
Commit 7958a80

committed
Make HandlerParameter extend ParameterNode
1 parent 81fa051 commit 7958a80


2 files changed

+16
-6
lines changed

2 files changed

+16
-6
lines changed

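--- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll
+++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll
@@ -346,16 +346,26 @@ class HandlerRegistration extends MethodCallNode {
 }
 
 /**
-* A parameter of a handler
+* The first parameter of a handler, representing the request object received either directly
+* from a user, or from another service that may be internal (defined in the same application)
+* or external (defined in another application, or even served from a different server).
+* e.g.
+* ``` javascript
+* module.exports = class Service1 extends cds.ApplicationService {
+* this.on("SomeEvent", "SomeEntity", (req) => { ... });
+* this.before("SomeEvent", "SomeEntity", (req, next) => { ... });
+* this.after("SomeEvent", "SomeEntity", (req, next) => { ... });
+* }
+* ```
+* All parameters named `req` above are captured. Also see `HandlerParameterOfExposedService`
+* for a subset of this class that is only about handlers exposed to some protocol.
 */
-class HandlerParameter instanceof ParameterNode {
+class HandlerParameter extends ParameterNode {
 Handler handler;
 
 HandlerParameter() { this = handler.getParameter(0) }
 
 Handler getHandler() { result = handler }
-
-string toString() { result = super.toString() }
 }
 
 /**
@@ -832,7 +842,7 @@ class HandlerParameterData instanceof PropRead {
 string dataName;
 
 HandlerParameterData() {
-this = handlerParameter.(SourceNode).getAPropertyRead("data").getAPropertyRead(dataName)
+this = handlerParameter.getAPropertyRead("data").getAPropertyRead(dataName)
 }
 
 /**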
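Review bot: The new doc comment on `HandlerParameter` describes parameter 0 as the request object for all three registration kinds, but in CAP an `after` handler is normally invoked with the result data first and the request second, so for `this.after(...)` the node picked by `handler.getParameter(0)` would be the results rather than `req`. Whether `Handler` includes `after` registrations is defined outside this hunk and should be confirmed. If it does, the comment should say so, or the example line should read `this.after("SomeEvent", "SomeEntity", (results, req) => { ... });`, because this class feeds the untrusted-input modelling in RemoteFlowSources.qll and a wrong parameter index silently changes what is treated as tainted. The example also puts the `this.on(...)` calls directly in the class body; wrapping them in `init() { ... }` would make the snippet valid JavaScript.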

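--- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
+++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
@@ -20,7 +20,7 @@ import advanced_security.javascript.frameworks.cap.CDS
 * logic falls back on overapproximating on the parameters and assume they are
 * exposed.
 */
-class HandlerParameterOfExposedService extends RemoteFlowSource, HandlerParameter {
+class HandlerParameterOfExposedService extends HandlerParameter {
 HandlerParameterOfExposedService() {
 /* 1. The CDS definition is there and we can determine it is exposed. */
 this.getHandler().getHandlerRegistration().getService().getDefinition().isExposed()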
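Review bot: Dropping `RemoteFlowSource` from the `extends` list of `HandlerParameterOfExposedService` means that, as far as this hunk shows, the class no longer contributes members to `RemoteFlowSource`, so any taint query whose sources are `RemoteFlowSource` would stop seeing requests to exposed CAP handlers and would report fewer results without any error. If the removal was only needed to resolve a conflict after `HandlerParameter` began extending `ParameterNode`, keeping both supertypes, `class HandlerParameterOfExposedService extends HandlerParameter, RemoteFlowSource {`, preserves the source. If the registration has moved elsewhere, a comment here naming that place would help, for example `// registered as a RemoteFlowSource by <class name>`. The class body continues outside the hunk, so a separate source class or a `getSourceType()` override may exist there. A query test asserting that a `req.data` read in an exposed service is still flagged would confirm the behaviour.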
