Replace complex wrapper classes with MaD

Napalys · Napalys · commit 4dac80a998ee · 2025-09-04T12:19:22.000Z
diff --git a/javascript/ql/lib/ext/apollo-server.model.yml b/javascript/ql/lib/ext/apollo-server.model.yml
@@ -10,6 +10,7 @@ extensions:
       extensible: sinkModel
     data:
       - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"]
+      - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].Member[cors].Member[origin]", "cors-misconfiguration"]
 
   - addsTo:
       pack: codeql/javascript-all
diff --git a/javascript/ql/lib/ext/cors.model.yml b/javascript/ql/lib/ext/cors.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["cors", "Argument[0].Member[origin]", "cors-misconfiguration"]
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll b/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll
diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll
@@ -5,7 +5,6 @@
  */
 
 import javascript
-private import semmle.javascript.frameworks.Cors
 
 /** Module containing sources, sinks, and sanitizers for overly permissive CORS configurations. */
 module CorsPermissiveConfiguration {
@@ -73,40 +72,7 @@ module CorsPermissiveConfiguration {
   /**
    * The value of cors origin when initializing the application.
    */
-  class CorsApolloServer extends Sink, DataFlow::ValueNode {
-    CorsApolloServer() {
-      exists(API::NewNode agql |
-        agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and
-        this =
-          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
-      )
-    }
-  }
-
-  /**
-   * The value of cors origin when initializing the application.
-   */
-  class ExpressCors extends Sink, DataFlow::ValueNode {
-    ExpressCors() {
-      exists(CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
-    }
-  }
-
-  /**
-   * An express route setup configured with the `cors` package.
-   */
-  class CorsConfiguration extends DataFlow::MethodCallNode {
-    Cors::Cors corsConfig;
-
-    CorsConfiguration() {
-      exists(Express::RouteSetup setup | this = setup |
-        if setup.isUseCall()
-        then corsConfig = setup.getArgument(0)
-        else corsConfig = setup.getArgument(any(int i | i > 0))
-      )
-    }
-
-    /** Gets the expression that configures `cors` on this route setup. */
-    Cors::Cors getCorsConfiguration() { result = corsConfig }
+  class CorsOriginSink extends Sink, DataFlow::ValueNode {
+    CorsOriginSink() { this = ModelOutput::getASinkNode("cors-misconfiguration").asSink() }
   }
 }
diff --git a/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll b/javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll
@@ -27,9 +27,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink, FlowState state) {
-    sink instanceof CorsApolloServer and state = [FlowState::taint(), FlowState::trueOrNull()]
-    or
-    sink instanceof ExpressCors and state = [FlowState::taint(), FlowState::wildcard()]
+    sink instanceof CorsOriginSink and
+    state = [FlowState::taint(), FlowState::trueOrNull(), FlowState::wildcard()]
   }
 
   predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
diff --git a/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected b/javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.expected
@@ -1,3 +1,11 @@
+#select
+| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
+| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
+| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | too permissive or user controlled value |
+| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |
+| express-test.js:33:17:33:27 | user_origin | express-test.js:10:42:10:45 | true | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:42:10:45 | true | too permissive or user controlled value |
 edges
 | apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
 | apollo-test.js:8:9:8:59 | user_origin | apollo-test.js:26:25:26:35 | user_origin | provenance |  |
@@ -6,8 +14,11 @@ edges
 | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
 | apollo-test.js:8:42:8:45 | true | apollo-test.js:8:23:8:46 | url.par ... , true) | provenance |  |
 | express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:9:10:59 | user_origin | express-test.js:33:17:33:27 | user_origin | provenance |  |
+| express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:59 | user_origin | provenance |  |
 | express-test.js:10:23:10:46 | url.par ... , true) | express-test.js:10:9:10:59 | user_origin | provenance |  |
 | express-test.js:10:33:10:39 | req.url | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
+| express-test.js:10:42:10:45 | true | express-test.js:10:23:10:46 | url.par ... , true) | provenance |  |
 nodes
 | apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
 | apollo-test.js:8:9:8:59 | user_origin | semmle.label | user_origin |
@@ -20,15 +31,12 @@ nodes
 | apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
 | apollo-test.js:26:25:26:35 | user_origin | semmle.label | user_origin |
 | express-test.js:10:9:10:59 | user_origin | semmle.label | user_origin |
+| express-test.js:10:9:10:59 | user_origin | semmle.label | user_origin |
+| express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
 | express-test.js:10:23:10:46 | url.par ... , true) | semmle.label | url.par ... , true) |
 | express-test.js:10:33:10:39 | req.url | semmle.label | req.url |
+| express-test.js:10:42:10:45 | true | semmle.label | true |
 | express-test.js:26:17:26:19 | '*' | semmle.label | '*' |
 | express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
+| express-test.js:33:17:33:27 | user_origin | semmle.label | user_origin |
 subpaths
-#select
-| apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | apollo-test.js:11:25:11:28 | true | CORS Origin misconfiguration due to a $@. | apollo-test.js:11:25:11:28 | true | too permissive or user controlled value |
-| apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | apollo-test.js:21:25:21:28 | null | CORS Origin misconfiguration due to a $@. | apollo-test.js:21:25:21:28 | null | too permissive or user controlled value |
-| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:33:8:39 | req.url | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:33:8:39 | req.url | too permissive or user controlled value |
-| apollo-test.js:26:25:26:35 | user_origin | apollo-test.js:8:42:8:45 | true | apollo-test.js:26:25:26:35 | user_origin | CORS Origin misconfiguration due to a $@. | apollo-test.js:8:42:8:45 | true | too permissive or user controlled value |
-| express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | express-test.js:26:17:26:19 | '*' | CORS Origin misconfiguration due to a $@. | express-test.js:26:17:26:19 | '*' | too permissive or user controlled value |
-| express-test.js:33:17:33:27 | user_origin | express-test.js:10:33:10:39 | req.url | express-test.js:33:17:33:27 | user_origin | CORS Origin misconfiguration due to a $@. | express-test.js:10:33:10:39 | req.url | too permissive or user controlled value |
diff --git a/shared/mad/codeql/mad/ModelValidation.qll b/shared/mad/codeql/mad/ModelValidation.qll
@@ -39,7 +39,7 @@ module KindValidation<KindValidationConfigSig Config> {
           "response-splitting", "trust-boundary-violation", "template-injection", "url-forward",
           "xslt-injection",
           // JavaScript-only currently, but may be shared in the future
-          "mongodb.sink",
+          "cors-misconfiguration", "mongodb.sink",
           // Swift-only currently, but may be shared in the future
           "database-store", "format-string", "hash-iteration-count", "predicate-injection",
           "preferences-store", "tls-protocol-version", "transmission", "webview-fetch", "xxe",

Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,8 @@ module CorsPermissiveConfigurationConfig implements DataFlow::StateConfigSig {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`predicate isSink(DataFlow::Node sink, FlowState state) {`
`30`		`- sink instanceof CorsApolloServer and state = [FlowState::taint(), FlowState::trueOrNull()]`
`31`		`- or`
`32`		`- sink instanceof ExpressCors and state = [FlowState::taint(), FlowState::wildcard()]`
	`30`	`+ sink instanceof CorsOriginSink and`
	`31`	`+ state = [FlowState::taint(), FlowState::trueOrNull(), FlowState::wildcard()]`
`33`	`32`	`}`
`34`	`33`
`35`	`34`	`predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }`