Fix regression in SensitiveExposure

Author: jeongsoolee09

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -665,7 +665,7 @@ abstract class EntityReference extends CdsReference {
  * SELECT.from`Books`.where(`ID=${id}`)
  * ```
  */
-class EntityReferenceFromEntities extends EntityReference instanceof PropRead {
+class EntityReferenceFromEntities extends EntityReference, SourceNode instanceof PropRead {
   /**
    * A read from property `entities` or a method call to `entities`.
    */
@@ -711,6 +711,12 @@ class EntityReferenceFromEntities extends EntityReference instanceof PropRead {
 
   string getEntityName() { result = entityName }
 
+  predicate isFromEntitiesCall() { entitiesAccess instanceof MethodCallNode }
+
+  string getEntitiesCallNamespace() {
+    result = entitiesAccess.(MethodCallNode).getArgument(0).getStringValue()
+  }
+
   abstract override CdlEntity getCqlDefinition();
 
   abstract UserDefinedApplicationService getServiceDefinition();

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql

@@ -16,54 +16,44 @@ import advanced_security.javascript.frameworks.cap.CDS
 import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
 import DataFlow::PathGraph
 
-/**
- * An entity instance obtained by the entity's namespace,
- * via `cds.entities`
- * ```javascript
- * // Obtained through `cds.entities`
- * const Service1 = cds.entities("sample.application.namespace");
- * ```
- */
-class EntityEntry extends DataFlow::CallNode {
-  EntityEntry() { exists(CdsEntitiesCall c | c.getACall() = this) }
-
-  /**
-   * Gets the namespace that this entity belongs to.
-   */
-  string getNamespace() {
-    result = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue()
-  }
+// /**
+//  * An entity instance obtained by the entity's namespace via `cds.entities`. e.g.
+//  *
+//  * ```javascript
+//  * const Service1 = cds.entities("sample.application.namespace");
+//  * ```
+//  */
+// class EntityEntry extends DataFlow::CallNode {
+//   EntityEntry() { exists(CdsEntitiesCall c | c.getACall() = this) }
+//   /**
+//    * Gets the namespace that this entity belongs to.
+//    */
+//   string getNamespace() {
+//     result = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue()
+//   }
+// }
+EntityReferenceFromEntities entityAccesses(string entityNamespace) {
+  entityNamespace = result.getEntitiesCallNamespace()
 }
 
-SourceNode entityAccesses(TypeTracker t, string entityNamespace) {
-  t.start() and
-  exists(EntityEntry e | result = e and entityNamespace = e.getNamespace())
-  or
-  exists(TypeTracker t2 | result = entityAccesses(t2, entityNamespace).track(t2, t))
-}
-
-SourceNode entityAccesses(string entityNamespace) {
-  result = entityAccesses(TypeTracker::end(), entityNamespace)
-}
-
-class SensitiveExposureFieldSource extends DataFlow::Node {
-  SensitiveAnnotatedAttribute cdsField;
-  SensitiveAnnotatedEntity entity;
+class SensitiveExposureFieldSource instanceof PropRead {
+  SensitiveAnnotatedAttribute cdlAttribute;
+  SensitiveAnnotatedEntity cdlEntity;
   string namespace;
 
   SensitiveExposureFieldSource() {
-    this = entityAccesses(namespace).getAPropertyRead().getAPropertyRead() and
+    this = entityAccesses(namespace).getAPropertyRead() and
     //field name is same as some cds declared field
-    this.(PropRead).getPropertyName() = cdsField.getName() and
-    //entity name is the same as some cds declared entity
-    entityAccesses(namespace).getAPropertyRead().toString() = entity.getShortName() and
-    //and that field belongs to that entity in the cds
-    entity.(CdlEntity).getAttribute(cdsField.getName()) = cdsField and
+    this.getPropertyName() = cdlAttribute.getName() and
+    //and that field belongs to that cdlEntity in the cds
+    cdlEntity.(CdlEntity).getAttribute(cdlAttribute.getName()) = cdlAttribute and
     //and the namespace is the same (fully qualified id match)
-    entity.(NamespacedEntity).getNamespace() = namespace
+    cdlEntity.(NamespacedEntity).getNamespace() = namespace
   }
 
-  SensitiveAnnotatedAttribute getCdsField() { result = cdsField }
+  SensitiveAnnotatedAttribute getCdsField() { result = cdlAttribute }
+
+  string toString() { result = super.toString() }
 }
 
 class SensitiveLogExposureConfig extends TaintTracking::Configuration {

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected

@@ -1,12 +1,12 @@
 WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposure.ql:17,8-27)
-WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposure.ql:50,42-70)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,41-59)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,68-86)
+WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposure.ql:59,42-70)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:69,41-59)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:69,68-86)
 nodes
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 edges
 | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name |
 #select
-| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n      ...       } | name |
+| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds.json:9:17:13:9 | {\\n      ...       } | name |