getAResponseExpr
 | src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:14:3:14:5 | res |
 | src/https.js:12:20:16:1 | functio ... ar");\\n} | src/https.js:15:3:15:5 | res |
 test_ServerDefinition_getARouteHandler
+| createServer.js:2:1:2:42 | https.c ... es) {}) | createServer.js:2:20:2:41 | functio ... res) {} |
+| createServer.js:3:1:3:45 | https.c ... es) {}) | createServer.js:3:23:3:44 | functio ... res) {} |
 | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
 | src/http.js:12:1:16:2 | http.cr ... r");\\n}) | src/http.js:12:19:16:1 | functio ... ar");\\n} |
 | src/http.js:57:1:57:31 | http.cr ... dler()) | src/http.js:55:12:55:30 | function(req,res){} |
@@ -110,6 +118,8 @@ test_ResponseSendArgument
 | src/https.js:14:13:14:17 | "foo" | src/https.js:12:20:16:1 | functio ... ar");\\n} |
 | src/https.js:15:11:15:15 | "bar" | src/https.js:12:20:16:1 | functio ... ar");\\n} |
 test_RouteSetup_getARouteHandler
+| createServer.js:2:1:2:42 | https.c ... es) {}) | createServer.js:2:20:2:41 | functio ... res) {} |
+| createServer.js:3:1:3:45 | https.c ... es) {}) | createServer.js:3:23:3:44 | functio ... res) {} |
 | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) | src/http.js:4:32:10:1 | functio ... .foo;\\n} |
 | src/http.js:12:1:16:2 | http.cr ... r");\\n}) | src/http.js:12:19:16:1 | functio ... ar");\\n} |
 | src/http.js:57:1:57:31 | http.cr ... dler()) | src/http.js:55:12:55:30 | function(req,res){} |
@@ -137,6 +147,8 @@ test_RemoteFlowSources
 | src/https.js:8:3:8:20 | req.headers.cookie |
 | src/https.js:9:3:9:17 | req.headers.foo |
 test_RouteHandler
+| createServer.js:2:20:2:41 | functio ... res) {} | createServer.js:2:1:2:42 | https.c ... es) {}) |
+| createServer.js:3:23:3:44 | functio ... res) {} | createServer.js:3:1:3:45 | https.c ... es) {}) |
 | src/http.js:4:32:10:1 | functio ... .foo;\\n} | src/http.js:4:14:10:2 | http.cr ... foo;\\n}) |
 | src/http.js:12:19:16:1 | functio ... ar");\\n} | src/http.js:12:1:16:2 | http.cr ... r");\\n}) |
 | src/http.js:55:12:55:30 | function(req,res){} | src/http.js:57:1:57:31 | http.cr ... dler()) |