From 60d366616044ca0e0d9c31739c9aa2f5d92c9a25 Mon Sep 17 00:00:00 2001 From: Kristen Newbury Date: Tue, 9 Apr 2024 12:04:39 -0400 Subject: [PATCH 1/3] Add codeql bin check to db create scripts --- scripts/create-db-with-cds.sh | 8 ++++++++ scripts/create-db.sh | 8 ++++++++ 2 files changed, 16 insertions(+) mode change 100644 => 100755 scripts/create-db.sh diff --git a/scripts/create-db-with-cds.sh b/scripts/create-db-with-cds.sh index ab9334507..d08df45a7 100644 --- a/scripts/create-db-with-cds.sh +++ b/scripts/create-db-with-cds.sh @@ -1,6 +1,10 @@ #!/bin/bash # !!!!!!! Run it at javascript/frameworks/cap/test/queries/test/queries/ !!!!!!! +#test if codeql is on the path +if command -v codeql + then + # Remember current directory TEST_DIR=$(pwd) @@ -35,3 +39,7 @@ for dir in *; do done echo "Done!" + +else + echo "Add CodeQL to PATH!" +fi diff --git a/scripts/create-db.sh b/scripts/create-db.sh old mode 100644 new mode 100755 index cd31740bd..5979e3471 --- a/scripts/create-db.sh +++ b/scripts/create-db.sh @@ -1,6 +1,10 @@ #!/bin/bash # !!!!!!! Run it at javascript/frameworks/ui5/test/queries/test/queries/ !!!!!!! +#test if codeql is on the path +if command -v codeql + then + # Remember current directory TEST_DIR=$(pwd) @@ -26,3 +30,7 @@ for dir in *; do done echo "Done!" + +else + echo "Add CodeQL to PATH!" +fi From cdd22e47f5b475048fed04c25c38b04340777a82 Mon Sep 17 00:00:00 2001 
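Review bot: `if command -v codeql` lets the resolved binary path through to stdout, and when the check fails the script prints `Add CodeQL to PATH!` to stdout and still exits 0, so a caller or CI job cannot tell that no database was built; the same applies to both hunks of `scripts/create-db.sh`. An early guard avoids wrapping the whole script body in the `if` and makes the failure visible: `if ! command -v codeql >/dev/null 2>&1; then` / `  echo "Add CodeQL to PATH!" >&2; exit 1` / `fi`, after which the `else … fi` block added at the end of each script can be dropped. The bare `#test if codeql is on the path` comment and the `then` on its own indented line would also read more conventionally as `if …; then` with `# Require the codeql CLI on PATH before building any databases`.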
From: Kristen Newbury
Date: Wed, 10 Apr 2024 13:26:22 -0400
Subject: [PATCH 2/3] Add model for event handlers registered to service that is only defined in cds and testcase
---
 .../frameworks/cap/RemoteFlowSources.qll | 23 +++++++++++++++++++
 .../remoteflowsources/remoteflowsource.cds | 6 +++++
 .../remoteflowsource.cds.json | 19 +++++++++++++++
 .../remoteflowsource.expected | 1 +
 .../cds/remoteflowsources/remoteflowsource.js | 10 ++++++++
 .../cds/remoteflowsources/remoteflowsource.ql | 5 ++++
 6 files changed, 64 insertions(+)
 create mode 100644 javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds
 create mode 100644 javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json
 create mode 100644 javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
 create mode 100644 javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js
 create mode 100644 javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
index 1403c997e..036993b7a 100644
--- a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
+++ b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
@@ -28,3 +28,26 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
 result = "Parameter of an event handler belonging to an exposed service"
 }
 }
+
+/**
+ * A service may be described only in a CDS file, but event handlers may still be registered in a format such as:
+ * ```javascript
+ * module.exports = srv => {
+ * srv.before('CREATE', 'Media', req => { //service name is used to describe which to register this handler to
+ * ```
+ * parameters named `req` are captured in the above example.
+ */
+class ServiceinCDSHandlerParameter extends RemoteFlowSource {
+ ServiceinCDSHandlerParameter() {
+ exists(MethodCallNode m, CdlEntity service, string serviceName |
+ service.getName().regexpReplaceAll(".*\\.", "") = serviceName and
+ m.getArgument(1).toString().regexpReplaceAll("'", "") = serviceName and
+ this = m.getArgument(2) and
+ m.getMethodName() in ["on", "before", "after"]
+ )
+ }
+
+ override string getSourceType() {
+ result = "Parameter of an event handler belonging to an exposed service defined in a cds file"
+ }
+}
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds
new file mode 100644
index 000000000..a9c2e3b07
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds
@@ -0,0 +1,6 @@
+namespace sap.capire.test;
+
+entity Test {
+
+ key id:Integer;
+}
\ No newline at end of file
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json
new file mode 100644
index 000000000..7ff0515a0
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json
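Review bot: `this = m.getArgument(2)` makes the whole callback the source rather than its request parameter, which is what the class name and the existing `HandlerParameter` (a `ParameterNode`) promise — the new `remoteflowsource.expected` accordingly lists `req => ... }` instead of `req`, and taint that starts at a function node is unlikely to reach `req.data` in a flow query; `this = m.getArgument(2).(DataFlow::FunctionNode).getParameter(0)` would align it with the existing class. Matching the entity name via `m.getArgument(1).toString().regexpReplaceAll("'", "")` only handles single-quoted literals, so `srv.on("READ", "Test", …)` or a template literal is silently missed; `m.getArgument(1).getStringValue() = serviceName` covers every constant string form. Nothing constrains the receiver of `m`, so any `.on`/`.before`/`.after` call whose second argument equals a CDS entity's short name is treated as a service handler, which looks wider than intended — if this library has a way to recognise the service object, it belongs here. The local is named `service` but is a `CdlEntity`, and the doc comment's "service name" remark describes what is actually the entity argument; renaming it `entity` and saying so in the comment would avoid misleading the next reader.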
@@ -0,0 +1,19 @@
+{
+ "namespace": "sap.capire.test",
+ "definitions": {
+ "sap.capire.test.Test": {
+ "kind": "entity",
+ "elements": {
+ "id": {
+ "key": true,
+ "type": "cds.Integer"
+ }
+ }
+ }
+ },
+ "meta": {
+ "creator": "CDS Compiler v4.5.0",
+ "flavor": "inferred"
+ },
+ "$version": "2.0"
+}
\ No newline at end of file
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
new file mode 100644
index 000000000..0257d9782
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
@@ -0,0 +1 @@
+| remoteflowsource.js:6:34:9:5 | req => ... i\\n } |
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js
new file mode 100644
index 000000000..7d778e6d4
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js
@@ -0,0 +1,10 @@
+const loki = require('lokijs')
+const db = new loki('DB')
+const testDB = db.addCollection('Test')
+
+module.exports = srv => {
+ srv.before('CREATE', 'Test', req => { //source
+ const obj = testDB.insert({ test: '' })
+ req.data.id = obj.$loki
+ })
+}
\ No newline at end of file
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql
new file mode 100644
index 000000000..9381dbed0
--- /dev/null
+++ b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql
@@ -0,0 +1,5 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+
+from RemoteFlowSource source
+select source
\ No newline at end of file
From da65203419efd919dca6d05fb2b021cf2dba158d Mon Sep 17 00:00:00 2001
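Review bot: The fixture registers exactly one handler, `srv.before('CREATE', 'Test', req => { //source`, so it only exercises the single-quoted, three-argument `before` form that the new model's quote stripping happens to accept. A double-quoted entity name (`srv.on("READ", "Test", req => {})`) and a two-argument handler without an entity (`srv.after('READ', req => {})`) would make the model's current gaps visible as expected-file differences instead of leaving them untested. The bare `//source` comment could also say what the test expects to be flagged, e.g. `// source: the req parameter of a handler for the CDS-defined Test entity`, which would surface the mismatch with the whole arrow function currently listed in `remoteflowsource.expected`.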
From: Kristen Newbury
Date: Wed, 10 Apr 2024 15:09:29 -0400
Subject: [PATCH 3/3] Remove unneeded cds.json
---
 .../remoteflowsource.cds.json | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json
deleted file mode 100644
index 7ff0515a0..000000000
--- a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "namespace": "sap.capire.test",
- "definitions": {
- "sap.capire.test.Test": {
- "kind": "entity",
- "elements": {
- "id": {
- "key": true,
- "type": "cds.Integer"
- }
- }
- }
- },
- "meta": {
- "creator": "CDS Compiler v4.5.0",
- "flavor": "inferred"
- },
- "$version": "2.0"
-}
\ No newline at end of file