
[JS]: Adding express-validator support #18252

Open. Wants to merge 15 commits into base: main

Conversation

@GeekMasher GeekMasher commented Dec 9, 2024

This PR adds support for express-validator, a middleware for Express.js that provides a way to validate incoming requests.

This should reduce the false positives a number of users are seeing.

Pull Request checklist

All query authors

Internal query authors only

  • Autofixes generated based on these changes are valid, only needed if this PR makes significant changes to .ql, .qll, or .qhelp files. See the documentation (internal access required).
  • Changes are validated at scale (internal access required).
  • Adding a new query? Consider also adding the query to autofix.

@GeekMasher GeekMasher marked this pull request as ready for review December 9, 2024 15:57
@GeekMasher GeekMasher requested a review from a team as a code owner December 9, 2024 15:57
@asgerf asgerf left a comment

The test case file seems to be empty?

asgerf commented Dec 17, 2024

The test output needs to be regenerated, otherwise looks good.

An interesting aspect of this library is that validators like isEmail() never actually reject the request; it's up to the user to call validationErrors and reject the request if there are any errors. The best is probably to treat them as sanitisers like you've done here, and then (in another PR) we could add a query to flag up cases where such validators are being used without an appropriate check for validation errors.
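
Added example, not code from the PR or from express-validator itself, modelling the behaviour asgerf describes: a stand-in for the body('email').isEmail() chain and for validationResult (the real library's name for the errors check) that only records failures and calls next(), beside an unguarded handler and one that rejects with 400. The simplified email regex, the request/response stubs and the constructed request bodies are assumptions of this model, not the library's code.

```javascript
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // simplistic, for the model only

// Model of a validation chain (mirrors the API shape, is NOT the real library):
// a middleware that records a failure on the request and then calls next().
function body(field) {
  return {
    isEmail() {
      return (req, res, next) => {
        req._validationErrors = req._validationErrors || [];
        const value = req.body[field];
        if (typeof value !== 'string' || !EMAIL_RE.test(value)) {
          req._validationErrors.push({ path: field, msg: 'Invalid value' });
        }
        next(); // the request is never rejected here; the handler still runs
      };
    },
  };
}

// Model of validationResult(req): exposes whatever errors the chain recorded.
function validationResult(req) {
  const errors = req._validationErrors || [];
  return { isEmpty: () => errors.length === 0, array: () => errors };
}

// Runs a middleware chain for one constructed request the way Express would.
function run(handlers, input) {
  const req = { body: input };
  const res = { statusCode: 200, payload: undefined,
    status(code) { this.statusCode = code; return this; },
    json(payload) { this.payload = payload; return this; } };
  let i = 0;
  const next = () => { if (i < handlers.length) handlers[i++](req, res, next); };
  next();
  return res;
}

// Unguarded: isEmail() ran, but the unchecked value still reaches the sink.
function unguardedHandler(req, res) {
  res.status(200).json({ stored: req.body.email });
}
// Guarded: reject with 400 when the chain recorded any error.
function guardedHandler(req, res) {
  const errors = validationResult(req);
  if (!errors.isEmpty()) return res.status(400).json({ errors: errors.array() });
  return res.status(200).json({ stored: req.body.email });
}
const unguardedRoute = (input) => run([body('email').isEmail(), unguardedHandler], input);
const guardedRoute = (input) => run([body('email').isEmail(), guardedHandler], input);
```

With a constructed body of { email: 'not-an-email' } the unguarded route answers 200 and stores the invalid value, while the guarded route answers 400; this is the gap a query flagging validators without a validationResult check would look for.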

@GeekMasher (Member, Author) commented

I will fix up the PR today and hopefully get it out the door.

On the subject of the isEmail, do you want me to remove it, leave as is, or add support for the validation guard? I wasn't sure how I could add the validator guard clause so I left it out.

asgerf commented Dec 17, 2024

Just leave it in.

@GeekMasher (Member, Author) commented

I've updated the tests but I would like to add more testing before merging

    import testUtilities.InlineExpectationsTest

    module TestConfig implements TestSig {
      string getARelevantTag() { result = ["middleware", "secure"] }

      (Code scanning / CodeQL warning, "Dead code" (test), on the two lines above: This code is never used, and it's not publicly exported.)

      predicate hasActualResult(Location location, string element, string tag, string value) {

      (Code scanning / CodeQL warning, "Dead code" (test), on the line above: This code is never used, and it's not publicly exported.)