Merge pull request #89 from advanced-security/mbaluda-cap

Event handler phases

Author: mbaluda

.github/codeql/codeql-config.yaml

@@ -4,7 +4,7 @@ queries:
   - uses: security-extended
   # for ui5/cap queries
   - uses: ./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls
-  - uses: ./javascript/frameworks/cap/src
+  - uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
 
 paths:
   - "**/*.xml"

.github/workflows/code_scanning.yml

@@ -64,6 +64,7 @@ jobs:
         pip install sarif-tools
         sarif --version
         sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
+        cat sarif-diff.json
         ! grep -q "[1-9]" sarif-diff.json
         
     - name: Upload sarif change

.github/workflows/javascript.sarif.expected

@@ -1,9 +1,9 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-models
-version: 0.3.0
+version: 0.1.0
 extensionTargets:
-  codeql/javascript-all: "^0.8.1"
-  codeql/javascript-queries: "^0.8.1"
+  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-queries: "^0.8.7"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/cap/ext/qlpack.yml

@@ -80,23 +80,23 @@ module CDS {
   }
 
   /**
-   * Parameter of request handler of `_.on`:
+   * Parameter of request handler phases `_.before`, `_.on` `_.after`:
    * ```js
    * _.on ('READ','Books', (req) => req.reply([...]))
    * ```
    */
-  class OnNodeParam extends ValueNode, ParameterNode {
-    MethodCallNode on;
+  class EventPhaseNodeParam extends ValueNode, ParameterNode {
+    MethodCallNode eventPhase;
 
-    OnNodeParam() {
+    EventPhaseNodeParam() {
       exists(FunctionNode handler |
-        on.getMethodName() = "on" and
-        on.getLastArgument() = handler and
+        eventPhase.getMethodName() = ["before", "on", "after"] and
+        eventPhase.getLastArgument() = handler and
         handler.getLastParameter() = this
       )
     }
 
-    MethodCallNode getOnNode() { result = on }
+    MethodCallNode getEventPhaseNode() { result = eventPhase }
   }
 
   /**
@@ -106,30 +106,35 @@ module CDS {
    * ```
    * not sure how else to know which service is registering the handler
    */
-  class RequestSource extends OnNodeParam {
+  class RequestSource extends EventPhaseNodeParam {
     RequestSource() {
       // TODO : consider  - do we need to actually ever know which service the handler is associated to?
       exists(UserDefinedApplicationService svc, FunctionNode init |
         svc.getAnInstanceMember() = init and
         init.getName() = "init" and
-        this.getOnNode().getEnclosingFunction() = init.getAstNode()
+        this.getEventPhaseNode().getEnclosingFunction() = init.getAstNode()
       )
       or
-      exists(WithCallParameter pa | this.getOnNode().getEnclosingFunction() = pa.getFunction())
+      exists(WithCallParameter pa |
+        this.getEventPhaseNode().getEnclosingFunction() = pa.getFunction()
+      )
     }
   }
 
   class ApplicationService extends API::Node {
-    ApplicationService() { exists(CdsFacade c | this = c.getMember("ApplicationService")) }
+    ApplicationService() {
+      exists(CdsFacade c | this = c.getMember(["ApplicationService", "Service"]))
+    }
   }
 
   /**
    * ```js
    * const cds = require('@sap/cds')
+   * const cds = require('@sap/cds/lib')
    * ```
    */
   class CdsFacade extends API::Node {
-    CdsFacade() { this = API::moduleImport("@sap/cds") }
+    CdsFacade() { this = API::moduleImport(["@sap/cds", "@sap/cds/lib"]) }
   }
 
   /**
@@ -143,13 +148,26 @@ module CDS {
    * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
    */
   class CdsLogSink extends DataFlow::Node {
-    CdsLogSink() { this = any(CdsLogCall cdsLog).getACall().getAChainedMethodCall(["trace", "debug", "info", "log", "warn", "error"]).getAnArgument() }
+    CdsLogSink() {
+      this =
+        any(CdsLogCall cdsLog)
+            .getACall()
+            .getAChainedMethodCall(["trace", "debug", "info", "log", "warn", "error"])
+            .getAnArgument()
+    }
   }
 
   /**
    * Methods that parse source strings into a CQL expression
    */
   class ParseSink extends DataFlow::Node {
-    ParseSink() { this = any(CdsFacade cds).getMember("parse").getMember(["expr", "ref", "xpr"]).getACall().getAnArgument() }
+    ParseSink() {
+      this =
+        any(CdsFacade cds)
+            .getMember("parse")
+            .getMember(["expr", "ref", "xpr"])
+            .getACall()
+            .getAnArgument()
+    }
   }
 }

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -1,16 +1,22 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/dataflow:
+    version: 0.1.7
   codeql/javascript-all:
-    version: 0.8.5
+    version: 0.8.7
   codeql/mad:
-    version: 0.2.5
+    version: 0.2.7
   codeql/regex:
-    version: 0.2.5
+    version: 0.2.7
+  codeql/ssa:
+    version: 0.2.7
   codeql/tutorial:
-    version: 0.2.5
+    version: 0.2.7
+  codeql/typetracking:
+    version: 0.2.7
   codeql/util:
-    version: 0.2.5
+    version: 0.2.7
   codeql/yaml:
-    version: 0.2.5
+    version: 0.2.7
 compiled: false

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -1,9 +1,9 @@
 ---
 library: true
 name: advanced-security/javascript-sap-cap-all
-version: 0.1.1
+version: 0.1.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.1"
-  advanced-security/javascript-sap-cap-models: "^0.3.0"
+  codeql/javascript-all: "^0.8.7"
+  advanced-security/javascript-sap-cap-models: "^0.1.0"

javascript/frameworks/cap/lib/qlpack.yml

@@ -1,16 +1,22 @@
 ---
 lockVersion: 1.0.0
 dependencies:
+  codeql/dataflow:
+    version: 0.1.7
   codeql/javascript-all:
-    version: 0.8.5
+    version: 0.8.7
   codeql/mad:
-    version: 0.2.5
+    version: 0.2.7
   codeql/regex:
-    version: 0.2.5
+    version: 0.2.7
+  codeql/ssa:
+    version: 0.2.7
   codeql/tutorial:
-    version: 0.2.5
+    version: 0.2.7
+  codeql/typetracking:
+    version: 0.2.7
   codeql/util:
-    version: 0.2.5
+    version: 0.2.7
   codeql/yaml:
-    version: 0.2.5
+    version: 0.2.7
 compiled: false

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -0,0 +1,13 @@
+- description: SAP CAPire Code Scanning Suite
+- queries: .
+- include:
+    tags contain: security
+    kind:
+    - problem
+    - path-problem
+    precision:
+    - high
+    - very-high
+    problem.severity:
+    - warning
+    - error

javascript/frameworks/cap/src/codeql-suites/javascript-code-scanning.qls

@@ -0,0 +1,4 @@
+- description: SAP CAPire Code Scanning Suite
+- queries: .
+- include:
+    tags contain: diagnostics