From 6617947822cce9bc5510944227e899e20872ab48 Mon Sep 17 00:00:00 2001
From: Matt Schwager <matt.schwager@trailofbits.com>
Date: Wed, 10 Jan 2024 13:27:22 -0700
Subject: [PATCH] Fix #16, add support for Express routes defined on the app

---
 CHANGELOG.md                |  4 ++++
 routes/rules/express.yml    | 10 ++++++++++
 tests/test_rules/express.ts | 15 +++++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 994b125..bd1c924 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Support for Express routes defined on the app ([#16](https://github.com/mschwager/route-detect/issues/16))
+
 ## [0.7.0] - 2023-06-28
 
 ### Added
diff --git a/routes/rules/express.yml b/routes/rules/express.yml
index bebc2e6..abaac6d 100644
--- a/routes/rules/express.yml
+++ b/routes/rules/express.yml
@@ -17,6 +17,11 @@ rules:
               ...
               $APP = express.Router(...)
               ...
+          - pattern-inside: |
+              import express from "express";
+              ...
+              $APP = express(...)
+              ...
           - pattern-inside: |
               import { Router } from "express";
               ...
@@ -86,6 +91,11 @@ rules:
               ...
               $APP = express.Router(...)
               ...
+          - pattern-inside: |
+              import express from "express";
+              ...
+              $APP = express(...)
+              ...
           - pattern-inside: |
               import { Router } from "express";
               ...
diff --git a/tests/test_rules/express.ts b/tests/test_rules/express.ts
index 8c6859a..c1e5911 100644
--- a/tests/test_rules/express.ts
+++ b/tests/test_rules/express.ts
@@ -5,6 +5,7 @@ import passport from 'passport';
 function authenticated() {
     const router1 = Router()
     const router2 = express.Router()
+    const app = express()
 
     router1.use(passport.initialize());
     router1.use(passport.session());
@@ -12,6 +13,9 @@ function authenticated() {
     router2.use(passport.initialize());
     router2.use(passport.session());
 
+    app.use(passport.initialize());
+    app.use(passport.session());
+
     // ruleid: express-route-authenticated
     router1.get('/', (req, res) => {
       res.send('GET request to the homepage')
@@ -32,11 +36,17 @@ function authenticated() {
     router2.delete('/', (req, res) => {
       res.send('DELETE request to the homepage')
     })
+
+    // ruleid: express-route-authenticated
+    app.get('/', (req, res) => {
+      res.send('hello world')
+    })
 }
 
 function unauthenticated() {
     const router1 = Router()
     const router2 = express.Router()
+    const app = express()
 
     // ruleid: express-route-unauthenticated
     router1.get('/', (req, res) => {
@@ -47,4 +57,9 @@ function unauthenticated() {
     router2.delete('/', (req, res) => {
       res.send('DELETE request to the homepage')
     })
+
+    // ruleid: express-route-unauthenticated
+    app.get('/', (req, res) => {
+      res.send('hello world')
+    })
 }