Create a new CQL injection test project and move the old one to a folder

Author: jeongsoolee09

javascript/frameworks/cap/test/queries/cqlinjection/db/schema.cds

@@ -0,0 +1,11 @@
+namespace advanced_security.log_injection.sample_entities;
+
+entity Entity1 {
+  Attribute1 : String(100);
+  Attribute2 : String(100)
+}
+
+entity Entity2 {
+  Attribute3 : String(100);
+  Attribute4 : String(100)
+}

javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected renamed to javascript/frameworks/cap/test/queries/cqlinjection/old/cqlinjection.expected

@@ -0,0 +1,23 @@
+{
+  "name": "@advanced-security/log-injection",
+  "version": "1.0.0",
+  "dependencies": {
+    "@sap/cds": "^7",
+    "express": "^4.17.1",
+    "@cap-js/sqlite": "*"
+  },
+  "scripts": {
+    "start": "cds-serve",
+    "watch": "cds watch"
+  },
+  "cds": {
+    "requires": {
+      "service-1": {
+        "impl": "srv/service1.js"
+      },
+      "service-2": {
+        "impl": "srv/service2.js"
+      }
+    }
+  }
+}

javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js renamed to javascript/frameworks/cap/test/queries/cqlinjection/old/cqlinjection.js

@@ -0,0 +1,4 @@
+const cds = require("@sap/cds");
+const app = require("express")();
+
+cds.serve("all").in(app);

javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.qlref renamed to javascript/frameworks/cap/test/queries/cqlinjection/old/cqlinjection.qlref

@@ -0,0 +1,13 @@
+using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
+
+/* Uncomment the line below to make the service hidden */
+// @protocol: 'none'
+service Service1 @(path: '/service-1') {
+  /* Entity to send READ/GET about. */
+  entity Service1Entity as projection on db_schema.Entity1 excluding { Attribute2 }
+
+  /* API to talk to Service1. */
+  action send1 (
+    messageToPass : String
+  ) returns String;
+}

javascript/frameworks/cap/test/queries/cqlinjection/package.json

@@ -0,0 +1,138 @@
+const cds = require("@sap/cds");
+
+module.exports = class Service1 extends cds.ApplicationService {
+  init() {
+    /* ========== Service1 running query on the database service using `cds.run` and friends using Fluent API ========== */
+    this.on("send11", async (req) => {
+      const { id } = req.data;
+      const query = SELECT.from`Entity1`.where("ID=" + id);
+      cds.run(query);
+    });
+
+    this.on("send12", async (req) => {
+      const { id } = req.data;
+      cds.read("Entity1").where("ID =" + id);
+    });
+
+    this.on("send13", async (req) => {
+      const { id } = req.data;
+      cds.create("Entity1").entries({id: "" + id});
+    });
+
+    this.on("send14", async (req) => {
+      const { id, amount } = req.data;
+      cds.update("Entity1").set("col1 = col1" + amount).where("col1 = " + id);
+    });
+
+    this.on("send15", async (req) => {
+      const { id } = req.data;
+      cds.upsert("Entity1").entries({id: "" + id});
+    });
+
+    this.on("send16", async (req) => {
+      const { id } = req.data;
+      cds.delete("Entity1").where("ID =" + id);
+    });
+
+    /* ========== Service1 running query on itself by `await`-ing the query ========== */
+    this.on("send21", async (req) => {
+      const { id } = req.data;
+      const { Service1Entity } = this.entities;
+      await SELECT.from(Service1Entity).where("ID=" + id);
+    });
+
+    this.on("send22", async (req) => {
+      const { id } = req.data;
+      const { Service1Entity } = this.entities;
+      await INSERT.into(Service1Entity).entries({ id: "" + id });
+    });
+
+    this.on("send23", async (req) => {
+      const { id, amount } = req.data;
+      const { Service1Entity } = this.entities;
+      await UPDATE.entity(Service1Entity).set(`col1 = col1 -` + amount).where("id=" + id);
+    });
+
+    this.on("send24", async (req) => {
+      const { id } = req.data;
+      const { Service1Entity } = this.entities;
+      await UPSERT.into(Service1Entity).entries({ id: "" + id });
+    });
+
+    this.on("send25", async (req) => {
+      const { id } = req.data;
+      const { Service1Entity } = this.entities;
+      await DELETE.from(Service1Entity).where("ID =" + id);
+    });
+
+    /* ========== Service1 running query on itself using `this.run` and friends using Fluent API ========== */
+    this.on("send31", async (req) => {
+      const { id } = req.data;
+      const query = SELECT.from`Service1Entity`.where("ID=" + id);
+      this.run(query);
+    });
+
+    this.on("send32", async (req) => {
+      const { id } = req.data;
+      this.read(`Service1Entity`).where("ID =" + id);
+    });
+
+    this.on("send33", async (req) => {
+      const { id } = req.data;
+      this.create(`Service1Entity`).entries({id: "" + id});
+    });
+
+    this.on("send34", async (req) => {
+      const { id, amount } = req.data;
+      this.update(`Service1Entity`).set("col1 = col1" + amount).where("col1 = " + id);
+    });
+
+    this.on("send35", async (req) => {
+      const { id } = req.data;
+      this.upsert(`Service1Entity`).entries({id: "" + id});
+    });
+
+    this.on("send36", async (req) => {
+      const { id } = req.data;
+      this.delete(`Service1Entity`).where("ID =" + id);
+    });
+
+    /* ========== Service1 running query on Service2 using `Service2.run` and friends ========== */
+    this.on("send41", async (req) => {
+      const { id } = req.data;
+      const { Service2 } = await cds.connect.to("Service2");
+      const query = SELECT.from`Service1Entity`.where("ID=" + id);
+      Service2.run(query);
+    });
+
+    this.on("send42", async (req) => {
+      const { id } = req.data;
+      const { Service2 } = await cds.connect.to("Service2");
+      Service2.read(`Service2Entity`).where("ID =" + id);
+    });
+
+    this.on("send43", async (req) => {
+      const { id } = req.data;
+      const { Service2 } = await cds.connect.to("Service2");
+      Service2.create(`Service2Entity`).entries({id: "" + id});
+    });
+
+    this.on("send44", async (req) => {
+      const { id, amount } = req.data;
+      const { Service2 } = await cds.connect.to("Service2");
+      Service2.update(`Service2Entity`).set("col1 = col1" + amount).where("col1 = " + id);
+    });
+
+    this.on("send45", async (req) => {
+      const { id } = req.data;
+      const { Service2 } = await cds.connect.to("Service2");
+      Service2.upsert(`Service2Entity`).entries({id: "" + id});
+    });
+
+    this.on("send46", async (req) => {
+      const { id } = req.data;
+      const { Service2 } = await cds.connect.to("Service2");
+      Service2.delete(`Service2Entity`).where("ID =" + id);
+    });
+  }
+};

javascript/frameworks/cap/test/queries/cqlinjection/server.js

@@ -0,0 +1,13 @@
+using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
+
+/* Uncomment the line below to make the service hidden */
+// @protocol: 'none'
+service Service2 @(path: '/service-2') {
+  /* Entity to send READ/GET about. */
+  entity Service2Entity as projection on db_schema.Entity2 excluding { Attribute4 }
+
+  /* API to talk to Service2. */
+  action send2 (
+    messageToPass: String
+  ) returns String;
+}

javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.cds

@@ -0,0 +1,11 @@
+const cds = require("@sap/cds");
+
+module.exports = cds.service.impl(function () {
+  /* Log upon receiving an "send2" event. */
+  this.on("send2", async (msg) => {
+    const { messageToPass } = msg.data;
+    /* Do something with the received data; customize below to individual needs. */
+    const doSomething = console.log;
+    doSomething(messageToPass);
+  });
+});