Fix a regression in taintedclause

jeongsoolee09 · jeongsoolee09 · commit a391d34e3094 · 2025-06-24T16:08:38.000-04:00
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll
@@ -41,12 +41,13 @@ class CqlShortcutMethodCallWithStringConcat instanceof CqlShortcutMethodCall {
 }
 
 /**
- * A CQL parser call (cds.ql, cds.parse.cql, ...) parameterized with a string
+ * A CQL parser call (`cds.ql`, `cds.parse.cql`, ...) parameterized with a string
  * conatenation expression.
  */
 class CqlClauseParserCallWithStringConcat instanceof CqlClauseParserCall {
   CqlClauseParserCallWithStringConcat() {
-    exists(StringConcatenation::getAnOperand(super.getCdlString()))
+    not this.getCdlString().(StringOps::Concatenation).asExpr() instanceof TemplateLiteral and
+    exists(StringConcatenation::getAnOperand(this.getCdlString()))
   }
 
   Location getLocation() { result = super.getLocation() }
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll
@@ -942,11 +942,17 @@ class CqlUpsertMethodCall extends CqlShortcutMethodCall {
 abstract class CqlClauseParserCall extends DataFlow::CallNode {
   DataFlow::ExprNode cdlString;
 
+  /**
+   * Gets the data flow node that represents the CDL string to be parsed.
+   */
   DataFlow::ExprNode getCdlString() { result = cdlString }
 }
 
 class GlobalCQLFunction extends CqlClauseParserCall {
-  GlobalCQLFunction() { this = DataFlow::globalVarRef("CQL").getACall() }
+  GlobalCQLFunction() {
+    this = DataFlow::globalVarRef("CQL").getACall() and
+    cdlString = this.getArgument(0)
+  }
 }
 
 class CdsParseCqlCall extends CqlClauseParserCall {
diff --git a/javascript/frameworks/cap/test/models/cql/taintedclause/taintedclause.ql b/javascript/frameworks/cap/test/models/cql/taintedclause/taintedclause.ql
@@ -1,5 +1,5 @@
 import javascript
-import advanced_security.javascript.frameworks.cap.CQL
+import advanced_security.javascript.frameworks.cap.CAPCqlInjectionQuery
 
-from ParseCQLTaintedClause clause
+from CqlClauseParserCallWithStringConcat clause
 select clause
diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js b/javascript/frameworks/cap/test/queries/cqlinjection/srv/service1.js
@@ -167,9 +167,9 @@ module.exports = class Service1 extends cds.ApplicationService {
     });
 
     /* ========== 7. Service1 running query on the database service using CQN parsed with global function `CQL` ========== */
-    this.on("send6", async (req) => {
+    this.on("send7", async (req) => {
       const { id } = req.data;
-      const query = cds.parse.cql(`SELECT * from Entity1 where ID =` + id);
+      const query = CQL(`SELECT * from Entity1 where ID =` + id);
       cds.run(query);
     });
 

Original file line number	Diff line number	Diff line change
`@@ -41,12 +41,13 @@ class CqlShortcutMethodCallWithStringConcat instanceof CqlShortcutMethodCall {`
`41`	`41`	`}`
`42`	`42`
`43`	`43`	`/**`
`44`		`- * A CQL parser call (cds.ql, cds.parse.cql, ...) parameterized with a string`
	`44`	+ * A CQL parser call (`cds.ql`, `cds.parse.cql`, ...) parameterized with a string
`45`	`45`	`* conatenation expression.`
`46`	`46`	`*/`
`47`	`47`	`class CqlClauseParserCallWithStringConcat instanceof CqlClauseParserCall {`
`48`	`48`	`CqlClauseParserCallWithStringConcat() {`
`49`		`- exists(StringConcatenation::getAnOperand(super.getCdlString()))`
	`49`	`+ not this.getCdlString().(StringOps::Concatenation).asExpr() instanceof TemplateLiteral and`
	`50`	`+ exists(StringConcatenation::getAnOperand(this.getCdlString()))`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`Location getLocation() { result = super.getLocation() }`