Add additional cases to remoteflowsources

jeongsoolee09 · jeongsoolee09 · commit b7a00f767c7b · 2025-08-25T16:45:20.000-04:00
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/HandlerParameterOfExposedService.expected b/javascript/frameworks/cap/test/models/cds/remoteflowsources/HandlerParameterOfExposedService.expected
@@ -9,6 +9,7 @@
 | srv/service1.js:52:29:52:31 | req |
 | srv/service1.js:58:29:58:31 | req |
 | srv/service1.js:64:29:64:31 | req |
+| srv/service1.js:70:30:70:32 | req |
 | srv/service2.js:4:27:4:29 | msg |
 | srv/service3.js:5:29:5:31 | req |
 | srv/service3.js:11:29:11:31 | req |
@@ -19,3 +20,4 @@
 | srv/service3.js:51:29:51:31 | req |
 | srv/service3.js:57:29:57:31 | req |
 | srv/service3.js:63:29:63:31 | req |
+| srv/service3.js:69:30:69:32 | req |
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/HandlerParameterOfExposedService.ql b/javascript/frameworks/cap/test/models/cds/remoteflowsources/HandlerParameterOfExposedService.ql
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
@@ -13,6 +13,7 @@
 | srv/service1.js:34:31:34:61 | req.htt ... eProp") |
 | srv/service1.js:35:31:35:60 | req.htt ... eProp") |
 | srv/service1.js:41:29:41:34 | req.id |
+| srv/service1.js:47:29:47:45 | req._queryOptions |
 | srv/service2.js:5:31:5:38 | msg.data |
 | srv/service3.js:6:33:6:40 | req.data |
 | srv/service3.js:12:33:12:42 | req.params |
@@ -29,3 +30,4 @@
 | srv/service3.js:33:31:33:61 | req.htt ... eProp") |
 | srv/service3.js:34:31:34:60 | req.htt ... eProp") |
 | srv/service3.js:40:29:40:34 | req.id |
+| srv/service3.js:46:29:46:45 | req._queryOptions |
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service1.js b/javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service1.js
@@ -44,24 +44,30 @@ module.exports = class Service1 extends cds.ApplicationService {
     });
 
     this.on("send6", async (req) => {
-      const messageToPass = req.locale;  // SAFE: Not a taint source, Exposed service
+      const messageToPass = req._queryOptions;  // UNSAFE: Taint source, Exposed service
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
 
     this.on("send7", async (req) => {
-      const messageToPass = req.tenant;  // SAFE: Not a taint source, Exposed service
+      const messageToPass = req.locale;  // SAFE: Not a taint source, Exposed service
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
 
     this.on("send8", async (req) => {
-      const messageToPass = req.timestamp;  // SAFE: Not a taint source, Exposed service
+      const messageToPass = req.tenant;  // SAFE: Not a taint source, Exposed service
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
 
     this.on("send9", async (req) => {
+      const messageToPass = req.timestamp;  // SAFE: Not a taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send10", async (req) => {
       const messageToPass = req.user;  // SAFE: Not a taint source, Exposed service
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service3.js b/javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service3.js
@@ -43,24 +43,30 @@ class Service3 extends cds.ApplicationService {
     });
 
     this.on("send6", async (req) => {
-      const messageToPass = req.locale;  // SAFE: Not a taint source, Exposed service (fallback)
+      const messageToPass = req._queryOptions;  // UNSAFE: Taint source, Exposed service
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
 
     this.on("send7", async (req) => {
-      const messageToPass = req.tenant;  // SAFE: Not a taint source, Exposed service (fallback)
+      const messageToPass = req.locale;  // SAFE: Not a taint source, Exposed service (fallback)
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
 
     this.on("send8", async (req) => {
-      const messageToPass = req.timestamp;  // SAFE: Not a taint source, Exposed service (fallback)
+      const messageToPass = req.tenant;  // SAFE: Not a taint source, Exposed service (fallback)
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
 
     this.on("send9", async (req) => {
+      const messageToPass = req.timestamp;  // SAFE: Not a taint source, Exposed service (fallback)
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
+
+    this.on("send10", async (req) => {
       const messageToPass = req.user;  // SAFE: Not a taint source, Exposed service (fallback)
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service4.js b/javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service4.js
@@ -41,5 +41,11 @@ module.exports = class Service4 extends cds.ApplicationService {
       const Service2 = await cds.connect.to("service-2");
       Service2.send("send2", { messageToPass });
     });
+
+    this.on("send6", async (req) => {
+      const messageToPass = req._queryOptions;  // UNSAFE: Taint source, Exposed service
+      const Service2 = await cds.connect.to("service-2");
+      Service2.send("send2", { messageToPass });
+    });
   }
 };
