Merge branch 'knewbury01/cds-util-path-traversal-query' of https://github.com/advanced-security/codeql-sap-js into knewbury01/cds-util-path-traversal-query

Author: knewbury01

javascript/frameworks/cap/ext/qlpack.yml

@@ -1,6 +1,6 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-models
-version: 2.0.0
+version: 2.1.0
 extensionTargets:
   codeql/javascript-all: "^2.4.0"

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll

@@ -22,6 +22,10 @@ class CdsLogger extends MethodCallNode {
   string getName() { result = name }
 }
 
+/**
+ * A template literal that is not interpolated. It is basically a string literal
+ * defined in backticks (\`\`).
+ */
 class ConstantOnlyTemplateLiteral extends TemplateLiteral {
   ConstantOnlyTemplateLiteral() {
     forall(Expr e | e = this.getAnElement() | e instanceof TemplateElement)
@@ -51,9 +55,26 @@ module CAPLogInjectionConfiguration implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
+    /*
+     * This predicate includes cases such as:
+     * 1. A CDS entity element lacking a type annotation.
+     *   - Possibly because it relies on a common aspect.
+     * 2. A CDS entity element annotated with a non-string type listed above.
+     *
+     * Therefore, the data held by the handler parameter data (e.g. `req.data.X`)
+     * has to be EXPLICITLY annotated as `String` or `LargeString` to be excluded
+     * from the next condition.
+     */
+
     exists(HandlerParameterData handlerParameterData |
       node = handlerParameterData and
-      not handlerParameterData.getType() = ["cds.String", "cds.LargeString"]
+      /* Note the use of `.. != ..` instead of `not .. = ..` below. */
+      exists(string handlerParameterDataType |
+        handlerParameterDataType = handlerParameterData.getType()
+      |
+        handlerParameterDataType != "cds.String" and
+        handlerParameterDataType != "cds.LargeString"
+      )
     )
   }
 

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -177,7 +177,27 @@ class ServiceInstanceFromConstructor extends ServiceInstance {
 }
 
 /**
- * A read to `this` variable which represents the service whose definition encloses this variable access.
+ * A read to `this` variable which represents the service whose definition encloses
+ * this variable access.
+ * e.g.1. Given this code:
+ * ``` javascript
+ * const cds = require("@sap/cds");
+ * module.exports = class SomeService extends cds.ApplicationService {
+ *   init() {
+ *     this.on("SomeEvent", (req) => { ... } )
+ *   }
+ * }
+ * ```
+ * This class captures the access to the `this` variable as in `this.on(...)`.
+ *
+ * e.g.2. Given this code:
+ * ``` javascript
+ * const cds = require('@sap/cds');
+ * module.exports = cds.service.impl (function() {
+ *   this.on("SomeEvent", (req) => { ... })
+ * })
+ * ```
+ * This class captures the access to the `this` variable as in `this.on(...)`.
  */
 class ServiceInstanceFromThisNode extends ServiceInstance, ThisNode {
   UserDefinedApplicationService userDefinedApplicationService;
@@ -294,12 +314,56 @@ class DbServiceInstanceFromCdsConnectTo extends ServiceInstanceFromCdsConnectTo,
   override UserDefinedApplicationService getDefinition() { none() }
 }
 
+/**
+ * The 0-th parameter of an exported closure that represents the service being implemented. e.g.
+ * ``` javascript
+ * const cds = require('@sap/cds')
+ * module.exports = (srv) => {
+ *   srv.on("SomeEvent1", (req) => { ... })
+ * }
+ * ```
+ * This class captures the `srv` parameter of the exported arrow function. Also see
+ * `ServiceInstanceFromImplMethodCallClosureParameter` which is similar to this.
+ */
+class ServiceInstanceFromExportedClosureParameter extends ServiceInstance, ParameterNode {
+  ExportedClosureApplicationServiceDefinition exportedClosure;
+
+  ServiceInstanceFromExportedClosureParameter() { this = exportedClosure.getParameter(0) }
+
+  override UserDefinedApplicationService getDefinition() { result = exportedClosure }
+}
+
+/**
+ * The 0-th parameter of a callback (usually an arrow function) passed to `cds.service.impl` that
+ * represents the service being implemented. e.g.
+ * ``` javascript
+ * const cds = require('@sap/cds')
+ * module.exports = cds.service.impl((srv) => {
+ *   srv.on("SomeEvent1", (req) => { ... })
+ * })
+ * ```
+ * This class captures the `srv` parameter of the exported arrow function. Also see
+ * `ServiceInstanceFromExportedClosureParameter` which is similar to this.
+ */
+class ServiceInstanceFromImplMethodCallClosureParameter extends ServiceInstance, ParameterNode {
+  ImplMethodCallApplicationServiceDefinition implMethodCallApplicationServiceDefinition;
+
+  ServiceInstanceFromImplMethodCallClosureParameter() {
+    this = implMethodCallApplicationServiceDefinition.getInitFunction().getParameter(0)
+  }
+
+  override UserDefinedApplicationService getDefinition() {
+    result = implMethodCallApplicationServiceDefinition
+  }
+}
+
 /**
  * A call to `before`, `on`, or `after` on an `cds.ApplicationService`.
  * It registers an handler to be executed when an event is fired,
  * to do something with the incoming request or event as its parameter.
  */
 class HandlerRegistration extends MethodCallNode {
+  /** The instance of the service a handler is registered on. */
   ServiceInstance srv;
   string methodName;
 
@@ -308,6 +372,9 @@ class HandlerRegistration extends MethodCallNode {
     methodName = ["before", "on", "after"]
   }
 
+  /**
+   * Gets the instance of the service a handler is registered on.
+   */
   ServiceInstance getService() { result = srv }
 
   /**
@@ -347,7 +414,7 @@ class HandlerRegistration extends MethodCallNode {
 
 /**
  * The first parameter of a handler, representing the request object received either directly
- * from a user, or from another service that may be internal (defined in the same application) 
+ * from a user, or from another service that may be internal (defined in the same application)
  * or external (defined in another application, or even served from a different server).
  * e.g.
  * ``` javascript
@@ -356,14 +423,15 @@ class HandlerRegistration extends MethodCallNode {
  *   this.before("SomeEvent", "SomeEntity", (req, next) => { ... });
  *   this.after("SomeEvent", "SomeEntity", (req, next) => { ... });
  * }
- * ``` 
- * All parameters named `req` above are captured. Also see `HandlerParameterOfExposedService`
+ * ```
+ * All parameters named `req` above are captured. Also see
+ * `RemoteflowSources::HandlerParameterOfExposedService`
  * for a subset of this class that is only about handlers exposed to some protocol.
  */
 class HandlerParameter extends ParameterNode {
   Handler handler;
 
-  HandlerParameter() { this = handler.getParameter(0) }
+  HandlerParameter() { this = isHandlerParameter(handler) }
 
   Handler getHandler() { result = handler }
 }
@@ -506,7 +574,7 @@ abstract class UserDefinedApplicationService extends UserDefinedService {
   /**
    * Holds if this service supports access from the outside through any kind of protocol.
    */
-  predicate isExposed() { not this.isInternal() }
+  predicate isExposed() { exists(this.getCdsDeclaration()) and not this.isInternal() }
 
   /**
    * Holds if this service does not support access from the outside through any kind of protocol, thus being internal only.
@@ -539,9 +607,21 @@ class ES6ApplicationServiceDefinition extends ClassNode, UserDefinedApplicationS
 
 /**
  * Subclassing `cds.ApplicationService` via a call to `cds.service.impl`.
- * ```js
+ * e.g.1. Given this code:
+ * ``` javascript
+ * const cds = require('@sap/cds')
+ * module.exports = cds.service.impl (function() {
+ *   this.on("SomeEvent1", (req) => { ... })
+ * })
+ * ```
+ * This class captures the call `cds.service.impl (function() { ... })`.
+ *
+ * e.g.2. Given this code:
+ * ``` javascript
  * const cds = require('@sap/cds')
- * module.exports = cds.service.impl (function() { ... })
+ * module.exports = cds.service.impl ((srv) => {
+ *   srv.on("SomeEvent1", (req) => { ... })
+ * })
  * ```
  */
 class ImplMethodCallApplicationServiceDefinition extends MethodCallNode,
@@ -554,6 +634,40 @@ class ImplMethodCallApplicationServiceDefinition extends MethodCallNode,
   override FunctionNode getInitFunction() { result = this.getArgument(0) }
 }
 
+/**
+ * A user-defined application service that comes in a form of an exported
+ * closure. e.g. Given the below code,
+ * ``` javascript
+ * const cds = require("@sap/cds");
+ *
+ * module.exports = (srv) => {
+ *   srv.before("SomeEvent1", "SomeEntity", (req, res) => { ... })
+ *   srv.on("SomeEvent2", (req) => { ... } )
+ *   srv.after("SomeEvent3", (req) => { ... } )
+ * }
+ * ```
+ * This class captures the entire `(srv) => { ... }` function that is
+ * exported.
+ */
+class ExportedClosureApplicationServiceDefinition extends FunctionNode,
+  UserDefinedApplicationService
+{
+  ExportedClosureApplicationServiceDefinition() {
+    /*
+     * ==================== HACK ====================
+     * See issue #221.
+     */
+
+    exists(PropWrite moduleExports |
+      moduleExports.getBase().asExpr().(VarAccess).getName() = "module" and
+      moduleExports.getPropertyName() = "exports" and
+      this = moduleExports.getRhs()
+    )
+  }
+
+  override FunctionNode getInitFunction() { result = this }
+}
+
 abstract class InterServiceCommunicationMethodCall extends MethodCallNode {
   string name;
   ServiceInstance recipient;

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll

@@ -30,7 +30,9 @@ class HandlerParameterOfExposedService extends HandlerParameter {
      * is known.
      */
 
-    not exists(this.getHandler().getHandlerRegistration().getService().getDefinition())
+    not exists(
+      this.getHandler().getHandlerRegistration().getService().getDefinition().getCdsDeclaration()
+    )
   }
 }
 
@@ -54,7 +56,9 @@ class UserProvidedPropertyReadOfHandlerParameterOfExposedService extends RemoteF
 
   UserProvidedPropertyReadOfHandlerParameterOfExposedService() {
     /* 1. `req.(data|params|headers|id)` */
-    this = handlerParameterOfExposedService.getAPropertyRead(["data", "params", "headers", "id"])
+    this =
+      handlerParameterOfExposedService
+          .getAPropertyRead(["data", "params", "headers", "id", "_queryOptions"])
     or
     /* 2. APIs stemming from `req.http.req`: Defined by Express.js */
     exists(PropRead reqHttpReq |

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/TypeTrackers.qll

@@ -39,3 +39,12 @@ private SourceNode cdsApplicationServiceInstantiation(TypeTracker t) {
 SourceNode cdsApplicationServiceInstantiation() {
   result = cdsApplicationServiceInstantiation(TypeTracker::end())
 }
+
+private SourceNode isHandlerParameter(TypeTracker t, Handler handler) {
+  result = handler.getParameter(0) or
+  exists(TypeTracker t2 | result = isHandlerParameter(t, handler).track(t2, t))
+}
+
+SourceNode isHandlerParameter(Handler handler) {
+  result = isHandlerParameter(TypeTracker::end(), handler)
+}

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.2
+    version: 0.0.3
   codeql/dataflow:
-    version: 2.0.12
+    version: 2.0.13
   codeql/javascript-all:
-    version: 2.6.8
+    version: 2.6.9
   codeql/mad:
-    version: 1.0.28
+    version: 1.0.29
   codeql/regex:
-    version: 1.0.28
+    version: 1.0.29
   codeql/ssa:
-    version: 2.0.4
+    version: 2.0.5
   codeql/threat-models:
-    version: 1.0.28
+    version: 1.0.29
   codeql/tutorial:
-    version: 1.0.28
+    version: 1.0.29
   codeql/typetracking:
-    version: 2.0.12
+    version: 2.0.13
   codeql/util:
-    version: 2.0.15
+    version: 2.0.16
   codeql/xml:
-    version: 1.0.28
+    version: 1.0.29
   codeql/yaml:
-    version: 1.0.28
+    version: 1.0.29
 compiled: false

javascript/frameworks/cap/lib/qlpack.yml

@@ -1,7 +1,7 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-all
-version: 2.0.0
+version: 2.1.0
 suites: codeql-suites
 extractor: javascript
 dependencies:

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.2
+    version: 0.0.3
   codeql/dataflow:
-    version: 2.0.12
+    version: 2.0.13
   codeql/javascript-all:
-    version: 2.6.8
+    version: 2.6.9
   codeql/mad:
-    version: 1.0.28
+    version: 1.0.29
   codeql/regex:
-    version: 1.0.28
+    version: 1.0.29
   codeql/ssa:
-    version: 2.0.4
+    version: 2.0.5
   codeql/threat-models:
-    version: 1.0.28
+    version: 1.0.29
   codeql/tutorial:
-    version: 1.0.28
+    version: 1.0.29
   codeql/typetracking:
-    version: 2.0.12
+    version: 2.0.13
   codeql/util:
-    version: 2.0.15
+    version: 2.0.16
   codeql/xml:
-    version: 1.0.28
+    version: 1.0.29
   codeql/yaml:
-    version: 1.0.28
+    version: 1.0.29
 compiled: false

javascript/frameworks/cap/src/qlpack.yml

@@ -1,11 +1,11 @@
 ---
 library: false
 name: advanced-security/javascript-sap-cap-queries
-version: 2.0.0
+version: 2.1.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
   codeql/javascript-all: "^2.4.0"
-  advanced-security/javascript-sap-cap-models: "^2.0.0"
-  advanced-security/javascript-sap-cap-all: "^2.0.0"
+  advanced-security/javascript-sap-cap-models: "^2.1.0"
+  advanced-security/javascript-sap-cap-all: "^2.1.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls