feat: initial codeql setup (#1390)

2026-01-04 23:50:37 -06:00 · 2025-05-14 20:21:52 -04:00
parent e580f646a5
commit 2ade7eb527
8 changed files with 500 additions and 0 deletions
--- a/.github/codeql/custom-queries/javascript/api-auth-bypass.ql
+++ b/.github/codeql/custom-queries/javascript/api-auth-bypass.ql
@@ -0,0 +1,45 @@
+/**
+ * @name Potential API Authorization Bypass
+ * @description Functions that process API requests without verifying authorization may lead to security vulnerabilities.
+ * @kind problem
+ * @problem.severity error
+ * @precision medium
+ * @id js/api-auth-bypass
+ * @tags security
+ *       external/cwe/cwe-285
+ */
+
+import javascript
+
+/**
+ * Identifies functions that appear to handle API requests
+ */
+predicate isApiHandler(Function f) {
+  exists(f.getAParameter()) and
+  (
+    f.getName().regexpMatch("(?i).*(api|handler|controller|resolver|endpoint).*") or
+    exists(CallExpr call |
+      call.getCalleeName().regexpMatch("(?i).*(get|post|put|delete|patch).*") and
+      call.getArgument(1) = f
+    )
+  )
+}
+
+/**
+ * Identifies expressions that appear to perform authorization checks
+ */
+predicate isAuthCheck(DataFlow::Node node) {
+  exists(CallExpr call |
+    call.getCalleeName().regexpMatch("(?i).*(authorize|authenticate|isAuth|checkAuth|verifyAuth|hasPermission|isAdmin|canAccess).*") and
+    call.flow().getASuccessor*() = node
+  )
+}
+
+from Function apiHandler
+where
+  isApiHandler(apiHandler) and
+  not exists(DataFlow::Node authCheck | 
+    isAuthCheck(authCheck) and
+    authCheck.getEnclosingExpr().getEnclosingFunction() = apiHandler
+  )
+select apiHandler, "API handler function may not perform proper authorization checks."