treat all writes to Authorization as a CredentialsExpr

erik-krogh · erik-krogh · commit 28a19006129d · 2020-06-03T13:55:49.000+02:00
diff --git a/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll b/javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
@@ -260,6 +260,23 @@ module ClientRequest {
     }
   }
 
+  /** An expression that is used as a credential in a request. */
+  private class AuthorizationHeader extends CredentialsExpr {
+    AuthorizationHeader() {
+      exists(DataFlow::PropWrite write | write.getPropertyName() = "Authorization" |
+        this = write.getRhs().asExpr()
+      )
+      or
+      exists(DataFlow::MethodCallNode call | call.getMethodName() = ["append", "set"] |
+        call.getNumArgument() = 2 and
+        call.getArgument(0).mayHaveStringValue("Authorization") and
+        this = call.getArgument(1).asExpr()
+      )
+    }
+
+    override string getCredentialsKind() { result = "authorization headers" }
+  }
+
   /**
    * Provides predicates for working with `fetch` and its platform-specific instances as a single module.
    */
@@ -273,36 +290,6 @@ module ClientRequest {
       result = DataFlow::globalVarRef("fetch") // https://fetch.spec.whatwg.org/#fetch-api
     }
 
-    /**
-     * Gets an instance of the `Headers` class.
-     */
-    private DataFlow::NewNode header() {
-      result = moduleImport().getAConstructorInvocation("Headers")
-      or
-      result = DataFlow::globalVarRef("Headers").getAnInstantiation() // https://fetch.spec.whatwg.org/#headers-class
-    }
-
-    /** An expression that is used as a credential in a fetch-request. */
-    private class FetchAuthorization extends CredentialsExpr {
-      FetchAuthorization() {
-        exists(DataFlow::Node headerObject |
-          headerObject = header().getArgument(0)
-          or
-          headerObject = moduleImport().getACall().getOptionArgument(1, "headers")
-        |
-          this = headerObject.getALocalSource().getAPropertyWrite("Authorization").getRhs().asExpr()
-        )
-        or
-        exists(DataFlow::MethodCallNode appendCall |
-          appendCall = header().getAMethodCall(["append", "set"]) and
-          appendCall.getArgument(0).mayHaveStringValue("Authorization") and
-          this = appendCall.getArgument(1).asExpr()
-        )
-      }
-
-      override string getCredentialsKind() { result = "authorization headers" }
-    }
-
     /**
      * A model of a URL request made using an implementation of the `fetch` API.
      */
