Implement HandlerParameterData.getType/0

jeongsoolee09 · jeongsoolee09 · commit efd3470b0dfc · 2025-01-06T16:54:33.000-08:00
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll
@@ -29,7 +29,7 @@ class ConstantOnlyTemplateLiteral extends TemplateLiteral {
 }
 
 /**
- * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
+ * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`.
  */
 class CdsLogSink extends DataFlow::Node {
   CdsLogSink() {
@@ -49,5 +49,12 @@ class CAPLogInjectionConfiguration extends LogInjectionConfiguration {
     start instanceof RemoteFlowSource
   }
 
+  override predicate isBarrier(DataFlow::Node node) {
+    exists(HandlerParameterData handlerParameterData |
+      node = handlerParameterData and
+      not handlerParameterData.getType() = ["cds.String", "cds.LargeString"]
+    )
+  }
+
   override predicate isSink(DataFlow::Node end) { end instanceof CdsLogSink }
 }
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll
@@ -176,6 +176,10 @@ class CdlService extends CdlElement {
 
   CdlEntity getAnEntity() { result = this.getEntity(_) }
 
+  CdlActionOrFunction getAnActionOrFunction() {
+    result = this.getAnEvent() or result = this.getAnAction()
+  }
+
   CdlEvent getEvent(string eventName) {
     result.getName() = eventName and this.getName() = result.getName().splitAt(".", 0)
   }
@@ -227,13 +231,27 @@ class CdlEntity extends CdlElement {
   }
 }
 
-class CdlEvent extends CdlElement {
+abstract class CdlActionOrFunction extends CdlElement {
+  /**
+   * Gets a parameter definition of this action with a given name.
+   */
+  CdlAttribute getParameter(string paramName) {
+    result = this.getPropValue("params").getPropValue(paramName)
+  }
+
+  /**
+   * Gets a parameter definition of this action.
+   */
+  CdlAttribute getAParameter() { result = this.getParameter(_) }
+}
+
+class CdlEvent extends CdlActionOrFunction {
   CdlEvent() { kind = CdlEventKind(this.getPropStringValue("kind")) }
 
   string getBasename() { result = name.splitAt(".", count(name.indexOf("."))) }
 }
 
-class CdlAction extends CdlElement {
+class CdlAction extends CdlActionOrFunction {
   CdlAction() { kind = CdlActionKind(this.getPropStringValue("kind")) }
 
   predicate belongsToServiceWithNoAuthn() {
@@ -255,7 +273,10 @@ class CdlAttribute extends CdlObject {
   string name;
 
   CdlAttribute() {
-    exists(CdlElement entity | this = entity.getPropValue("elements").getPropValue(name))
+    exists(CdlElement entity | this = entity.getPropValue("elements").getPropValue(name)) or
+    exists(CdlActionOrFunction actionOrFunction |
+      this = actionOrFunction.getPropValue("params").getPropValue(name)
+    )
   }
 
   override string getObjectLocationName() { result = getName() }
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll
@@ -4,6 +4,7 @@ import advanced_security.javascript.frameworks.cap.TypeTrackers
 import advanced_security.javascript.frameworks.cap.PackageJson
 import advanced_security.javascript.frameworks.cap.CDL
 import advanced_security.javascript.frameworks.cap.CQL
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
 
 /**
  * ```js
@@ -701,3 +702,48 @@ class EntityReferenceFromCqlClause extends EntityReference, ExprNode {
 
   override CdlEntity getCqlDefinition() { result = cql.getAccessingEntityDefinition() }
 }
+
+/**
+ * The `"data"` property of the handler's parameter that represents the request or message passed to this handler.
+ * This property carries the user-provided payload provided to the CAP application. e.g.
+ * ``` javascript
+ * srv.on("send", async (msg) => {
+ *   const { payload } = msg.data;
+ * })
+ * ```
+ * The `payload` carries the data that is sent to this application on the action or event named `send`.
+ */
+class HandlerParameterData instanceof PropRead {
+  HandlerParameter handlerParameter;
+  string dataName;
+
+  HandlerParameterData() {
+    this = handlerParameter.getAPropertyRead("data").getAPropertyRead(dataName)
+  }
+
+  /**
+   * Gets the type of this handler parameter data.
+   */
+  string getType() {
+    /*
+     * The result string is the type of this parameter if:
+     * - There is an actionName which is this HandlerRegistration's action/function name, and
+     * - The actionName in the CDS declaration has params with the same name of this parameter, and
+     * - The result is the name of the type of the parameter.
+     */
+
+    exists(
+      UserDefinedApplicationService userDefinedApplicationService,
+      CdlActionOrFunction cdlActionOrFunction, HandlerRegistration handlerRegistration
+    |
+      handlerRegistration = userDefinedApplicationService.getAHandlerRegistration() and
+      handlerRegistration = handlerParameter.getHandlerRegistration() and
+      handlerRegistration.getAnEventName() = cdlActionOrFunction.getUnqualifiedName() and
+      cdlActionOrFunction =
+        userDefinedApplicationService.getCdsDeclaration().getAnActionOrFunction() and
+      result = cdlActionOrFunction.getParameter(dataName).getType()
+    )
+  }
+
+  string toString() { result = this.(PropRead).toString() }
+}
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
@@ -12,11 +12,11 @@ import advanced_security.javascript.frameworks.cap.CDS
  * All the parameters named `req` and `msg` are captured in the above example.
  */
 class HandlerParameter extends ParameterNode, RemoteFlowSource {
+  Handler handler;
+  HandlerRegistration handlerRegistration;
+
   HandlerParameter() {
-    exists(
-      Handler handler, HandlerRegistration handlerRegistration,
-      UserDefinedApplicationService service
-    |
+    exists(UserDefinedApplicationService service |
       handler = handlerRegistration.getHandler() and
       this = handler.getParameter(0) and
       service.getAHandlerRegistration() = handlerRegistration and
@@ -27,6 +27,16 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
   override string getSourceType() {
     result = "Parameter of an event handler belonging to an exposed service"
   }
+
+  /**
+   * Gets the handler this is a parameter of.
+   */
+  Handler getHandler() { result = handler }
+
+  /**
+   * Gets the handler registration registering the handler it is a parameter of.
+   */
+  HandlerRegistration getHandlerRegistration() { result = handlerRegistration }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ class ConstantOnlyTemplateLiteral extends TemplateLiteral {`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`/**`
`32`		- * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
	`32`	+ * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`.
`33`	`33`	`*/`
`34`	`34`	`class CdsLogSink extends DataFlow::Node {`
`35`	`35`	`CdsLogSink() {`
`@@ -49,5 +49,12 @@ class CAPLogInjectionConfiguration extends LogInjectionConfiguration {`
`49`	`49`	`start instanceof RemoteFlowSource`
`50`	`50`	`}`
`51`	`51`
	`52`	`+ override predicate isBarrier(DataFlow::Node node) {`
	`53`	`+ exists(HandlerParameterData handlerParameterData \|`
	`54`	`+ node = handlerParameterData and`
	`55`	`+ not handlerParameterData.getType() = ["cds.String", "cds.LargeString"]`
	`56`	`+ )`
	`57`	`+ }`
	`58`	`+`
`52`	`59`	`override predicate isSink(DataFlow::Node end) { end instanceof CdsLogSink }`
`53`	`60`	`}`