Cover all cases in the current CQL injection test

jeongsoolee09 · jeongsoolee09 · commit 89522d0f2bdc · 2025-06-24T13:25:43.000-04:00
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll
@@ -66,14 +66,48 @@ class CqlInjectionConfiguration extends TaintTracking::Configuration {
   override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
 
   override predicate isAdditionalTaintStep(DataFlow::Node start, DataFlow::Node end) {
+    /*
+     * 1.
+     */
+
     exists(CqlClauseParserCallWithStringConcat cqlParseCallWithStringConcat |
       start = cqlParseCallWithStringConcat.(CqlClauseParserCall).getAnArgument() and
       end = cqlParseCallWithStringConcat
     )
     or
+    /*
+     * 2. Jump from a query parameter to the CQL query clause itself. e.g. Given below code:
+     *
+     * ``` javascript
+     * await SELECT.from(Service1Entity).where("ID=" + id);
+     * ```
+     *
+     * This step jumps from `id` in the call to `where` to the entire SELECT clause.
+     */
+
     exists(CqlClause cqlClause |
       start = cqlClause.getArgument().flow() and
       end = cqlClause.flow()
     )
+    or
+    /*
+     * 3. In case of INSERT and UPSERT, jump from an object write to a query parameter to the argument itself.
+     * e.g. Given below code:
+     *
+     * ``` javascript
+     * await INSERT.into(Service1Entity).entries({ id: "" + id });
+     * ```
+     *
+     * This step jumps from `id` in the property value expression to the enclosing object `{ id: "" + id }`.
+     * This in conjunction with the above step 2 will make the taint tracker jump from `id` to the entire
+     * INSERT clause.
+     */
+
+    exists(CqlClause cqlClause, PropWrite propWrite |
+      (cqlClause instanceof CqlInsertClause or cqlClause instanceof CqlUpsertClause) and
+      cqlClause.getArgument().flow() = propWrite.getBase() and
+      start = propWrite.getRhs() and
+      end = propWrite.getBase()
+    )
   }
 }
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll
@@ -8,16 +8,18 @@ import advanced_security.javascript.frameworks.cap.CDS
  */
 class CqlQueryBase extends VarRef {
   CqlQueryBase() {
-    exists(string name |
-      this.getName() = name and
-      name in ["SELECT", "INSERT", "DELETE", "UPDATE", "UPSERT"] and
-      (
-        /* Made available as a global variable */
-        exists(GlobalVariable queryBase | this = queryBase.getAReference())
-        or
-        /* Imported from `cds.ql` */
-        exists(CdsFacade cds |
-          cds.getMember("ql").getMember(name).getAValueReachableFromSource().asExpr() = this
+    exists(VarRef varRef | this = varRef |
+      exists(string name |
+        varRef.getName() = name and
+        name in ["SELECT", "INSERT", "DELETE", "UPDATE", "UPSERT"] and
+        (
+          /* Made available as a global variable */
+          exists(GlobalVariable queryBase | this = queryBase.getAReference())
+          or
+          /* Imported from `cds.ql` */
+          exists(CdsFacade cds |
+            cds.getMember("ql").getMember(name).getAValueReachableFromSource().asExpr() = this
+          )
         )
       )
     )
@@ -107,6 +109,8 @@ class CqlClause extends TCqlClause {
 
   CallExpr asShortcutCall() { this = TShortcutCall(result) }
 
+  predicate isMethodCall() { this = TMethodCall(_) }
+
   Node flow() { result = this.asExpr().flow() }
 
   Expr asExpr() {
diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/old/cqlinjection.expected b/javascript/frameworks/cap/test/queries/cqlinjection/old/cqlinjection.expected
@@ -1,7 +1,6 @@
 WARNING: module 'PathGraph' has been deprecated and may be removed in future (CqlInjection.ql:14,8-27)
-WARNING: type 'Configuration' has been deprecated and may be removed in future (CqlInjection.ql:19,33-61)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,29-47)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,56-74)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:17,37-55)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:17,64-82)
 nodes
 | cqlinjection.js:7:34:7:36 | req |
 | cqlinjection.js:7:34:7:36 | req |
@@ -16,7 +15,8 @@ nodes
 | cqlinjection.js:12:50:12:53 | book |
 | cqlinjection.js:13:36:13:40 | query |
 | cqlinjection.js:13:36:13:40 | query |
-| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
+| cqlinjection.js:15:21:15:64 | await S ... book}`) |
+| cqlinjection.js:15:21:15:64 | await S ... book}`) |
 | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
 | cqlinjection.js:15:52:15:63 | `ID=${book}` |
 | cqlinjection.js:15:58:15:61 | book |
@@ -26,7 +26,8 @@ nodes
 | cqlinjection.js:17:53:17:56 | book |
 | cqlinjection.js:18:37:18:42 | query2 |
 | cqlinjection.js:18:37:18:42 | query2 |
-| cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
+| cqlinjection.js:20:21:20:64 | await S ... + book) |
+| cqlinjection.js:20:21:20:64 | await S ... + book) |
 | cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
 | cqlinjection.js:20:52:20:63 | 'ID=' + book |
 | cqlinjection.js:20:60:20:63 | book |
@@ -59,15 +60,17 @@ edges
 | cqlinjection.js:12:19:12:56 | SELECT. ... book}`) | cqlinjection.js:12:11:12:56 | query |
 | cqlinjection.js:12:44:12:55 | `ID=${book}` | cqlinjection.js:12:19:12:56 | SELECT. ... book}`) |
 | cqlinjection.js:12:50:12:53 | book | cqlinjection.js:12:44:12:55 | `ID=${book}` |
-| cqlinjection.js:15:52:15:63 | `ID=${book}` | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
+| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:15:21:15:64 | await S ... book}`) |
+| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:15:21:15:64 | await S ... book}`) |
 | cqlinjection.js:15:52:15:63 | `ID=${book}` | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
 | cqlinjection.js:15:58:15:61 | book | cqlinjection.js:15:52:15:63 | `ID=${book}` |
 | cqlinjection.js:17:11:17:57 | query2 | cqlinjection.js:18:37:18:42 | query2 |
 | cqlinjection.js:17:11:17:57 | query2 | cqlinjection.js:18:37:18:42 | query2 |
 | cqlinjection.js:17:20:17:57 | SELECT. ... + book) | cqlinjection.js:17:11:17:57 | query2 |
 | cqlinjection.js:17:45:17:56 | 'ID=' + book | cqlinjection.js:17:20:17:57 | SELECT. ... + book) |
 | cqlinjection.js:17:53:17:56 | book | cqlinjection.js:17:45:17:56 | 'ID=' + book |
-| cqlinjection.js:20:52:20:63 | 'ID=' + book | cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
+| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | cqlinjection.js:20:21:20:64 | await S ... + book) |
+| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | cqlinjection.js:20:21:20:64 | await S ... + book) |
 | cqlinjection.js:20:52:20:63 | 'ID=' + book | cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
 | cqlinjection.js:20:60:20:63 | book | cqlinjection.js:20:52:20:63 | 'ID=' + book |
 | cqlinjection.js:27:11:27:62 | cqn | cqlinjection.js:28:39:28:41 | cqn |
@@ -80,9 +83,9 @@ edges
 | cqlinjection.js:30:32:30:59 | `SELECT ...  + book | cqlinjection.js:30:18:30:60 | cds.par ... + book) |
 | cqlinjection.js:30:56:30:59 | book | cqlinjection.js:30:32:30:59 | `SELECT ...  + book |
 #select
-| cqlinjection.js:13:36:13:40 | query | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:13:36:13:40 | query | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:18:37:18:42 | query2 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:18:37:18:42 | query2 | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:20:27:20:64 | SELECT. ... + book) | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:28:39:28:41 | cqn | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:28:39:28:41 | cqn | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:31:39:31:42 | cqn1 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:31:39:31:42 | cqn1 | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:13:36:13:40 | query | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:13:36:13:40 | query | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:15:21:15:64 | await S ... book}`) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:15:21:15:64 | await S ... book}`) | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:18:37:18:42 | query2 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:18:37:18:42 | query2 | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:20:21:20:64 | await S ... + book) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:20:21:20:64 | await S ... + book) | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:28:39:28:41 | cqn | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:28:39:28:41 | cqn | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:31:39:31:42 | cqn1 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:31:39:31:42 | cqn1 | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
diff --git a/javascript/frameworks/cap/test/queries/old/cqlinjection.expected b/javascript/frameworks/cap/test/queries/old/cqlinjection.expected
@@ -1,7 +1,6 @@
 WARNING: module 'PathGraph' has been deprecated and may be removed in future (CqlInjection.ql:14,8-27)
-WARNING: type 'Configuration' has been deprecated and may be removed in future (CqlInjection.ql:19,33-61)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,29-47)
-WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,56-74)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:17,37-55)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:17,64-82)
 nodes
 | cqlinjection.js:7:34:7:36 | req |
 | cqlinjection.js:7:34:7:36 | req |
@@ -16,7 +15,8 @@ nodes
 | cqlinjection.js:12:50:12:53 | book |
 | cqlinjection.js:13:36:13:40 | query |
 | cqlinjection.js:13:36:13:40 | query |
-| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
+| cqlinjection.js:15:21:15:64 | await S ... book}`) |
+| cqlinjection.js:15:21:15:64 | await S ... book}`) |
 | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
 | cqlinjection.js:15:52:15:63 | `ID=${book}` |
 | cqlinjection.js:15:58:15:61 | book |
@@ -26,7 +26,8 @@ nodes
 | cqlinjection.js:17:53:17:56 | book |
 | cqlinjection.js:18:37:18:42 | query2 |
 | cqlinjection.js:18:37:18:42 | query2 |
-| cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
+| cqlinjection.js:20:21:20:64 | await S ... + book) |
+| cqlinjection.js:20:21:20:64 | await S ... + book) |
 | cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
 | cqlinjection.js:20:52:20:63 | 'ID=' + book |
 | cqlinjection.js:20:60:20:63 | book |
@@ -59,15 +60,17 @@ edges
 | cqlinjection.js:12:19:12:56 | SELECT. ... book}`) | cqlinjection.js:12:11:12:56 | query |
 | cqlinjection.js:12:44:12:55 | `ID=${book}` | cqlinjection.js:12:19:12:56 | SELECT. ... book}`) |
 | cqlinjection.js:12:50:12:53 | book | cqlinjection.js:12:44:12:55 | `ID=${book}` |
-| cqlinjection.js:15:52:15:63 | `ID=${book}` | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
+| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:15:21:15:64 | await S ... book}`) |
+| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:15:21:15:64 | await S ... book}`) |
 | cqlinjection.js:15:52:15:63 | `ID=${book}` | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) |
 | cqlinjection.js:15:58:15:61 | book | cqlinjection.js:15:52:15:63 | `ID=${book}` |
 | cqlinjection.js:17:11:17:57 | query2 | cqlinjection.js:18:37:18:42 | query2 |
 | cqlinjection.js:17:11:17:57 | query2 | cqlinjection.js:18:37:18:42 | query2 |
 | cqlinjection.js:17:20:17:57 | SELECT. ... + book) | cqlinjection.js:17:11:17:57 | query2 |
 | cqlinjection.js:17:45:17:56 | 'ID=' + book | cqlinjection.js:17:20:17:57 | SELECT. ... + book) |
 | cqlinjection.js:17:53:17:56 | book | cqlinjection.js:17:45:17:56 | 'ID=' + book |
-| cqlinjection.js:20:52:20:63 | 'ID=' + book | cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
+| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | cqlinjection.js:20:21:20:64 | await S ... + book) |
+| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | cqlinjection.js:20:21:20:64 | await S ... + book) |
 | cqlinjection.js:20:52:20:63 | 'ID=' + book | cqlinjection.js:20:27:20:64 | SELECT. ... + book) |
 | cqlinjection.js:20:60:20:63 | book | cqlinjection.js:20:52:20:63 | 'ID=' + book |
 | cqlinjection.js:27:11:27:62 | cqn | cqlinjection.js:28:39:28:41 | cqn |
@@ -80,9 +83,9 @@ edges
 | cqlinjection.js:30:32:30:59 | `SELECT ...  + book | cqlinjection.js:30:18:30:60 | cds.par ... + book) |
 | cqlinjection.js:30:56:30:59 | book | cqlinjection.js:30:32:30:59 | `SELECT ...  + book |
 #select
-| cqlinjection.js:13:36:13:40 | query | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:13:36:13:40 | query | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:15:27:15:64 | SELECT. ... book}`) | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:18:37:18:42 | query2 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:18:37:18:42 | query2 | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:20:27:20:64 | SELECT. ... + book) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:20:27:20:64 | SELECT. ... + book) | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:28:39:28:41 | cqn | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:28:39:28:41 | cqn | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
-| cqlinjection.js:31:39:31:42 | cqn1 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:31:39:31:42 | cqn1 | This query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:13:36:13:40 | query | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:13:36:13:40 | query | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:15:21:15:64 | await S ... book}`) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:15:21:15:64 | await S ... book}`) | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:18:37:18:42 | query2 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:18:37:18:42 | query2 | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:20:21:20:64 | await S ... + book) | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:20:21:20:64 | await S ... + book) | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:28:39:28:41 | cqn | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:28:39:28:41 | cqn | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
+| cqlinjection.js:31:39:31:42 | cqn1 | cqlinjection.js:7:34:7:36 | req | cqlinjection.js:31:39:31:42 | cqn1 | This CQL query depends on a $@. | cqlinjection.js:7:34:7:36 | req | user-provided value |
