JS: Use type info to recognize routers

asger-semmle · asger-semmle · commit 744f0b1aa384 · 2019-09-04T11:43:21.000+01:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -39,16 +39,23 @@ module Express {
     router.flowsTo(e)
   }
 
+  /**
+   * Holds if `e` may refer to a router object.
+   */
+  private predicate isRouter(Expr e) {
+    isRouter(e, _)
+    or
+    e.getType().hasUnderlyingType("express-serve-static-core", "Router")
+  }
+
   /**
    * An expression that refers to a route.
    */
   class RouteExpr extends MethodCallExpr {
-    RouterDefinition router;
-
-    RouteExpr() { isRouter(this, router) }
+    RouteExpr() { isRouter(this) }
 
-    /** Gets the router from which this route was created. */
-    RouterDefinition getRouter() { result = router }
+    /** Gets the router from which this route was created, if it is known. */
+    RouterDefinition getRouter() { isRouter(this, result) }
   }
 
   /**
@@ -68,18 +75,16 @@ module Express {
    * A call to an Express router method that sets up a route.
    */
   class RouteSetup extends HTTP::Servers::StandardRouteSetup, MethodCallExpr {
-    RouterDefinition router;
-
     RouteSetup() {
-      isRouter(getReceiver(), router) and
+      isRouter(getReceiver()) and
       getMethodName() = routeSetupMethodName()
     }
 
     /** Gets the path associated with the route. */
     string getPath() { getArgument(0).mayHaveStringValue(result) }
 
     /** Gets the router on which handlers are being registered. */
-    RouterDefinition getRouter() { result = router }
+    RouterDefinition getRouter() { isRouter(getReceiver(), result) }
 
     /** Holds if this is a call `use`, such as `app.use(handler)`. */
     predicate isUseCall() { getMethodName() = "use" }
