support direct callbacks to require("net").createServer

erik-krogh · erik-krogh · commit d5097d820d23 · 2020-09-09T09:46:17.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll b/javascript/ql/src/semmle/javascript/frameworks/NodeJSLib.qll
@@ -1068,8 +1068,10 @@ module NodeJSLib {
   /**
    * An instance of net.createServer(), which creates a new TCP/IPC server.
    */
-  private class NodeJSNetServer extends DataFlow::SourceNode {
-    NodeJSNetServer() { this = DataFlow::moduleMember("net", "createServer").getAnInvocation() }
+  class NodeJSNetServer extends DataFlow::InvokeNode {
+    NodeJSNetServer() {
+      this = DataFlow::moduleMember(["net", "tls"], "createServer").getAnInvocation()
+    }
 
     private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {
       t.start() and result = this
@@ -1096,6 +1098,8 @@ module NodeJSLib {
       |
         this = call.getCallback(1).getParameter(0)
       )
+      or
+      this = server.getCallback([0, 1]).getParameter(0)
     }
 
     DataFlow::SourceNode ref() { result = EventEmitter::trackEventEmitter(this) }
diff --git a/javascript/ql/test/library-tests/frameworks/NodeJSLib/createServer.js b/javascript/ql/test/library-tests/frameworks/NodeJSLib/createServer.js
@@ -2,3 +2,14 @@ var https = require('https');
 https.createServer(function (req, res) {});
 https.createServer(o, function (req, res) {});
 require('http2').createServer((req, res) => {});
+
+require("tls").createServer((socket) => {
+    socket.on("data", (data) => {})
+});
+
+const net = require('net');
+const tls = require('tls');
+
+const server = (isSecure ? tls : net).createServer(options, (socket) => {
+    socket.on("data", (data) => {})
+});
diff --git a/javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected b/javascript/ql/test/library-tests/frameworks/NodeJSLib/tests.expected
@@ -163,6 +163,8 @@ test_ClientRequest_getADataNode
 | src/http.js:27:16:27:73 | http.re ... POST'}) | src/http.js:50:16:50:22 | 'stuff' |
 | src/http.js:27:16:27:73 | http.re ... POST'}) | src/http.js:51:14:51:25 | 'more stuff' |
 test_RemoteFlowSources
+| createServer.js:7:24:7:27 | data |
+| createServer.js:14:24:14:27 | data |
 | src/http.js:6:26:6:32 | req.url |
 | src/http.js:8:3:8:20 | req.headers.cookie |
 | src/http.js:9:3:9:17 | req.headers.foo |

Original file line number	Diff line number	Diff line change
`@@ -1068,8 +1068,10 @@ module NodeJSLib {`
`1068`	`1068`	`/**`
`1069`	`1069`	`* An instance of net.createServer(), which creates a new TCP/IPC server.`
`1070`	`1070`	`*/`
`1071`		`- private class NodeJSNetServer extends DataFlow::SourceNode {`
`1072`		`- NodeJSNetServer() { this = DataFlow::moduleMember("net", "createServer").getAnInvocation() }`
	`1071`	`+ class NodeJSNetServer extends DataFlow::InvokeNode {`
	`1072`	`+ NodeJSNetServer() {`
	`1073`	`+ this = DataFlow::moduleMember(["net", "tls"], "createServer").getAnInvocation()`
	`1074`	`+ }`
`1073`	`1075`
`1074`	`1076`	`private DataFlow::SourceNode ref(DataFlow::TypeTracker t) {`
`1075`	`1077`	`t.start() and result = this`
`@@ -1096,6 +1098,8 @@ module NodeJSLib {`
`1096`	`1098`	`\|`
`1097`	`1099`	`this = call.getCallback(1).getParameter(0)`
`1098`	`1100`	`)`
	`1101`	`+ or`
	`1102`	`+ this = server.getCallback([0, 1]).getParameter(0)`
`1099`	`1103`	`}`
`1100`	`1104`
`1101`	`1105`	`DataFlow::SourceNode ref() { result = EventEmitter::trackEventEmitter(this) }`