Remove redundant files and add cases

- `service3nocds.js` had a service that was named differently. Clarified the gist of the file using tags.
- `service4.js` was identical to `service3nocds.js`, except for the `cds.serve` call. This is better suited for `server.js`.
- Since `HandlerParameterOfExposedService` is no longer a `RemoteFlowSource`, we place another query for testing it only.
- The case categorization is as follows:
  - `service1`: Exposed service with reads from properties and method calls, some of which are tainted and not tainted.
  - `service2`: Service that both receives data from service1 and service4 but does not propagate it further.
  - `service3`: Service without a CDS declaration, simulating extraction failure. Should be recognized as exposed, from overapproximation. Consists of identical property reads / method calls as those of `service1`.
  - `service4`: Service that is explicitly declared as internal only. Consists of identical property reads / method calls as those of `service1`, but is not a taint source from being unexposed.

Author: jeongsoolee09

javascript/frameworks/cap/test/models/cds/remoteflowsources/ExposedServices.ql

@@ -0,0 +1,5 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+
+from HandlerParameterOfExposedService handlerParameterOfExposedService
+select handlerParameterOfExposedService

javascript/frameworks/cap/test/models/cds/remoteflowsources/server.js

@@ -2,3 +2,7 @@ const cds = require("@sap/cds");
 const app = require("express")();
 
 cds.serve("all").in(app);
+
+cds.serve('./some-service').with((srv) => {
+  srv.before('READ', 'Books', (req) => req.reply([])) // SAFE: Exposed service (fallback), but not a taint source
+})

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service1.js

@@ -4,7 +4,65 @@ const cds = require("@sap/cds");
 module.exports = class Service1 extends cds.ApplicationService {
   init() {
     this.on("send1", async (req) => {
-      const { messageToPass } = req.data;
+      const { messageToPass } = req.data;  // UNSAFE: Taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send2", async (req) => {
+      const [ messageToPass ] = req.params;  // UNSAFE: Taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send3", async (req) => {
+      const messageToPass = req.headers["user-agent"];  // UNSAFE: Taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send4", async (req) => {
+      const messageToPass1 = req.http.req.query.someProp;  // UNSAFE: Taint source, Exposed service
+      const messageToPass2 = req.http.req.body.someProp;  // UNSAFE: Taint source, Exposed service
+      const messageToPass3 = req.http.req.params.someProp;  // UNSAFE: Taint source, Exposed service
+      const messageToPass4 = req.http.req.headers.someProp;  // UNSAFE: Taint source, Exposed service
+      const messageToPass5 = req.http.req.cookies.someProp;  // UNSAFE: Taint source, Exposed service
+      const messageToPass6 = req.http.req.originalUrl;  // UNSAFE: Taint source, Exposed service
+      const messageToPass7 = req.http.req.hostname;  // UNSAFE: Taint source, Exposed service
+      const messageToPass8 = req.http.req.get("someProp");  // UNSAFE: Taint source, Exposed service
+      const messageToPass9 = req.http.req.is("someProp");  // UNSAFE: Taint source, Exposed service
+      const messageToPass10 = req.http.req.header("someProp");  // UNSAFE: Taint source, Exposed service
+      const messageToPass11 = req.http.req.param("someProp");  // UNSAFE: Taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");  // UNSAFE: Taint source, Exposed service
+      Service2.send("send2", { messageToPass1 });
+    });
+
+    this.on("send5", async (req) => {
+      const messageToPass = req.id;  // UNSAFE: Taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send6", async (req) => {
+      const messageToPass = req.locale;  // SAFE: Not a taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send7", async (req) => {
+      const messageToPass = req.tenant;  // SAFE: Not a taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send8", async (req) => {
+      const messageToPass = req.timestamp;  // SAFE: Not a taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send9", async (req) => {
+      const messageToPass = req.user;  // SAFE: Not a taint source, Exposed service
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service2.cds

@@ -1,12 +1,8 @@
 using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
 
-/* Uncomment the line below to make the service hidden */
-// @protocol: 'none'
 service Service2 @(path: '/service-2') {
-  /* Entity to send READ/GET about. */
   entity Service2Entity as projection on db_schema.Entity2 excluding { Attribute4 }
 
-  /* API to talk to Service2. */
   action send2 (
     messageToPass: String
   ) returns String;

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service2.js

@@ -1,10 +1,8 @@
 const cds = require("@sap/cds");
 
 module.exports = cds.service.impl(function () {
-  /* Log upon receiving an "send2" event. */
   this.on("send2", async (msg) => {
-    const { messageToPass } = msg.data;
-    /* Do something with the received data; customize below to individual needs. */
+    const { messageToPass } = msg.data;  // UNSAFE: Taint source, Exposed service
     const doSomething = console.log;
     doSomething(messageToPass);
   });

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service3.js

@@ -0,0 +1,71 @@
+// This service unit test is a replica of requesthandler.js 
+const cds = require("@sap/cds");
+class Service3 extends cds.ApplicationService {
+  init() {
+    this.on("send1", async (req) => {
+      const { messageToPass } = req.data;  // UNSAFE: Taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send2", async (req) => {
+      const [ messageToPass ] = req.params;  // UNSAFE: Taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send3", async (req) => {
+      const messageToPass = req.headers["user-agent"];  // UNSAFE: Taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send4", async (req) => {
+      const messageToPass1 = req.http.req.query.someProp;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass2 = req.http.req.body.someProp;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass3 = req.http.req.params.someProp;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass4 = req.http.req.headers.someProp;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass5 = req.http.req.cookies.someProp;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass6 = req.http.req.originalUrl;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass7 = req.http.req.hostname;  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass8 = req.http.req.get("someProp");  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass9 = req.http.req.is("someProp");  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass10 = req.http.req.header("someProp");  // UNSAFE: Taint source, Exposed service (fallback)
+      const messageToPass11 = req.http.req.param("someProp");  // UNSAFE: Taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");  // UNSAFE: Taint source, Exposed service (fallback)
+      Service2.send("send2", { messageToPass1 });
+    });
+
+    this.on("send5", async (req) => {
+      const messageToPass = req.id;  // UNSAFE: Taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send6", async (req) => {
+      const messageToPass = req.locale;  // SAFE: Not a taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send7", async (req) => {
+      const messageToPass = req.tenant;  // SAFE: Not a taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send8", async (req) => {
+      const messageToPass = req.timestamp;  // SAFE: Not a taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send9", async (req) => {
+      const messageToPass = req.user;  // SAFE: Not a taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    return super.init()
+  }
+}

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service3nocds.js

@@ -1,10 +1,9 @@
 using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
 
+@protocol: 'none' // NOTE: This service is internal use only.
 service Service4 @(path: '/service-4') {
-  /* Entity to send READ/GET about. */
   entity Service4Entity as projection on db_schema.Entity4 excluding { Attribute4 }
 
-  /* API to talk to other services. */
   action send4 (
     messageToPass: String
   ) returns String;

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service4.cds

@@ -0,0 +1,45 @@
+const cds = require("@sap/cds");
+
+module.exports = class Service5 extends cds.ApplicationService {
+  init() {
+    this.on("send1", async (req) => {
+      const { messageToPass } = req.data;  // SAFE: Unexposed service, not a taint source
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send2", async (req) => {
+      const [ messageToPass ] = req.params;  // SAFE: Unexposed service, not a taint source
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send3", async (req) => {
+      const messageToPass = req.headers["user-agent"];  // SAFE: Unexposed service, not a taint source
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send4", async (req) => {
+      const messageToPass1 = req.http.req.query.someProp;  // SAFE: Unexposed service, not a taint source
+      const messageToPass2 = req.http.req.body.someProp;  // SAFE: Unexposed service, not a taint source
+      const messageToPass3 = req.http.req.params.someProp;  // SAFE: Unexposed service, not a taint source
+      const messageToPass4 = req.http.req.headers.someProp;  // SAFE: Unexposed service, not a taint source
+      const messageToPass5 = req.http.req.cookies.someProp;  // SAFE: Unexposed service, not a taint source
+      const messageToPass6 = req.http.req.originalUrl;  // SAFE: Unexposed service, not a taint source
+      const messageToPass7 = req.http.req.hostname;  // SAFE: Unexposed service, not a taint source
+      const messageToPass8 = req.http.req.get("someProp");  // SAFE: Unexposed service, not a taint source
+      const messageToPass9 = req.http.req.is("someProp");  // SAFE: Unexposed service, not a taint source
+      const messageToPass10 = req.http.req.header("someProp");  // SAFE: Unexposed service, not a taint source
+      const messageToPass11 = req.http.req.param("someProp");  // SAFE: Unexposed service, not a taint source
+      const Service2 = await cds.connect.to("service-2");  // SAFE: Unexposed service, not a taint source
+      Service2.send("send2", { messageToPass1 });
+    });
+
+    this.on("send5", async (req) => {
+      const messageToPass = req.id;  // SAFE: Unexposed service, not a taint source
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+  }
+};