JS: add HTTP::RequestInputAccess.getAHeaderName()

Author: asger-semmle

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -503,6 +503,19 @@ module Express {
     override string getKind() {
       result = kind
     }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      exists (string name |
+        name = this.(DataFlow::PropRead).getPropertyName()
+        or
+        this.(DataFlow::CallNode).getArgument(0).mayHaveStringValue(name)
+        |
+        if name = "hostname" then
+          result = "host"
+        else
+          result = name.toLowerCase())
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/HTTP.qll

@@ -399,8 +399,17 @@ module HTTP {
      * Note that this predicate is functional.
      */
     abstract string getKind();
+
+    /**
+     * Gets the lower-case name of an HTTP header from which this input is derived,
+     * if this can be determined.
+     *
+     * When the input is not derived from a header, or the header name is
+     * unknown, this has no result.
+     */
+    string getAHeaderName() { none() }
   }
-  
+
   /**
    * A node that looks like a route setup on a server.
    *

javascript/ql/src/semmle/javascript/frameworks/Hapi.qll

@@ -144,6 +144,11 @@ module Hapi {
     override string getKind() {
       result = kind
     }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/Koa.qll

@@ -212,6 +212,17 @@ module Koa {
     override string getKind() {
       result = kind
     }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      (
+        result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+        or
+        exists (string name |
+          this.(DataFlow::CallNode).getArgument(0).mayHaveStringValue(name) and
+          result = name.toLowerCase())
+      )
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll

@@ -161,6 +161,11 @@ module NodeJSLib {
     override string getKind() {
       result = kind
     }
+
+    override string getAHeaderName() {
+      kind = "header" and
+      result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+    }
   }
 
   class RouteSetup extends CallExpr, HTTP::Servers::StandardRouteSetup {

javascript/ql/test/library-tests/frameworks/Express/HeaderAccess.expected

@@ -0,0 +1,5 @@
+| src/express.js:28:3:28:16 | req.get("foo") | foo |
+| src/express.js:29:3:29:19 | req.header("bar") | bar |
+| src/express.js:47:3:47:17 | req.headers.baz | baz |
+| src/express.js:48:3:48:10 | req.host | host |
+| src/express.js:49:3:49:14 | req.hostname | host |

javascript/ql/test/library-tests/frameworks/Express/HeaderAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestInputAccess access
+select access, access.getAHeaderName()

javascript/ql/test/library-tests/frameworks/NodeJSLib/HeaderAccess.expected

@@ -0,0 +1,2 @@
+| src/http.js:9:3:9:17 | req.headers.foo | foo |
+| src/https.js:9:3:9:17 | req.headers.foo | foo |

javascript/ql/test/library-tests/frameworks/NodeJSLib/HeaderAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestInputAccess access
+select access, access.getAHeaderName()

javascript/ql/test/library-tests/frameworks/hapi/HeaderAccess.expected

@@ -0,0 +1 @@
+| src/hapi.js:25:3:25:21 | request.headers.baz | baz |