Do some refactoring

Author: jeongsoolee09

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll

@@ -18,21 +18,6 @@ class TaintedClause instanceof CqlClause {
   Expr asExpr() { result = super.asExpr() }
 }
 
-/**
- * Call to`cds.db.run`
- * or
- * an await surrounding a sql statement
- */
-class CQLSink extends DataFlow::Node {
-  CQLSink() {
-    this = any(CdsFacade cds).getMember("db").getMember("run").getACall().getAnArgument()
-    or
-    exists(AwaitExpr a, CqlClause clause |
-      a.getAChildExpr() = clause.asExpr() and this.asExpr() = clause.asExpr()
-    )
-  }
-}
-
 /**
  * a more heurisitic based taint step
  * captures one of the alternative ways to construct query strings:
@@ -57,7 +42,14 @@ class CqlIConfiguration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CQLSink }
+  override predicate isSink(DataFlow::Node node) {
+    node = any(CdsFacade cds).getMember("db").getMember("run").getACall().getAnArgument()
+    or
+    exists(AwaitExpr awaitExpr, CqlClause clause |
+      node.asExpr() = clause.asExpr() and
+      awaitExpr.getOperand() = clause.asExpr()
+    )
+  }
 
   override predicate isSanitizer(DataFlow::Node node) {
     super.isSanitizer(node) or

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -7,6 +7,7 @@ import advanced_security.javascript.frameworks.cap.CQL
 import advanced_security.javascript.frameworks.cap.RemoteFlowSources
 
 /**
+ * The CDS facade that provides useful interfaces to the current CAP application.
  * ```js
  * const cds = require('@sap/cds')
  * ```
@@ -31,6 +32,23 @@ class CdsEntitiesCall extends DataFlow::CallNode {
   }
 }
 
+/**
+ * The property `db` of on a CDS facade, often accessed as `cds.db`.
+ */
+class CdsDb extends SourceNode {
+  CdsDb() { exists(CdsFacade cds | this = cds.getMember("db").asSource()) }
+
+  MethodCallNode getRunCall() { result = this.getAMemberCall("run") }
+
+  MethodCallNode getCreateCall() { result = this.getAMemberCall("create") }
+
+  MethodCallNode getUpdateCall() { result = this.getAMemberCall("update") }
+
+  MethodCallNode getDeleteCall() { result = this.getAMemberCall("delete") }
+
+  MethodCallNode getInsertCall() { result = this.getAMemberCall("insert") }
+}
+
 /**
  * An entity object that belongs to a service.
  *
@@ -123,7 +141,8 @@ class CdsConnectToCall extends DataFlow::CallNode {
 }
 
 /**
- * A dataflow node that represents a service. Note that its definition is a `UserDefinedApplicationService`, not a `ServiceInstance`.
+ * A dataflow node that represents a service.
+ * Note that its definition is a `UserDefinedApplicationService`, not a `ServiceInstance`.
  */
 abstract class ServiceInstance extends SourceNode {
   abstract UserDefinedApplicationService getDefinition();
@@ -764,5 +783,59 @@ class HandlerParameterData instanceof PropRead {
     )
   }
 
-  string toString() { result = PropRead.super.toString() }
+  string toString() { result = super.toString() }
+}
+
+/**
+ * A call to a method capable of running a CQL query. This includes the following:
+ * - Generic query runners: `cds.run`, `cds.db.run`, `srv.run`
+ * - Shortcut to CQL's `READ`: `cds.read`, `cds.db.read`, `srv.read`
+ * - Shortcut to CQL's `CREATE`: `cds.create`, `cds.db.create`, `srv.create`
+ * - Shortcut to CQL's `INSERT`: `cds.insert`, `cds.db.insert`, `srv.insert`
+ * - Shortcut to CQL's `UPSERT`: `cds.upsert`, `cds.db.upsert`, `srv.upsert`
+ * - Shortcut to CQL's `UPDATE`: `cds.update`, `cds.db.update`, `srv.update`
+ * - Shortcut to CQL's `DELETE`: `cds.delete`, `cds.db.delete`, `srv.delete`
+ */
+abstract class CqlQueryRunnerCall extends MethodCallNode {
+  SourceNode base;
+  string methodName;
+
+  CqlQueryRunnerCall() {
+    this = base.getAMemberCall(methodName) and
+    (
+      /*
+       * 1. Method call on the CDS facade or the base database service,
+       * accessed as `cds.db`.
+       */
+
+      exists(CdsFacade cds | base = cds.asSource()) or
+      exists(CdsDb cdsDb | base = cdsDb) or
+      /* 2. Method call on a service instance object. */
+      exists(ServiceInstance srv | base = srv)
+    )
+  }
+}
+
+class CqlRunMethodCall extends CqlQueryRunnerCall {
+  CqlRunMethodCall() { this.getMethodName() = "run" }
+}
+
+class CqlReadMethodCall extends CqlQueryRunnerCall {
+  CqlReadMethodCall() { this.getMethodName() = "read" }
+}
+
+class CqlCreateMethodCall extends CqlQueryRunnerCall {
+  CqlCreateMethodCall() { this.getMethodName() = "create" }
+}
+
+class CqlUpdateMethodCall extends CqlQueryRunnerCall {
+  CqlUpdateMethodCall() { this.getMethodName() = "update" }
+}
+
+class CqlDeleteMethodCall extends CqlQueryRunnerCall {
+  CqlDeleteMethodCall() { this.getMethodName() = "delete" }
+}
+
+class CqlInsertMethodCall extends CqlQueryRunnerCall {
+  CqlInsertMethodCall() { this.getMethodName() = "insert" }
 }

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll

@@ -11,12 +11,14 @@ class CqlQueryBase extends VarRef {
     exists(string name |
       this.getName() = name and
       name in ["SELECT", "INSERT", "DELETE", "UPDATE", "UPSERT"] and
-      /* Made available as a global variable */
-      exists(GlobalVariable queryBase | this = queryBase.getAReference())
-      or
-      /* Imported from `cds.ql` */
-      exists(CdsFacade cds |
-        cds.getMember("ql").getMember(name).getAValueReachableFromSource().asExpr() = this
+      (
+        /* Made available as a global variable */
+        exists(GlobalVariable queryBase | this = queryBase.getAReference())
+        or
+        /* Imported from `cds.ql` */
+        exists(CdsFacade cds |
+          cds.getMember("ql").getMember(name).getAValueReachableFromSource().asExpr() = this
+        )
       )
     )
   }
@@ -88,22 +90,22 @@ Expr getRootReceiver(Expr e) {
  * provided by the module cds.ql
  */
 private newtype TCqlClause =
-  TaggedTemplate(TaggedTemplateExpr taggedTemplateExpr) {
+  TTaggedTemplate(TaggedTemplateExpr taggedTemplateExpr) {
     exists(CqlQueryBase base | base = getRootReceiver(taggedTemplateExpr)) or
     exists(CqlQueryBaseCall call | call = getRootReceiver(taggedTemplateExpr))
   } or
-  MethodCall(MethodCallExpr callExpr) {
+  TMethodCall(MethodCallExpr callExpr) {
     exists(CqlQueryBase base | base = getRootReceiver(callExpr)) or
     exists(CqlQueryBaseCall call | call = getRootReceiver(callExpr))
   } or
-  ShortcutCall(CqlQueryBaseCall callExpr)
+  TShortcutCall(CqlQueryBaseCall callExpr)
 
 class CqlClause extends TCqlClause {
-  TaggedTemplateExpr asTaggedTemplate() { this = TaggedTemplate(result) }
+  TaggedTemplateExpr asTaggedTemplate() { this = TTaggedTemplate(result) }
 
-  MethodCallExpr asMethodCall() { this = MethodCall(result) }
+  MethodCallExpr asMethodCall() { this = TMethodCall(result) }
 
-  CallExpr asShortcutCall() { this = ShortcutCall(result) }
+  CallExpr asShortcutCall() { this = TShortcutCall(result) }
 
   Node flow() { result = this.asExpr().flow() }
 
@@ -169,8 +171,8 @@ class CqlClause extends TCqlClause {
   CqlQueryBase getCqlBase() { result = getRootReceiver(this.asMethodCall()) }
 
   CqlQueryBaseCall getCqlBaseCall() {
-    result = getRootReceiver(this.asTaggedTemplate()).(CqlQueryBaseCall) or
-    result = getRootReceiver(this.asMethodCall()).(CqlQueryBaseCall)
+    result = getRootReceiver(this.asTaggedTemplate()) or
+    result = getRootReceiver(this.asMethodCall())
   }
 
   /** Describes a parent expression relation */
@@ -184,9 +186,9 @@ class CqlClause extends TCqlClause {
    * Possible cases for constructing a chain of clauses:
    *
    * (looking at the terminal clause and its possible parent types as tuples: (this, parent))
-   * 1. MethodCall.MethodCall
+   * 1. TMethodCall.TMethodCall
    *     - example `(SELECT.from(Table),  SELECT.from(Table).where("col1='*'"))`
-   * 2. ShortcutCall.MethodCall
+   * 2. TShortcutCall.TMethodCall
    *     - example `(SELECT("col1, col2"), SELECT("col1, col2").from("Table"))`
    *
    * Note that ShortcutCalls cannot be added to any clause chain other than the first position, e.g.