JS: Add support for @vercel/node serverless functions

This adds a framework model for Vercel serverless functions so that
CodeQL's existing JavaScript security queries can detect vulnerabilities
in handlers of the form

    export default function handler(req: VercelRequest, res: VercelResponse) { ... }

Handlers are identified as the default export of a module whose first
two parameters are typed as `VercelRequest`/`VercelResponse` from
`@vercel/node`. The default-export constraint excludes private helpers
that share the same signature. Type-based detection follows the same
pattern already used by `NextReqResHandler` in `Next.qll`.

The framework model covers:
- Route handler recognition (default-exported typed handlers only)
- Request input sources: `query`, `body`, `cookies`, and `url`
  (the last inherited from Node's `IncomingMessage`)
- Named header accesses like `req.headers.host` and `req.headers.referer`,
  modelled as `Http::RequestHeaderAccess` so header-specific queries fire
- Response sinks: `res.send`, `res.status(...).send`, `res.redirect`
- Header definitions via `res.setHeader`

Includes a library test exercising each model predicate (including a
negative case for private helpers) and query consistency fixtures
demonstrating end-to-end detection for js/reflected-xss,
js/request-forgery, js/sql-injection, and js/command-line-injection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: murderteeth

docs/codeql/reusables/supported-frameworks.rst

@@ -197,6 +197,7 @@ and the CodeQL library pack ``codeql/javascript-all`` (`changelog <https://githu
    superagent, Network communicator
    swig, templating language
    underscore, Utility library
+   vercel, Serverless framework
    vue, HTML framework
 
 

javascript/ql/lib/change-notes/2026-04-12-vercel-node.md

@@ -0,0 +1,4 @@
+---
+category: newFeature
+---
+* Added support for [`@vercel/node`](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions. Handlers are recognised via the `VercelRequest`/`VercelResponse` TypeScript parameter types, and standard security queries (`js/reflected-xss`, `js/request-forgery`, `js/sql-injection`, `js/command-line-injection`, etc.) now detect vulnerabilities in Vercel API route files.

javascript/ql/lib/javascript.qll

@@ -134,6 +134,7 @@ import semmle.javascript.frameworks.TorrentLibraries
 import semmle.javascript.frameworks.Typeahead
 import semmle.javascript.frameworks.TrustedTypes
 import semmle.javascript.frameworks.UriLibraries
+import semmle.javascript.frameworks.VercelNode
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.Vuex
 import semmle.javascript.frameworks.Webix

javascript/ql/lib/semmle/javascript/frameworks/VercelNode.qll

@@ -0,0 +1,200 @@
+/**
+ * Provides classes for working with [@vercel/node](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions.
+ */
+
+import javascript
+import semmle.javascript.frameworks.HTTP
+
+/**
+ * Provides classes for working with [@vercel/node](https://www.npmjs.com/package/@vercel/node) Vercel serverless functions.
+ *
+ * A Vercel serverless function is a module whose default export is a function
+ * with signature `(req: VercelRequest, res: VercelResponse) => void`, where
+ * the types are imported from the `@vercel/node` package. The Vercel runtime
+ * invokes the default export for every incoming HTTP request.
+ */
+module VercelNode {
+  /**
+   * A Vercel serverless function handler, identified as the default export of a
+   * module whose first two parameters are typed as `VercelRequest` and
+   * `VercelResponse` from `@vercel/node`.
+   *
+   * Since `@vercel/node` is commonly imported as a type-only import, handlers
+   * are recognised by their TypeScript parameter types. The default-export
+   * constraint excludes private helpers or test utilities that share the
+   * same signature.
+   */
+  class RouteHandler extends Http::Servers::StandardRouteHandler, DataFlow::FunctionNode {
+    DataFlow::ParameterNode req;
+    DataFlow::ParameterNode res;
+
+    RouteHandler() {
+      this = any(Module m).getAnExportedValue("default").getAFunctionValue() and
+      req = this.getParameter(0) and
+      res = this.getParameter(1) and
+      req.hasUnderlyingType("@vercel/node", "VercelRequest") and
+      res.hasUnderlyingType("@vercel/node", "VercelResponse")
+    }
+
+    /** Gets the parameter that contains the request object. */
+    DataFlow::ParameterNode getRequest() { result = req }
+
+    /** Gets the parameter that contains the response object. */
+    DataFlow::ParameterNode getResponse() { result = res }
+  }
+
+  /**
+   * A Vercel request source, that is, the request parameter of a route handler.
+   */
+  private class RequestSource extends Http::Servers::RequestSource {
+    RouteHandler rh;
+
+    RequestSource() { this = rh.getRequest() }
+
+    override RouteHandler getRouteHandler() { result = rh }
+  }
+
+  /**
+   * A Vercel response source, that is, the response parameter of a route handler.
+   */
+  private class ResponseSource extends Http::Servers::ResponseSource {
+    RouteHandler rh;
+
+    ResponseSource() { this = rh.getResponse() }
+
+    override RouteHandler getRouteHandler() { result = rh }
+  }
+
+  /**
+   * A chained response, such as `res.status(200)`, `res.type('html')`, or `res.set(...)`.
+   *
+   * These methods return the response object and are commonly chained before `send` or `json`.
+   */
+  private class ChainedResponseSource extends Http::Servers::ResponseSource {
+    RouteHandler rh;
+
+    ChainedResponseSource() {
+      exists(ResponseSource src |
+        this = src.ref().getAMethodCall(["status", "type", "set"]) and
+        rh = src.getRouteHandler()
+      )
+    }
+
+    override RouteHandler getRouteHandler() { result = rh }
+  }
+
+  /**
+   * An access to user-controlled input on a Vercel request.
+   *
+   * Covers `req.query`, `req.body`, `req.cookies`, and `req.url` (inherited
+   * from Node's `IncomingMessage`). Named-header accesses like `req.headers.host`
+   * are handled by `RequestHeaderAccess` below.
+   */
+  private class RequestInputAccess extends Http::RequestInputAccess {
+    RouteHandler rh;
+    string kind;
+
+    RequestInputAccess() {
+      exists(RequestSource src | rh = src.getRouteHandler() |
+        this = src.ref().getAPropertyRead("query") and kind = "parameter"
+        or
+        this = src.ref().getAPropertyRead("body") and kind = "body"
+        or
+        this = src.ref().getAPropertyRead("cookies") and kind = "cookie"
+        or
+        this = src.ref().getAPropertyRead("url") and kind = "url"
+      )
+      or
+      exists(RequestHeaderAccess access | this = access |
+        rh = access.getRouteHandler() and
+        kind = "header"
+      )
+    }
+
+    override RouteHandler getRouteHandler() { result = rh }
+
+    override string getKind() { result = kind }
+  }
+
+  /**
+   * An access to a named header on a Vercel request, for example
+   * `req.headers.host` or `req.headers.referer`.
+   */
+  private class RequestHeaderAccess extends Http::RequestHeaderAccess {
+    RouteHandler rh;
+
+    RequestHeaderAccess() {
+      exists(RequestSource src |
+        this = src.ref().getAPropertyRead("headers").getAPropertyRead() and
+        rh = src.getRouteHandler()
+      )
+    }
+
+    override string getAHeaderName() {
+      result = this.(DataFlow::PropRead).getPropertyName().toLowerCase()
+    }
+
+    override RouteHandler getRouteHandler() { result = rh }
+
+    override string getKind() { result = "header" }
+  }
+
+  /**
+   * An argument to `res.send(...)` on a Vercel response, including chained
+   * calls such as `res.status(200).send(...)`.
+   */
+  private class ResponseSendArgument extends Http::ResponseSendArgument {
+    RouteHandler rh;
+
+    ResponseSendArgument() {
+      exists(Http::Servers::ResponseSource src |
+        (src instanceof ResponseSource or src instanceof ChainedResponseSource) and
+        this = src.ref().getAMethodCall("send").getArgument(0) and
+        rh = src.getRouteHandler()
+      )
+    }
+
+    override RouteHandler getRouteHandler() { result = rh }
+  }
+
+  /**
+   * A call to `res.redirect(...)` on a Vercel response.
+   */
+  private class RedirectInvocation extends Http::RedirectInvocation, DataFlow::MethodCallNode {
+    RouteHandler rh;
+
+    RedirectInvocation() {
+      exists(ResponseSource src |
+        this = src.ref().getAMethodCall("redirect") and
+        rh = src.getRouteHandler()
+      )
+    }
+
+    override DataFlow::Node getUrlArgument() { result = this.getLastArgument() }
+
+    override RouteHandler getRouteHandler() { result = rh }
+  }
+
+  /**
+   * A call to `res.setHeader(name, value)` on a Vercel response.
+   */
+  private class SetHeader extends Http::ExplicitHeaderDefinition, DataFlow::CallNode {
+    RouteHandler rh;
+
+    SetHeader() {
+      exists(ResponseSource src |
+        this = src.ref().getAMethodCall("setHeader") and
+        rh = src.getRouteHandler()
+      )
+    }
+
+    override RouteHandler getRouteHandler() { result = rh }
+
+    override predicate definesHeaderValue(string headerName, DataFlow::Node headerValue) {
+      headerName = this.getArgument(0).getStringValue().toLowerCase() and
+      headerValue = this.getArgument(1)
+    }
+
+    override DataFlow::Node getNameNode() { result = this.getArgument(0) }
+  }
+}

javascript/ql/test/library-tests/frameworks/vercel/HeaderDefinition.qll

@@ -0,0 +1,7 @@
+import javascript
+
+query predicate test_HeaderDefinition(
+  Http::HeaderDefinition hd, string name, VercelNode::RouteHandler rh
+) {
+  hd.getRouteHandler() = rh and name = hd.getAHeaderName()
+}

javascript/ql/test/library-tests/frameworks/vercel/RedirectInvocation.qll

@@ -0,0 +1,7 @@
+import javascript
+
+query predicate test_RedirectInvocation(
+  Http::RedirectInvocation call, DataFlow::Node url, VercelNode::RouteHandler rh
+) {
+  call.getRouteHandler() = rh and url = call.getUrlArgument()
+}

javascript/ql/test/library-tests/frameworks/vercel/RequestInputAccess.qll

@@ -0,0 +1,7 @@
+import javascript
+
+query predicate test_RequestInputAccess(
+  Http::RequestInputAccess ria, string kind, VercelNode::RouteHandler rh
+) {
+  ria.getRouteHandler() = rh and kind = ria.getKind()
+}

javascript/ql/test/library-tests/frameworks/vercel/RequestSource.qll

@@ -0,0 +1,5 @@
+import javascript
+
+query predicate test_RequestSource(Http::Servers::RequestSource src, VercelNode::RouteHandler rh) {
+  src.getRouteHandler() = rh
+}

javascript/ql/test/library-tests/frameworks/vercel/ResponseSendArgument.qll

@@ -0,0 +1,7 @@
+import javascript
+
+query predicate test_ResponseSendArgument(
+  Http::ResponseSendArgument arg, VercelNode::RouteHandler rh
+) {
+  arg.getRouteHandler() = rh
+}

javascript/ql/test/library-tests/frameworks/vercel/ResponseSource.qll

@@ -0,0 +1,5 @@
+import javascript
+
+query predicate test_ResponseSource(Http::Servers::ResponseSource src, VercelNode::RouteHandler rh) {
+  src.getRouteHandler() = rh
+}