
Commit 71ff926

committed
Fix wrong SAFE labels and shift comment location
For cases of `.run(...)`, the comment was placed where the CQL was assembled. Move the label to where the actual sink, the call to `run`, is.
1 parent 565dde2 commit 71ff926


1 file changed

+32
-32
lines changed

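--- a/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js
+++ b/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js
@@ -288,8 +288,8 @@ module.exports = class Service1 extends cds.ApplicationService {
 this.on("send41", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = SELECT.from`Service1Entity`.where("ID=" + id); // UNSAFE: direct concatenation with `+`
-Service2.run(query);
+const query = SELECT.from`Service1Entity`.where("ID=" + id);
+Service2.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send42", async (req) => {
@@ -332,101 +332,101 @@ module.exports = class Service1 extends cds.ApplicationService {
 this.on("send51", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = cds.ql("SELECT * from Service1Entity where ID =" + id); // UNSAFE: direct concatenation with `+`
-Service2.run(query);
+const query = cds.ql("SELECT * from Service1Entity where ID =" + id);
+Service2.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send51", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = cds.ql(`SELECT * from Service1Entity where ID =` + id); // UNSAFE: direct concatenation with `+`
-Service2.run(query);
+const query = cds.ql(`SELECT * from Service1Entity where ID =` + id);
+Service2.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send53", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = cds.ql(`SELECT * from Service1Entity where ID = ${id}`); // UNSAFE: direct concatenation with `+`
-Service2.run(query);
+const query = cds.ql(`SELECT * from Service1Entity where ID = ${id}`);
+Service2.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send54", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = cds.ql`SELECT * from Service1Entity where ID = ${id}`; // SAFE: tagged template expression
-Service2.run(query);
+const query = cds.ql`SELECT * from Service1Entity where ID = ${id}`;
+Service2.run(query); // SAFE: tagged template expression
 });
 
 /* ========== 6. Service1 running query on the database service using CQN parsed with `cds.parse.cql` ========== */
 this.on("send61", async (req) => {
 const { id } = req.data;
-const query = cds.parse.cql("SELECT * from Entity1 where ID =" + id); // UNSAFE: direct concatenation with `+`
-cds.run(query);
+const query = cds.parse.cql("SELECT * from Entity1 where ID =" + id);
+cds.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send62", async (req) => {
 const { id } = req.data;
-const query = cds.parse.cql(`SELECT * from Entity1 where ID =` + id); // UNSAFE: direct concatenation with `+`
-cds.run(query);
+const query = cds.parse.cql(`SELECT * from Entity1 where ID =` + id);
+cds.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send63", async (req) => {
 const { id } = req.data;
-const query = cds.parse.cql(`SELECT * from Entity1 where ID = ${id}`); // UNSAFE: direct interpolation in a template literal
-cds.run(query);
+const query = cds.parse.cql(`SELECT * from Entity1 where ID = ${id}`);
+cds.run(query); // UNSAFE: direct interpolation in a template literal
 });
 
 this.on("send64", async (req) => {
 const { id } = req.data;
-const query = cds.parse.cql`SELECT * from Entity1 where ID = ${id}`; // SAFE: tagged template expression
-cds.run(query);
+const query = cds.parse.cql`SELECT * from Entity1 where ID = ${id}`;
+cds.run(query); // SAFE: tagged template expression
 });
 
 /* ========== 7. Service1 running query on the database service using CQN parsed with global function `CQL` ========== */
 this.on("send71", async (req) => {
 const { id } = req.data;
-const query = CQL("SELECT * from Entity1 where ID =" + id); // UNSAFE: direct concatenation with `+`
-cds.run(query);
+const query = CQL("SELECT * from Entity1 where ID =" + id);
+cds.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send72", async (req) => {
 const { id } = req.data;
-const query = CQL(`SELECT * from Entity1 where ID =` + id); // UNSAFE: direct concatenation with `+`
-cds.run(query);
+const query = CQL(`SELECT * from Entity1 where ID =` + id);
+cds.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send73", async (req) => {
 const { id } = req.data;
-const query = CQL(`SELECT * from Entity1 where ID = ${id}`); // UNSAFE: direct interpolation in a template literal
-cds.run(query);
+const query = CQL(`SELECT * from Entity1 where ID = ${id}`);
+cds.run(query); // UNSAFE: direct interpolation in a template literal
 });
 
 this.on("send74", async (req) => {
 const { id } = req.data;
-const query = CQL`SELECT * from Entity1 where ID = ${id}`; // SAFE: tagged template expression
-cds.run(query);
+const query = CQL`SELECT * from Entity1 where ID = ${id}`;
+cds.run(query); // SAFE: tagged template expression
 });
 
 /* ========== 8. Service1 running query on Service2 using an unparsed CDL string (only valid in old versions of CAP) ========== */
 this.on("send81", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = "SELECT * from Entity1 where ID =" + id; // UNSAFE: direct concatenation with `+`
-Service2.run(query);
+const query = "SELECT * from Entity1 where ID =" + id;
+Service2.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send82", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = `SELECT * from Entity1 where ID =` + id; // UNSAFE: direct concatenation with `+`
-Service2.run(query);
+const query = `SELECT * from Entity1 where ID =` + id;
+Service2.run(query); // UNSAFE: direct concatenation with `+`
 });
 
 this.on("send83", async (req) => {
 const { id } = req.data;
 const Service2 = await cds.connect.to("Service2");
-const query = `SELECT * from Entity1 where ID = ${id}`; // SAFE: tagged template expression
-Service2.run(query);
+const query = `SELECT * from Entity1 where ID = ${id}`;
+Service2.run(query); // UNSAFE: direct interpolation in a template literal
 });
 
 /* ========== 9. Service1 running query on Service2 using `Service2.tx( tx => tx.run(...) )` and friends ========== */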
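Review bot: The relocated label on send53's sink line (new line 350) still reads `// UNSAFE: direct concatenation with \`+\``, but the query on the line above is built with `${id}` interpolation inside `cds.ql(...)`, not with `+`; the sibling cases send63 and send73 label the same pattern `// UNSAFE: direct interpolation in a template literal`, and send83 was corrected to that wording in this same commit, so send53 should read the same for the expected-results file to stay consistent. In the same hunk, the handler at line 339 registers `this.on("send51", ...)` a second time while its neighbours are numbered send51, send53, send54, which looks like it was meant to be `send52`; registering two handlers under one event name may make it ambiguous which case a query result refers to. Both handlers sit entirely inside the hunk, but the enclosing class `Service1` starts and ends outside it.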
