CAP Framework Modeling Gaps #264

@data-douser

Summary

This issue tracks identified gaps in CodeQL library modeling and security queries for the SAP Cloud Application Programming (CAP) framework. Analysis is based on the CAP framework documentation, existing implementation in javascript/frameworks/cap/, and review of merged CAP PRs and merged CDS PRs.

Identified Gaps

Authentication & Authorization Patterns

  • JWT validation and propagation - Model req.user.token, JWT validation flows, and token forwarding in service-to-service calls
  • Session management - Model req.user.id, req.user.attr, and session-based authentication patterns
  • OAuth/XSUAA flows - Model authentication strategies beyond those covered by NonProductionStrategyUsed.ql
  • User propagation - Track user context propagation across distributed CAP services

Draft Handling

  • Draft editing operations - Model @odata.draft.enabled entity annotations and draft state transitions
  • Draft activation/discard - Model draft-specific event handlers (DraftPrepare, DraftActivate, DraftDiscard)
  • Draft isolation - Understand security implications of draft data isolation

Transaction Management

  • Transaction context tracking - Model cds.tx() and transaction boundary creation
  • Commit/rollback patterns - Track transaction lifecycle and error handling
  • Nested transactions - Model sub-transaction contexts and their security implications

OData Protocol Features

  • Query parameter injection - Model $filter, $orderby, $expand, $select parameters as potential injection points
  • OData aggregation - Model aggregation queries and potential information leakage
  • Batch operations - Model $batch endpoint processing and batch request parsing
  • OData metadata exposure - Track sensitive information in $metadata endpoints

CAP-Specific Data Operations

  • Association navigation - Model taint propagation through entity associations and compositions
  • Deep insert/update - Track nested entity modifications and cascading operations
  • Virtual entities - Model remote service entities and their data flow
  • Custom actions and functions - Model bound/unbound actions defined in .cds files

CDS Annotations Security

  • Validation annotations - Model @assert.range, @assert.format, @mandatory for sanitization
  • @readonly enforcement - Detect violations of read-only annotations
  • @cds.on.insert/@cds.on.update - Model annotation-based lifecycle hooks
  • Personal data annotations - Model @PersonalData, @PersonalData.IsPotentiallySensitive for privacy compliance
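The distinction that matters for taint modeling is which of these annotations actually constrain the value (and so can act as sanitizers) and which only constrain presence or writability. The following is an added example, not CAP's runtime and not code from the codeql-sap-js library: a small enforcer applied to a CSN-like entity definition. It assumes annotations appear as properties named "@assert.format", "@assert.range", "@mandatory" and "@readonly" on the element definitions, as in compiled CSN, and it treats input for a @readonly element as dropped rather than rejected, which is an assumption about CAP's behaviour recorded here so that violations are still observable.

```javascript
// Added example (not CAP's runtime, not part of codeql-sap-js): a minimal enforcer
// for CDS validation annotations over a CSN-like entity definition.
// Assumption: annotations are stored as "@..." properties on each element, as in CSN.

// Constructed entity definition mimicking compiled CSN
const Books = {
  elements: {
    ID:        { type: "cds.Integer", key: true },
    title:     { type: "cds.String", "@mandatory": true },
    isbn:      { type: "cds.String", "@assert.format": "^[0-9]{13}$" }, // anchored on purpose
    stock:     { type: "cds.Integer", "@assert.range": [0, 10000] },
    createdAt: { type: "cds.Timestamp", "@readonly": true },            // e.g. @cds.on.insert: $now
    notes:     { type: "cds.String" },                                  // unannotated: not sanitized
  },
};

// Returns { ok, errors, ignored, data }. `ignored` lists @readonly elements whose
// input was dropped (assumption: CAP ignores such input rather than failing the request).
function enforceAnnotations(entity, data, event) {
  const errors = [];
  const ignored = [];
  const clean = {};
  for (const [name, def] of Object.entries(entity.elements)) {
    const present = Object.prototype.hasOwnProperty.call(data, name) && data[name] !== undefined;
    if (def["@readonly"] && present) {
      ignored.push(name); // a read-only violation: recorded, value not written
      continue;
    }
    if (def["@mandatory"] && event === "CREATE" && (!present || data[name] === null || data[name] === "")) {
      errors.push(`${name}: mandatory`); // presence check only; says nothing about content
      continue;
    }
    if (!present) continue;
    const value = data[name];
    if (def["@assert.format"] && !new RegExp(def["@assert.format"]).test(String(value))) {
      errors.push(`${name}: does not match ${def["@assert.format"]}`); // content check: a sanitizer
      continue;
    }
    if (Array.isArray(def["@assert.range"])) {
      const [lo, hi] = def["@assert.range"];
      if (typeof value !== "number" || value < lo || value > hi) {
        errors.push(`${name}: out of range [${lo}, ${hi}]`); // content check: a sanitizer
        continue;
      }
    }
    clean[name] = value; // unannotated elements such as `notes` flow through untouched
  }
  return { ok: errors.length === 0, errors, ignored, data: clean };
}
```

Only `@assert.format` and `@assert.range` reject a value based on its content, and `@assert.format` is a sanitizer only when the pattern is anchored; `isbn` above would accept `9780141439587'; DROP TABLE Books; --` if the pattern were written without `^` and `$`. A model that treats these annotations as barriers should check for that, and should not treat `@mandatory` or `@readonly` as barriers at all.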

Advanced Data Flow

  • File upload handling - Model multipart/form-data processing and file attachment flows
  • Streaming operations - Model large binary data streams (sources and sinks)
  • Custom middleware - Track custom Express middleware registration and request/response modification
  • Error handler taint - Model custom error handlers and error message leakage
  • Background jobs - Model asynchronous job processing (cds.spawn, messaging)
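For the error-handler item, the pattern a query would look for is an Express-style error middleware that copies `err.message`, `err.stack` or request data into the response. The following is an added example, not code from the codeql-sap-js project or from CAP: a leaky handler beside a hardened one. It assumes the handler is registered on the bootstrapped Express app (CAP exposes that app through the `bootstrap` event) and receives the usual `(err, req, res, next)` arguments; `makeResponse()` is a constructed stand-in for `res` so the example runs without Express.

```javascript
// Added example (not from codeql-sap-js or CAP): custom error handlers and message leakage.
// Assumption: registered as Express error middleware with the (err, req, res, next) shape.

// Constructed stand-in for an Express response object
function makeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Server-side log, kept here as an array so the example is self-contained
const serverLog = [];

// VULNERABLE: the driver's message, the stack trace and echoed request data all reach the client.
// eslint-disable-next-line no-unused-vars
function leakyErrorHandler(err, req, res, next) {
  res.status(500).json({ message: err.message, stack: err.stack, request: req.query });
}

// HARDENED: 4xx errors carry messages the application itself chose and are returned as-is;
// anything else is replaced by a generic message plus a correlation id pointing at the log.
// `next` stays in the signature because Express selects error handlers by arity.
// eslint-disable-next-line no-unused-vars
function safeErrorHandler(err, req, res, next) {
  const status = Number.isInteger(err.status) && err.status >= 400 && err.status < 600 ? err.status : 500;
  if (status < 500) {
    return res.status(status).json({ error: err.message });
  }
  // Correlation id only; it does not need to be unguessable, just unique enough to find the log line.
  const ref = Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
  serverLog.push({ ref, message: err.message, stack: err.stack, path: req.path });
  return res.status(status).json({ error: "Internal server error", reference: ref });
}

// Constructed sample errors: one from a database driver, one raised by the app itself
const dbError = new Error("connect ECONNREFUSED 10.0.0.5:30015");
const clientError = Object.assign(new Error("Book not found"), { status: 404 });
const sampleRequest = { query: { id: "1" }, path: "/catalog/Books" };
```

The hardened handler still relies on the application only attaching `status` below 500 to errors whose message it wrote itself; an error that wraps a driver message with `status: 400` would be forwarded, which is why the model needs to follow the message, not just the status.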

Database-Specific Patterns

  • HANA-specific features - Model HANA calculation views, stored procedures, and SQL Script
  • Native SQL execution - Model cds.run(), cds.db.run() with raw SQL
  • Database function calls - Model database-specific function calls (e.g., HANA functions)
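The OData query option item above and the native SQL item here describe the two ends of one flow: a value read from `req._queryOptions` (already a modeled remote source) reaching a raw SQL string passed to `cds.run()` or `cds.db.run()`. The following is an added example, not code from the codeql-sap-js project or from CAP: a handler that interpolates `$orderby` and a `$filter` value into SQL, beside a hardened version that allow-lists identifiers and binds values. `recordingDb` is a constructed stand-in for the database service with the same `run(sql, params)` call shape, so nothing here needs @sap/cds; that CAP's `run` accepts a native SQL string with a parameter array is taken from the CAP documentation and is an assumption of this example, and `extractAuthorFilter` is a deliberately minimal parser for one `$filter` form.

```javascript
// Added example (not from codeql-sap-js or CAP): OData query options flowing into raw SQL.
// `recordingDb` stands in for cds.db; it records what the database would have been asked to run.
const recordingDb = {
  run(sql, params = []) {
    return { sql, params };
  },
};

// Constructed query options, as a handler would read them from req._queryOptions
const benignOptions = { $orderby: "title asc, price desc", $filter: "author eq 'Austen'" };
const hostileOptions = {
  $orderby: "title; DROP TABLE Books; --",
  $filter: "author eq 'x' OR '1'='1'",
};

// Minimal $filter parser for the single form `author eq '<value>'` (hypothetical helper)
function extractAuthorFilter(filter = "") {
  const m = /^author eq '(.*)'$/.exec(filter);
  return m ? m[1] : "";
}

// VULNERABLE: both the identifier ($orderby) and the value ($filter) are concatenated
// into the SQL text; the string passed to run() is the sink.
function unsafeListBooks(db, queryOptions) {
  const orderby = queryOptions.$orderby || "ID";
  const author = extractAuthorFilter(queryOptions.$filter);
  return db.run(
    `SELECT ID, title, price FROM Books WHERE author = '${author}' ORDER BY ${orderby}`
  );
}

// Identifiers cannot be bound as parameters, so $orderby is parsed into (column, direction)
// pairs and each part is checked against an allow-list derived from the entity.
const ALLOWED_ORDER_COLUMNS = new Set(["ID", "title", "price"]);

function parseOrderBy(value) {
  return value.split(",").map((part) => {
    const tokens = part.trim().split(/\s+/);
    if (tokens.length > 2) throw new Error(`malformed $orderby term: ${part}`);
    const [column, dir = "asc"] = tokens;
    if (!ALLOWED_ORDER_COLUMNS.has(column)) throw new Error(`unknown column in $orderby: ${column}`);
    const direction = dir.toLowerCase();
    if (direction !== "asc" && direction !== "desc") throw new Error(`bad direction in $orderby: ${dir}`);
    return { column, direction: direction.toUpperCase() };
  });
}

// HARDENED: allow-listed identifiers in the SQL text, the value bound as a parameter.
function safeListBooks(db, queryOptions) {
  const author = extractAuthorFilter(queryOptions.$filter);
  const order = parseOrderBy(queryOptions.$orderby || "ID")
    .map((t) => `${t.column} ${t.direction}`)
    .join(", ");
  return db.run(
    `SELECT ID, title, price FROM Books WHERE author = ? ORDER BY ${order}`,
    [author]
  );
}
```

For the model this means two sink shapes for `run()`: a string argument built from tainted input (injection), and a string argument that is a fixed template whose parameters array carries the taint (not injection, at least for values). `$orderby`, `$select` and `$expand` name identifiers, so an allow-list like `parseOrderBy` is the only sanitizer that applies to them; `$filter` values can be bound.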

Messaging & Events

  • Message queue sources - Model CAP messaging (emit/on patterns for message brokers)
  • Event mesh integration - Model SAP Event Mesh as external event sources
  • Cross-service events - Track event propagation across CAP services

API Gateway & BTP Integration

  • API Management policies - Consider API Gateway transformations affecting taint
  • Destination service - Model destination configuration as potential credential exposure
  • Cloud Connector - Model on-premise connectivity as additional attack surface

Completed Work

Recent CAP modeling enhancements (see merged PRs):

Query Enhancements:

Modeling Improvements:

Framework-Specific Configuration:

CDS Extractor Enhancements:

Currently Modeled:

  • Event handlers: srv.on, srv.before, srv.after
  • Remote flow sources: req.data, req.params, req.headers, req.id, req._queryOptions, req.http.req.*
  • Service patterns: ES6 class extension, cds.service.impl(), exported closure
  • Service exposure: @path annotation detection, protocol: 'none' filtering
  • CQL fluent API: SELECT, INSERT, UPDATE, DELETE, UPSERT
  • CDS annotations: @restrict, @requires (for authorization)
  • CDS definition parsing: entities, events, actions, functions

Implementation Notes

For new gaps:

  1. Follow Test-Driven Development methodology
  2. Reference CAP framework development prompt for detailed patterns
  3. Use javascript-cap-modeling-agent for implementation
  4. Consult CAP documentation for authoritative behavior
  5. Add tests to javascript/frameworks/cap/test/ with .expected files

Priority should be given to gaps that:

  • Are commonly exploited in CAP applications
  • Have high impact on security posture
  • Are currently not detected by out-of-box CodeQL queries

References
