diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
index 1403c997e..036993b7a 100644
--- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
+++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
@@ -28,3 +28,26 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
 result = "Parameter of an event handler belonging to an exposed service"
 }
 }
+
+/**
+ * A service may be described only in a CDS file, but event handlers may still be registered in a format such as:
+ * ```javascript
+ * module.exports = srv => {
+ * srv.before('CREATE', 'Media', req => { //service name is used to describe which to register this handler to
+ * ```
+ * parameters named `req` are captured in the above example.
+ */
+class ServiceinCDSHandlerParameter extends RemoteFlowSource {
+ ServiceinCDSHandlerParameter() {
+ exists(MethodCallNode m, CdlEntity service, string serviceName |
+ service.getName().regexpReplaceAll(".*\\.", "") = serviceName and
+ m.getArgument(1).toString().regexpReplaceAll("'", "") = serviceName and
+ this = m.getArgument(2) and
+ m.getMethodName() in ["on", "before", "after"]
+ )
+ }
+
+ override string getSourceType() {
+ result = "Parameter of an event handler belonging to an exposed service defined in a cds file"
+ }
+}
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds
new file mode 100644
index 000000000..a9c2e3b07
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds
@@ -0,0 +1,6 @@
+namespace sap.capire.test;
+
+entity Test {
+
+ key id:Integer;
+}
\ No newline at end of file
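Review bot: `this = m.getArgument(2)` binds the source to the handler callback itself rather than to its `req` parameter, so taint starts at the function value and never reaches `req.data`; the new remoteflowsource.expected confirms this by listing the whole `req => … }` function instead of `req`. The sibling `HandlerParameter` class extends `ParameterNode`, so the parallel form here would be `this = m.getArgument(2).(FunctionNode).getParameter(0)`, using the same unqualified data-flow names the file already relies on. The name comparison `m.getArgument(1).toString().regexpReplaceAll("'", "") = serviceName` only matches single-quoted literals; `m.getArgument(1).getStringValue() = serviceName` also covers double quotes and template literals and does not depend on a printed representation. The variable called `service` is a `CdlEntity` and nothing checks that the entity is exposed by any service, so the "exposed service" wording in `getSourceType` is not enforced by the predicate — either add that check or narrow the wording and the doc comment, which currently talks about a service name while argument 1 is the entity name. The `HandlerParameter` class whose closing lines form the hunk's context starts outside the hunk.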
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
new file mode 100644
index 000000000..0257d9782
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
@@ -0,0 +1 @@
+| remoteflowsource.js:6:34:9:5 | req => ... i\\n } |
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js
new file mode 100644
index 000000000..7d778e6d4
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js
@@ -0,0 +1,10 @@
+const loki = require('lokijs')
+const db = new loki('DB')
+const testDB = db.addCollection('Test')
+
+module.exports = srv => {
+ srv.before('CREATE', 'Test', req => { //source
+ const obj = testDB.insert({ test: '' })
+ req.data.id = obj.$loki
+ })
+}
\ No newline at end of file
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql
new file mode 100644
index 000000000..9381dbed0
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql
@@ -0,0 +1,5 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+
+from RemoteFlowSource source
+select source
\ No newline at end of file
diff --git a/scripts/create-db-with-cds.sh b/scripts/create-db-with-cds.sh
index ab9334507..d08df45a7 100644
--- a/scripts/create-db-with-cds.sh
+++ b/scripts/create-db-with-cds.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 # !!!!!!! Run it at javascript/frameworks/cap/test/queries/test/queries/ !!!!!!!
+#test if codeql is on the path
+if command -v codeql
+ then
+
 # Remember current directory
 TEST_DIR=$(pwd)
@@ -35,3 +39,7 @@ for dir in *; do
 done
 echo "Done!"
+
+else
+ echo "Add CodeQL to PATH!"
+fi
diff --git a/scripts/create-db.sh b/scripts/create-db.sh
old mode 100644
new mode 100755
index cd31740bd..5979e3471
--- a/scripts/create-db.sh
+++ b/scripts/create-db.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 # !!!!!!! Run it at javascript/frameworks/ui5/test/queries/test/queries/ !!!!!!!
+#test if codeql is on the path
+if command -v codeql
+ then
+
 # Remember current directory
 TEST_DIR=$(pwd)
@@ -26,3 +30,7 @@ for dir in *; do
 done
 echo "Done!"
+
+else
+ echo "Add CodeQL to PATH!"
+fi
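Review bot: The new `else` branch reports the missing tool with `echo "Add CodeQL to PATH!"` on stdout and the script still exits 0, so a caller or CI step cannot distinguish this no-op run from a successful one; make it `echo "Add CodeQL to PATH!" >&2` followed by `exit 1`. In the first hunk of this file, `if command -v codeql` also leaves the resolved path on stdout each run; `if command -v codeql >/dev/null 2>&1; then` keeps the check silent. The same two hunks are repeated for scripts/create-db.sh below and should get the identical change. The `for dir in *; do` loop named in the hunk header starts outside the hunk.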