Enhance Next.js API endpoint handling for compatibility with both Pages and App Router structures.

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/Next.qll

@@ -213,10 +213,12 @@ module NextJS {
   /**
    * Gets a folder that contains API endpoints for a Next.js application.
    * These API endpoints act as Express-like route-handlers.
+   * It matches both the Pages Router (`pages/api/`) Next.js 12 or earlier and
+   * the App Router (`app/api/`) Next.js 13+ structures.
    */
   Folder apiFolder() {
-    result = getANextPackage().getFile().getParentContainer().getFolder("pages").getFolder("api")
-    or
+    result =
+      getANextPackage().getFile().getParentContainer().getFolder(["pages", "app"]).getFolder("api") or
     result = apiFolder().getAFolder()
   }
 
@@ -271,4 +273,56 @@ module NextJS {
       override string getCredentialsKind() { result = "jwt key" }
     }
   }
+
+  /**
+   * A route handler for Next.js 13+ App Router API endpoints, which are defined by exporting
+   * HTTP method functions (like `GET`, `POST`, `PUT`, `DELETE`) from route.js files inside
+   * the `app/api/` directory.
+   */
+  class NextAppRouteHandler extends DataFlow::FunctionNode, Http::Servers::StandardRouteHandler {
+    NextAppRouteHandler() {
+      exists(Module mod | mod.getFile().getParentContainer() = apiFolder() |
+        this = mod.getAnExportedValue(any(Http::RequestMethodName m)).getAFunctionValue() and
+        (
+          this.getParameter(0).hasUnderlyingType("next/server", "NextRequest")
+          or
+          this.getParameter(0).hasUnderlyingType("Request")
+        )
+      )
+    }
+
+    /**
+     * Gets the request parameter, which is either a `NextRequest` object (from `next/server`) or a standard web `Request` object.
+     */
+    DataFlow::SourceNode getRequest() { result = this.getParameter(0) }
+  }
+
+  /**
+   * A source of user-controlled data from a `NextRequest` object (from `next/server`) or a standard web `Request` object
+   * in a Next.js App Router route handler.
+   */
+  class NextAppRequestSource extends Http::RequestInputAccess {
+    NextAppRouteHandler handler;
+    string kind;
+
+    NextAppRequestSource() {
+      (
+        this =
+          handler.getRequest().getAMethodCall(["json", "formData", "blob", "arrayBuffer", "text"])
+        or
+        this = handler.getRequest().getAPropertyRead("body")
+      ) and
+      kind = "body"
+      or
+      this = handler.getRequest().getAPropertyRead(["url", "nextUrl"]) and kind = "url"
+      or
+      this = handler.getRequest().getAPropertyRead("headers") and kind = "headers"
+    }
+
+    override string getKind() { result = kind }
+
+    override Http::RouteHandler getRouteHandler() { result = handler }
+
+    override string getSourceType() { result = "Next.js App Router request" }
+  }
 }

javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route.serverSide.ts

@@ -1,5 +1,5 @@
 export async function POST(req: Request) {
-  const { url } = await req.json(); // $ MISSING: Source[js/request-forgery]
-  const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery]
+  const { url } = await req.json(); // $ Source[js/request-forgery]
+  const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
   return new Response(res.body, { headers: res.headers });
 }

javascript/ql/test/query-tests/Security/CWE-918/Request/app/api/proxy/route2.serverSide.ts

@@ -1,8 +1,8 @@
 import { NextRequest, NextResponse } from 'next/server';
 
 export async function POST(req: NextRequest) {
-  const { url } = await req.json(); // $ MISSING: Source[js/request-forgery]
-  const res = await fetch(url); // $ MISSING: Alert[js/request-forgery] Sink[js/request-forgery]
+  const { url } = await req.json(); // $ Source[js/request-forgery]
+  const res = await fetch(url); // $ Alert[js/request-forgery] Sink[js/request-forgery]
   const data = await res.text();
   return new NextResponse(data, { headers: res.headers });
 }

javascript/ql/test/query-tests/Security/CWE-918/RequestForgery.expected

@@ -2,6 +2,8 @@
 | apollo.serverSide.ts:8:39:8:64 | get(fil ...  => {}) | apollo.serverSide.ts:7:36:7:44 | { files } | apollo.serverSide.ts:8:43:8:50 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:8:43:8:50 | file.url | URL | apollo.serverSide.ts:7:36:7:44 | { files } | user-provided value |
 | apollo.serverSide.ts:18:37:18:62 | get(fil ...  => {}) | apollo.serverSide.ts:17:34:17:42 | { files } | apollo.serverSide.ts:18:41:18:48 | file.url | The $@ of this request depends on a $@. | apollo.serverSide.ts:18:41:18:48 | file.url | URL | apollo.serverSide.ts:17:34:17:42 | { files } | user-provided value |
 | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | The $@ of this request depends on a $@. | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | endpoint | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | user-provided value |
+| request/app/api/proxy/route2.serverSide.ts:5:21:5:30 | fetch(url) | request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | The $@ of this request depends on a $@. | request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | URL | request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | user-provided value |
+| request/app/api/proxy/route.serverSide.ts:3:21:3:30 | fetch(url) | request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | The $@ of this request depends on a $@. | request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | URL | request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | user-provided value |
 | serverSide.js:18:5:18:20 | request(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:18:13:18:19 | tainted | The $@ of this request depends on a $@. | serverSide.js:18:13:18:19 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
 | serverSide.js:20:5:20:24 | request.get(tainted) | serverSide.js:14:29:14:35 | req.url | serverSide.js:20:17:20:23 | tainted | The $@ of this request depends on a $@. | serverSide.js:20:17:20:23 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
 | serverSide.js:24:5:24:20 | request(options) | serverSide.js:14:29:14:35 | req.url | serverSide.js:23:19:23:25 | tainted | The $@ of this request depends on a $@. | serverSide.js:23:19:23:25 | tainted | URL | serverSide.js:14:29:14:35 | req.url | user-provided value |
@@ -42,6 +44,14 @@ edges
 | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | axiosInterceptors.serverSide.js:19:11:19:17 | { url } | provenance |  |
 | axiosInterceptors.serverSide.js:20:5:20:25 | userProvidedUrl | axiosInterceptors.serverSide.js:11:26:11:40 | userProvidedUrl | provenance |  |
 | axiosInterceptors.serverSide.js:20:23:20:25 | url | axiosInterceptors.serverSide.js:20:5:20:25 | userProvidedUrl | provenance |  |
+| request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | provenance |  |
+| request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | provenance |  |
+| request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | provenance |  |
+| request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | provenance |  |
+| request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | request/app/api/proxy/route.serverSide.ts:2:9:2:34 | url | provenance |  |
+| request/app/api/proxy/route.serverSide.ts:2:9:2:34 | url | request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | provenance |  |
+| request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | provenance |  |
+| request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | provenance |  |
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:18:13:18:19 | tainted | provenance |  |
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:20:17:20:23 | tainted | provenance |  |
 | serverSide.js:14:9:14:52 | tainted | serverSide.js:23:19:23:25 | tainted | provenance |  |
@@ -109,6 +119,16 @@ nodes
 | axiosInterceptors.serverSide.js:19:21:19:28 | req.body | semmle.label | req.body |
 | axiosInterceptors.serverSide.js:20:5:20:25 | userProvidedUrl | semmle.label | userProvidedUrl |
 | axiosInterceptors.serverSide.js:20:23:20:25 | url | semmle.label | url |
+| request/app/api/proxy/route2.serverSide.ts:4:9:4:15 | { url } | semmle.label | { url } |
+| request/app/api/proxy/route2.serverSide.ts:4:9:4:34 | url | semmle.label | url |
+| request/app/api/proxy/route2.serverSide.ts:4:19:4:34 | await req.json() | semmle.label | await req.json() |
+| request/app/api/proxy/route2.serverSide.ts:4:25:4:34 | req.json() | semmle.label | req.json() |
+| request/app/api/proxy/route2.serverSide.ts:5:27:5:29 | url | semmle.label | url |
+| request/app/api/proxy/route.serverSide.ts:2:9:2:15 | { url } | semmle.label | { url } |
+| request/app/api/proxy/route.serverSide.ts:2:9:2:34 | url | semmle.label | url |
+| request/app/api/proxy/route.serverSide.ts:2:19:2:34 | await req.json() | semmle.label | await req.json() |
+| request/app/api/proxy/route.serverSide.ts:2:25:2:34 | req.json() | semmle.label | req.json() |
+| request/app/api/proxy/route.serverSide.ts:3:27:3:29 | url | semmle.label | url |
 | serverSide.js:14:9:14:52 | tainted | semmle.label | tainted |
 | serverSide.js:14:19:14:42 | url.par ... , true) | semmle.label | url.par ... , true) |
 | serverSide.js:14:29:14:35 | req.url | semmle.label | req.url |