Enhance remote flow sources for CAP

add test cases to cover cap event handler
registrations that were previously missing
add remote flow source type to cover more cases
of event handler registration

Author: knewbury01

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -60,13 +60,14 @@ class CdsServeCall extends DataFlow::CallNode {
 
   Expr getServiceRepresentation() { result = serviceRepresentation }
 
-  UserDefinedApplicationService getServiceDefinition() {
+  ServiceInstance getServiceDefinition() {
     /* 1. The argument to cds.serve is "all" */
     this.getServiceRepresentation().getStringValue() = "all" and
     result = any(UserDefinedApplicationService service)
     or
     /* 2. The argument to cds.serve is a name of the service */
-    result.getUnqualifiedName() = this.getServiceRepresentation().getStringValue()
+    result.(UserDefinedApplicationService).getUnqualifiedName() =
+      this.getServiceRepresentation().getStringValue()
     or
     /* 3. The argument to cds.serve is a name by which the service is required */
     exists(RequiredService requiredService |
@@ -217,27 +218,28 @@ class CdsServeWithCall extends MethodCallNode {
  */
 class ServiceInstanceFromServeWithParameter extends ServiceInstance {
   CdsServeCall cdsServe;
+  CdsServeWithCall cdsServeWith;
 
   ServiceInstanceFromServeWithParameter() {
-    exists(CdsServeWithCall cdsServeWith |
-      /*
-       * cds.serve('./srv/some-service1').with ((srv) => {  // Parameter `srv` is captured.
-       *   srv.on ('READ','SomeEntity1', (req) => req.reply([...]))
-       * })
-       */
+    /*
+     * cds.serve('./srv/some-service1').with ((srv) => {  // Parameter `srv` is captured.
+     *   srv.on ('READ','SomeEntity1', (req) => req.reply([...]))
+     * })
+     */
 
-      this.(ThisNode).getBinder().asExpr() = cdsServeWith.getDecorator().(FunctionExpr)
-      or
-      /*
-       * cds.serve('./srv/some-service2').with (function() {  // Parameter `this` is captured.
-       *   this.on ('READ','SomeEntity2', (req) => req.reply([...]))
-       * })
-       */
+    this.(ThisNode).getBinder().asExpr() = cdsServeWith.getDecorator().(FunctionExpr)
+    or
+    /*
+     * cds.serve('./srv/some-service2').with (function() {  // Parameter `this` is captured.
+     *   this.on ('READ','SomeEntity2', (req) => req.reply([...]))
+     * })
+     */
 
-      this = cdsServeWith.getDecorator().(ArrowFunctionExpr).getParameter(0).flow()
-    )
+    this = cdsServeWith.getDecorator().(ArrowFunctionExpr).getParameter(0).flow()
   }
 
+  HandlerRegistration getAHandlerRegistration() { result = cdsServeWith.getAHandlerRegistration() }
+
   override UserDefinedApplicationService getDefinition() {
     /* 1. The argument to cds.serve is "all" */
     cdsServe.getServiceRepresentation().getStringValue() = "all" and

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll

@@ -10,6 +10,8 @@ import advanced_security.javascript.frameworks.cap.CDS
  * SomeService.after("SomeEvent", "SomeEntity", (msg) => { ... });
  * ```
  * All the parameters named `req` and `msg` are captured in the above example.
+ *
+ * REQUIRES that a `UserDefinedApplicationService` is explicitly defined
  */
 class HandlerParameter extends ParameterNode, RemoteFlowSource {
   Handler handler;
@@ -49,9 +51,11 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
  * }
  * ```
  * parameters named `req` are captured in the above example.
+ *
+ * REQUIRES that a cds file has compiled AND that a service name is explicitly provided in the handler registration
  */
-class ServiceinCDSHandlerParameter extends ParameterNode, RemoteFlowSource {
-  ServiceinCDSHandlerParameter() {
+class ServiceinCDSHandlerParameterWithName extends ParameterNode, RemoteFlowSource {
+  ServiceinCDSHandlerParameterWithName() {
     exists(MethodCallNode m, CdlEntity entity, string entityName |
       entity.getName().regexpReplaceAll(".*\\.", "") = entityName and
       m.getArgument(1).asExpr().getStringValue().regexpReplaceAll("'", "") = entityName and
@@ -64,3 +68,46 @@ class ServiceinCDSHandlerParameter extends ParameterNode, RemoteFlowSource {
     result = "Parameter of an event handler belonging to an exposed service defined in a cds file"
   }
 }
+
+/**
+ * A parameter of a handler registered for a service on an event. e.g.
+ * ```javascript
+ * cds.serve('./test-service').with((srv) => {
+ *  srv.before('READ', '*', (req) => req.reply([]))
+ * })
+ * ```
+ * The parameter named `req` is captured in the above example.
+ *
+ * DOES NOT REQUIRE that a `UserDefinedApplicationService` is explicitly defined
+ * DOES NOT REQUIRE that the name is provided explicitly
+ */
+class HandlerParameterImplicitService extends ParameterNode, RemoteFlowSource {
+  Handler handler;
+  HandlerRegistration handlerRegistration;
+
+  HandlerParameterImplicitService() {
+    exists(ServiceInstanceFromServeWithParameter service |
+      handler = handlerRegistration.getHandler() and
+      this = handler.getParameter(0) and
+      service.getAHandlerRegistration() = handlerRegistration and
+      //this will otherwise duplicate on the case where we do actually know the
+      //name from the cds file and it matches up
+      //only relevant if you are using the specific type anyhow (as opposed to RemoteFlowSource)
+      not this instanceof ServiceinCDSHandlerParameterWithName
+    )
+  }
+
+  override string getSourceType() {
+    result = "Parameter of an event handler belonging to an implicitly defined service"
+  }
+
+  /**
+   * Gets the handler this is a parameter of.
+   */
+  Handler getHandler() { result = handler }
+
+  /**
+   * Gets the handler registration registering the handler it is a parameter of.
+   */
+  HandlerRegistration getHandlerRegistration() { result = handlerRegistration }
+}

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql

@@ -2,4 +2,4 @@ import javascript
 import advanced_security.javascript.frameworks.cap.RemoteFlowSources
 
 from RemoteFlowSource source
-select source
+select source

javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service3nocds.js

@@ -0,0 +1,24 @@
+//this service unit test is a replica of requesthandler.js 
+const cds = require("@sap/cds");
+class BooksService extends cds.ApplicationService {
+    init() {
+        const { Books, Authors } = this.entities
+        this.on('READ', [Books, Authors], req => req.target.data) //req
+        this.on('UPDATE', Books, req => { //req
+            let [ID] = req.params
+            return Object.assign(Books.data[ID], req.data)
+        })
+        this.after('READ', req => req.target.data) //req
+        this.before('*', req => req.target.data) //req
+        return super.init()
+    }
+}
+module.exports = BooksService
+
+cds.serve('./test-service').with((srv) => {
+    srv.before('READ', 'Books', (req) => req.reply([])) //req
+})
+
+cds.serve('./test-service').with((srv) => {
+    srv.before('READ', 'Test', (req) => req.reply([])) //req
+})

javascript/frameworks/cap/test/models/cds/requesthandler/requesthandler.js

@@ -7,6 +7,8 @@ class BooksService extends cds.ApplicationService {
             let [ID] = req.params
             return Object.assign(Books.data[ID], req.data)
         })
+        this.after('READ', req => req.target.data)
+        this.before('*', req => req.target.data)
         return super.init()
     }
 }