JS: Factor RequestHeaderAccess into separate class

Author: asger-semmle

javascript/ql/src/Security/CWE-640/HostHeaderPoisoningInEmailGeneration.ql

@@ -14,7 +14,7 @@ class TaintedHostHeader extends TaintTracking::Configuration {
   TaintedHostHeader() { this = "TaintedHostHeader" }
 
   override predicate isSource(DataFlow::Node node) {
-    exists (HTTP::RequestInputAccess input | node = input |
+    exists (HTTP::RequestHeaderAccess input | node = input |
       input.getKind() = "header" and
       input.getAHeaderName() = "host")
   }

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -471,41 +471,52 @@ module Express {
           propName = "originalUrl"
         )
         or
+        // `req.cookies`
+        kind = "cookie" and
+        this.(DataFlow::PropRef).accesses(request, "cookies")
+      )
+      or
+      exists (RequestHeaderAccess access | this = access |
+        rh = access.getRouteHandler() and
+        kind = "header")
+    }
+
+    override RouteHandler getRouteHandler() {
+      result = rh
+    }
+
+    override string getKind() {
+      result = kind
+    }
+  }
+
+  /**
+   * An access to a header on an Express request.
+   */
+  private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
+    RouteHandler rh;
+
+    RequestHeaderAccess() {
+      exists (DataFlow::Node request | request = DataFlow::valueNode(rh.getARequestExpr()) |
         exists (string methodName |
           // `req.get(...)` or `req.header(...)`
-          kind = "header" and
           this.(DataFlow::MethodCallNode).calls(request, methodName) |
           methodName = "get" or
           methodName = "header"
         )
         or
         exists (DataFlow::PropRead headers |
           // `req.headers.name`
-          kind = "header" and
           headers.accesses(request, "headers") and
           this = headers.getAPropertyRead())
         or
         exists (string propName | propName = "host" or propName = "hostname" |
           // `req.host` and `req.hostname` are derived from headers
-          kind = "header" and
           this.(DataFlow::PropRead).accesses(request, propName))
-        or
-        // `req.cookies`
-        kind = "cookie" and
-        this.(DataFlow::PropRef).accesses(request, "cookies")
       )
     }
 
-    override RouteHandler getRouteHandler() {
-      result = rh
-    }
-
-    override string getKind() {
-      result = kind
-    }
-
     override string getAHeaderName() {
-      kind = "header" and
       exists (string name |
         name = this.(DataFlow::PropRead).getPropertyName()
         or
@@ -516,6 +527,14 @@ module Express {
         else
           result = name.toLowerCase())
     }
+
+    override RouteHandler getRouteHandler() {
+      result = rh
+    }
+
+    override string getKind() {
+      result = "header"
+    }
   }
 
   /**
@@ -613,9 +632,9 @@ module Express {
       astNode.getMethodName() = any(string n | n = "set" or n = "header") and
       astNode.getNumArgument() = 1
     }
-    
+
     /**
-     * Gets a reference to the multiple headers object that is to be set. 
+     * Gets a reference to the multiple headers object that is to be set.
      */
     private DataFlow::SourceNode getAHeaderSource() {
       result.flowsToExpr(astNode.getArgument(0))
@@ -631,12 +650,12 @@ module Express {
     override RouteHandler getRouteHandler() {
       result = rh
     }
-    
+
     override Expr getNameExpr() {
-      exists (DataFlow::PropWrite write  | 
+      exists (DataFlow::PropWrite write  |
         getAHeaderSource().flowsTo(write.getBase()) and
         result = write.getPropertyNameExpr()
-      )      
+      )
     }
   }
 

javascript/ql/src/semmle/javascript/frameworks/HTTP.qll

@@ -72,9 +72,9 @@ module HTTP {
      * Holds if the header with (lower-case) name `headerName` is set to the value of `headerValue`.
      */
     abstract predicate definesExplicitly(string headerName, Expr headerValue);
-    
+
     /**
-     * Returns the expression used to compute the header name. 
+     * Returns the expression used to compute the header name.
      */
     abstract Expr getNameExpr();
   }
@@ -354,9 +354,9 @@ module HTTP {
         headerName = getNameExpr().getStringValue().toLowerCase() and
         headerValue = astNode.getArgument(1)
       }
-      
+
       override Expr getNameExpr() {
-      	 result = astNode.getArgument(0)
+         result = astNode.getArgument(0)
       }
 
     }
@@ -399,15 +399,19 @@ module HTTP {
      * Note that this predicate is functional.
      */
     abstract string getKind();
+  }
 
+  /**
+   * An access to a header on an incoming HTTP request.
+   */
+  abstract class RequestHeaderAccess extends RequestInputAccess {
     /**
      * Gets the lower-case name of an HTTP header from which this input is derived,
      * if this can be determined.
      *
-     * When the input is not derived from a header, or the header name is
-     * unknown, this has no result.
+     * When the name of the header is unknown, this has no result.
      */
-    string getAHeaderName() { none() }
+    abstract string getAHeaderName();
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/Hapi.qll

@@ -121,20 +121,17 @@ module Hapi {
           this.asExpr().(PropAccess).accesses(url, "path")
         )
         or
-        exists (PropAccess headers |
-          // `request.headers.<name>`
-          kind = "header" and
-          headers.accesses(request, "headers")  and
-          this.asExpr().(PropAccess).accesses(headers, _)
-        )
-        or
         exists (PropAccess state |
           // `request.state.<name>`
           kind = "cookie" and
           state.accesses(request, "state")  and
           this.asExpr().(PropAccess).accesses(state, _)
         )
       )
+      or
+      exists (RequestHeaderAccess access | this = access |
+        rh = access.getRouteHandler() and
+        kind = "header")
     }
 
     override RouteHandler getRouteHandler() {
@@ -144,11 +141,35 @@ module Hapi {
     override string getKind() {
       result = kind
     }
+  }
+
+  /**
+   * An access to an HTTP header on a Hapi request.
+   */
+  private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
+    RouteHandler rh;
+
+    RequestHeaderAccess() {
+      exists (Expr request | request = rh.getARequestExpr() |
+        exists (PropAccess headers |
+          // `request.headers.<name>`
+          headers.accesses(request, "headers")  and
+          this.asExpr().(PropAccess).accesses(headers, _)
+        )
+      )
+    }
 
     override string getAHeaderName() {
-      kind = "header" and
       result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
     }
+
+    override RouteHandler getRouteHandler() {
+      result = rh
+    }
+
+    override string getKind() {
+      result = "header"
+    }
   }
 
   /**

javascript/ql/src/semmle/javascript/frameworks/Koa.qll

@@ -182,19 +182,6 @@ module Koa {
           propName = "originalUrl" or
           propName = "href"
         )
-        or
-        exists (string propName, PropAccess headers |
-          // `ctx.request.header.<name>`, `ctx.request.headers.<name>`
-          kind = "header" and
-          headers.accesses(request, propName) and
-          this.asExpr().(PropAccess).accesses(headers, _) |
-          propName = "header" or
-          propName = "headers"
-        )
-        or
-        // `ctx.request.get(<name>)`
-        kind = "header" and
-        this.asExpr().(MethodCallExpr).calls(request, "get")
       )
       or
       exists (PropAccess cookies |
@@ -203,6 +190,10 @@ module Koa {
         cookies.accesses(rh.getAContextExpr(), "cookies") and
         this.asExpr().(MethodCallExpr).calls(cookies, "get")
       )
+      or
+      exists (RequestHeaderAccess access | access = this |
+        rh = access.getRouteHandler() and
+        kind = "header")
     }
 
     override RouteHandler getRouteHandler() {
@@ -212,17 +203,44 @@ module Koa {
     override string getKind() {
       result = kind
     }
+  }
 
-    override string getAHeaderName() {
-      kind = "header" and
-      (
-        result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+  /**
+   * An access to an HTTP header on a Koa request.
+   */
+  private class RequestHeaderAccess extends HTTP::RequestHeaderAccess {
+    RouteHandler rh;
+
+    RequestHeaderAccess() {
+      exists (Expr request | request = rh.getARequestExpr() |
+        exists (string propName, PropAccess headers |
+          // `ctx.request.header.<name>`, `ctx.request.headers.<name>`
+          headers.accesses(request, propName) and
+          this.asExpr().(PropAccess).accesses(headers, _) |
+          propName = "header" or
+          propName = "headers"
+        )
         or
-        exists (string name |
-          this.(DataFlow::CallNode).getArgument(0).mayHaveStringValue(name) and
-          result = name.toLowerCase())
+        // `ctx.request.get(<name>)`
+        this.asExpr().(MethodCallExpr).calls(request, "get")
       )
     }
+
+    override string getAHeaderName() {
+      result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+      or
+      exists (string name |
+        this.(DataFlow::CallNode).getArgument(0).mayHaveStringValue(name) and
+        result = name.toLowerCase())
+    }
+
+    override RouteHandler getRouteHandler() {
+      result = rh
+    }
+
+    override string getKind() {
+      result = "header"
+    }
   }
 
   /**