Merge pull request #1195 from esben-semmle/js/firebase-express-requests

Approved by xiemaisi

Author: semmle-qlci

change-notes/1.21/analysis-javascript.md

@@ -5,6 +5,7 @@
 * Support for the following frameworks and libraries has been improved:
   - [koa](https://github.com/koajs/koa)
   - [socket.io](http://socket.io)
+  - [Firebase](https://firebase.google.com/)
 
 * The security queries now track data flow through Base64 decoders such as the Node.js `Buffer` class, the DOM function `atob`, and a number of npm packages intcluding [`abab`](https://www.npmjs.com/package/abab), [`atob`](https://www.npmjs.com/package/atob), [`btoa`](https://www.npmjs.com/package/btoa), [`base-64`](https://www.npmjs.com/package/base-64), [`js-base64`](https://www.npmjs.com/package/js-base64), [`Base64.js`](https://www.npmjs.com/package/Base64) and [`base64-js`](https://www.npmjs.com/package/base64-js).
 

javascript/ql/src/semmle/javascript/frameworks/Firebase.qll

@@ -215,6 +215,40 @@ module Firebase {
         result = getArgument(0)
       }
     }
+
+    /**
+     * A call to a Firebase method that sets up a route.
+     */
+    private class RouteSetup extends HTTP::Servers::StandardRouteSetup, CallExpr {
+      RouteSetup() { this = namespace().getAPropertyRead("https").getAMemberCall("onRequest").asExpr() }
+
+      override DataFlow::SourceNode getARouteHandler() {
+        result = getARouteHandler(DataFlow::TypeBackTracker::end())
+      }
+
+      private DataFlow::SourceNode getARouteHandler(DataFlow::TypeBackTracker t) {
+        t.start() and
+        result = getArgument(0).flow().getALocalSource()
+        or
+        exists(DataFlow::TypeBackTracker t2 | result = getARouteHandler(t2).backtrack(t2, t))
+      }
+
+      override Expr getServer() { none() }
+    }
+
+    /**
+     * A function used as a route handler.
+     */
+    private class RouteHandler extends Express::RouteHandler, HTTP::Servers::StandardRouteHandler,
+    DataFlow::ValueNode {
+      RouteHandler() { this = any(RouteSetup setup).getARouteHandler() }
+
+      override SimpleParameter getRouteHandlerParameter(string kind) {
+        kind = "request" and result = this.(DataFlow::FunctionNode).getParameter(0).getParameter() or
+        kind = "response" and result = this.(DataFlow::FunctionNode).getParameter(1).getParameter()
+      }
+    }
+
   }
 
   /**

javascript/ql/test/library-tests/frameworks/Firebase/RequestInputAccess.expected

@@ -0,0 +1 @@
+| tst.js:72:52:72:65 | req.params.foo |

javascript/ql/test/library-tests/frameworks/Firebase/RequestInputAccess.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RequestInputAccess ria
+select ria

javascript/ql/test/library-tests/frameworks/Firebase/ResponseSendArgument.expected

@@ -0,0 +1 @@
+| tst.js:72:52:72:65 | req.params.foo |

javascript/ql/test/library-tests/frameworks/Firebase/ResponseSendArgument.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::ResponseSendArgument send
+select send

javascript/ql/test/library-tests/frameworks/Firebase/RouteHandler.expected

@@ -0,0 +1 @@
+| tst.js:72:27:72:69 | (req, r ... foo); } |

javascript/ql/test/library-tests/frameworks/Firebase/RouteHandler.ql

@@ -0,0 +1,4 @@
+import javascript
+
+from HTTP::RouteHandler rh
+select rh

javascript/ql/test/library-tests/frameworks/Firebase/tst.js

@@ -68,3 +68,5 @@ class Box {
 let box1 = new Box(fb.database());
 let box2 = new Box(whatever());
 box2.x.ref(); // not a firebase ref
+
+functions.https.onRequest((req, res) => { res.send(req.params.foo); });