JS: Model json and jsonp methods

asgerf · asgerf · commit 132a8b8b53bd · 2025-09-12T08:51:23.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Express.qll b/javascript/ql/lib/semmle/javascript/frameworks/Express.qll
@@ -781,6 +781,40 @@ module Express {
     override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
   }
 
+  /**
+   * A call to `res.json()` or `res.jsonp()`.
+   *
+   * This sets the `content-type` header.
+   */
+  private class ResponseJsonCall extends DataFlow::MethodCallNode, Http::HeaderDefinition {
+    private ResponseSource response;
+
+    ResponseJsonCall() { this = response.ref().getAMethodCall(["json", "jsonp"]) }
+
+    override RouteHandler getRouteHandler() { result = response.getRouteHandler() }
+
+    override string getAHeaderName() { result = "content-type" }
+
+    override predicate defines(string headerName, string headerValue) {
+      // Note: for `jsonp` the actual content-type header will be `text/javascript` or similar, but to avoid
+      // generating a spurious HTML injection sink, we treat it as `application/json` here.
+      headerName = "content-type" and headerValue = "application/json"
+    }
+  }
+
+  /**
+   * An argument passed to the `json` or `json` method of an HTTP response object.
+   */
+  private class ResponseJsonCallArgument extends Http::ResponseSendArgument {
+    ResponseJsonCall call;
+
+    ResponseJsonCallArgument() { this = call.getArgument(0) }
+
+    override RouteHandler getRouteHandler() { result = call.getRouteHandler() }
+
+    override HeaderDefinition getAnAssociatedHeaderDefinition() { result = call }
+  }
+
   /**
    * An invocation of the `cookie` method on an HTTP response object.
    */
diff --git a/javascript/ql/test/library-tests/frameworks/Express/tests.expected b/javascript/ql/test/library-tests/frameworks/Express/tests.expected
@@ -674,6 +674,8 @@ test_ResponseBody
 | src/express.js:61:12:61:25 | req.params.foo | src/express.js:59:23:63:1 | functio ... res);\\n} |
 | src/express.js:67:12:67:25 | req.params.foo | src/express.js:65:27:69:1 | functio ... res);\\n} |
 | src/express.js:73:12:73:19 | req.path | src/express.js:71:23:75:1 | functio ... res);\\n} |
+| src/json.js:5:14:5:27 | req.query.data | src/json.js:4:23:6:1 | functio ... ata);\\n} |
+| src/json.js:9:15:9:28 | req.query.data | src/json.js:8:24:10:1 | functio ... ata);\\n} |
 | src/params.js:8:18:8:22 | value | src/params.js:4:18:12:1 | (req, r ...     }\\n} |
 | src/params.js:15:12:15:18 | "Hello" | src/params.js:14:24:16:1 | functio ... lo");\\n} |
 test_ResponseExpr
@@ -1005,6 +1007,8 @@ test_HeaderDefinition
 | src/express.js:66:3:66:42 | res.hea ... plain") | src/express.js:65:27:69:1 | functio ... res);\\n} |
 | src/express.js:72:3:72:41 | res.hea ... /html") | src/express.js:71:23:75:1 | functio ... res);\\n} |
 | src/inheritedFromNode.js:6:2:6:16 | res.setHeader() | src/inheritedFromNode.js:4:15:8:1 | functio ... .url;\\n} |
+| src/json.js:5:5:5:28 | res.jso ... y.data) | src/json.js:4:23:6:1 | functio ... ata);\\n} |
+| src/json.js:9:5:9:29 | res.jso ... y.data) | src/json.js:8:24:10:1 | functio ... ata);\\n} |
 | src/responseExprs.js:19:5:19:16 | res.append() | src/responseExprs.js:16:30:42:1 | functio ...     }\\n} |
 | src/responseExprs.js:37:5:37:28 | f(res.a ... ppend() | src/responseExprs.js:16:30:42:1 | functio ...     }\\n} |
 | src/responseExprs.js:37:7:37:18 | res.append() | src/responseExprs.js:16:30:42:1 | functio ...     }\\n} |
@@ -1163,6 +1167,8 @@ test_ResponseSendArgument
 | src/express.js:61:12:61:25 | req.params.foo | src/express.js:59:23:63:1 | functio ... res);\\n} |
 | src/express.js:67:12:67:25 | req.params.foo | src/express.js:65:27:69:1 | functio ... res);\\n} |
 | src/express.js:73:12:73:19 | req.path | src/express.js:71:23:75:1 | functio ... res);\\n} |
+| src/json.js:5:14:5:27 | req.query.data | src/json.js:4:23:6:1 | functio ... ata);\\n} |
+| src/json.js:9:15:9:28 | req.query.data | src/json.js:8:24:10:1 | functio ... ata);\\n} |
 | src/params.js:8:18:8:22 | value | src/params.js:4:18:12:1 | (req, r ...     }\\n} |
 | src/params.js:15:12:15:18 | "Hello" | src/params.js:14:24:16:1 | functio ... lo");\\n} |
 test_RouteSetup_getRouter
@@ -1366,6 +1372,8 @@ test_HeaderDefinition_defines
 | src/express.js:60:3:60:47 | res.hea ... n/xml") | content-type | application/xml |
 | src/express.js:66:3:66:42 | res.hea ... plain") | content-type | text/plain |
 | src/express.js:72:3:72:41 | res.hea ... /html") | content-type | text/html |
+| src/json.js:5:5:5:28 | res.jso ... y.data) | content-type | application/json |
+| src/json.js:9:5:9:29 | res.jso ... y.data) | content-type | application/json |
 test_RouteHandlerExpr_getBody
 | src/advanced-routehandler-registration.js:51:9:51:60 | (req, r ... tever") | src/advanced-routehandler-registration.js:51:9:51:60 | (req, r ... tever") |
 | src/advanced-routehandler-registration.js:64:9:64:53 | (req, r ... q, res) | src/advanced-routehandler-registration.js:64:9:64:53 | (req, r ... q, res) |
@@ -2139,6 +2147,8 @@ test_HeaderDefinition_getAHeaderName
 | src/express.js:60:3:60:47 | res.hea ... n/xml") | content-type |
 | src/express.js:66:3:66:42 | res.hea ... plain") | content-type |
 | src/express.js:72:3:72:41 | res.hea ... /html") | content-type |
+| src/json.js:5:5:5:28 | res.jso ... y.data) | content-type |
+| src/json.js:9:5:9:29 | res.jso ... y.data) | content-type |
 test_RouteHandlerExpr_getAsSubRouter
 | src/csurf-example.js:13:17:13:19 | api | src/csurf-example.js:30:16:30:35 | new express.Router() |
 | src/express2.js:6:9:6:14 | router | src/express2.js:2:14:2:23 | e.Router() |
@@ -2155,6 +2165,8 @@ test_RouteHandler_getAResponseHeader
 | src/express.js:65:27:69:1 | functio ... res);\\n} | content-type | src/express.js:66:3:66:42 | res.hea ... plain") |
 | src/express.js:71:23:75:1 | functio ... res);\\n} | access-control-allow-credentials | src/express.js:12:3:12:54 | arg.hea ... , true) |
 | src/express.js:71:23:75:1 | functio ... res);\\n} | content-type | src/express.js:72:3:72:41 | res.hea ... /html") |
+| src/json.js:4:23:6:1 | functio ... ata);\\n} | content-type | src/json.js:5:5:5:28 | res.jso ... y.data) |
+| src/json.js:8:24:10:1 | functio ... ata);\\n} | content-type | src/json.js:9:5:9:29 | res.jso ... y.data) |
 test_RouteSetup_getARouteHandlerExpr
 | src/advanced-routehandler-registration.js:10:3:10:24 | app.get ... es0[p]) | src/advanced-routehandler-registration.js:10:14:10:23 | routes0[p] |
 | src/advanced-routehandler-registration.js:19:3:19:18 | app.use(handler) | src/advanced-routehandler-registration.js:19:11:19:17 | handler |
