Replace complex wrapper classes with MaD

Napalys · Napalys · commit e0436928f61d · 2025-08-21T11:09:05.000Z
diff --git a/javascript/ql/lib/ext/apollo-server.model.yml b/javascript/ql/lib/ext/apollo-server.model.yml
@@ -10,6 +10,7 @@ extensions:
       extensible: sinkModel
     data:
       - ["@apollo/server", "Member[gql].Argument[0]", "sql-injection"]
+      - ["@apollo/server", "Member[ApolloServer,ApolloServerBase].Argument[0].Member[cors].Member[origin]", "cors-misconfiguration"]
 
   - addsTo:
       pack: codeql/javascript-all
diff --git a/javascript/ql/lib/ext/cors.model.yml b/javascript/ql/lib/ext/cors.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["cors", "Argument[0].Member[origin]", "cors-misconfiguration"]
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll b/javascript/ql/lib/semmle/javascript/frameworks/Cors.qll
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
@@ -5,7 +5,6 @@
  */
 
 import javascript
-private import semmle.javascript.frameworks.Cors
 
 module CorsMisconfigurationForCredentials {
   /**
@@ -88,46 +87,13 @@ module CorsMisconfigurationForCredentials {
   }
 
   /**
-   * The value of cors origin when initializing the application.
+   * The value of cors origin configuration.
    */
-  class CorsApolloServer extends Sink, DataFlow::ValueNode {
-    CorsApolloServer() {
-      exists(API::NewNode agql |
-        agql = ModelOutput::getATypeNode("ApolloServer").getAnInstantiation() and
-        this =
-          agql.getOptionArgument(0, "cors").getALocalSource().getAPropertyWrite("origin").getRhs()
-      )
-    }
-
-    override Http::HeaderDefinition getCredentialsHeader() { none() }
-  }
-
-  /**
-   * The value of cors origin when initializing the application.
-   */
-  class ExpressCors extends Sink, DataFlow::ValueNode {
-    ExpressCors() {
-      exists(CorsConfiguration config | this = config.getCorsConfiguration().getOrigin())
+  class CorsOriginSink extends Sink, DataFlow::ValueNode {
+    CorsOriginSink() {
+      this = ModelOutput::getASinkNode("cors-misconfiguration").asSink()
     }
 
     override Http::HeaderDefinition getCredentialsHeader() { none() }
   }
-
-  /**
-   * An express route setup configured with the `cors` package.
-   */
-  class CorsConfiguration extends DataFlow::MethodCallNode {
-    Cors::Cors corsConfig;
-
-    CorsConfiguration() {
-      exists(Express::RouteSetup setup | this = setup |
-        if setup.isUseCall()
-        then corsConfig = setup.getArgument(0)
-        else corsConfig = setup.getArgument(any(int i | i > 0))
-      )
-    }
-
-    /** Gets the expression that configures `cors` on this route setup. */
-    Cors::Cors getCorsConfiguration() { result = corsConfig }
-  }
 }
