Merge pull request #110 from advanced-security/knewbury01/fn-cap-sources

Patch for cap remoteflowsource ServiceinCDSHandlerParameter

Author: knewbury01

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll

@@ -33,16 +33,16 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
  * A service may be described only in a CDS file, but event handlers may still be registered in a format such as:
  * ```javascript
  * module.exports = srv => {
- * srv.before('CREATE', 'Media', req => { //service name is used to describe which to register this handler to
+ * srv.before('CREATE', 'Media', req => { //an entity name is used to describe which to register this handler to
  * ```
  * parameters named `req` are captured in the above example.
  */
-class ServiceinCDSHandlerParameter extends RemoteFlowSource {
+class ServiceinCDSHandlerParameter extends ParameterNode, RemoteFlowSource {
   ServiceinCDSHandlerParameter() {
-    exists(MethodCallNode m, CdlEntity service, string serviceName |
-      service.getName().regexpReplaceAll(".*\\.", "") = serviceName and
-      m.getArgument(1).toString().regexpReplaceAll("'", "") = serviceName and
-      this = m.getArgument(2) and
+    exists(MethodCallNode m, CdlEntity entity, string entityName |
+      entity.getName().regexpReplaceAll(".*\\.", "") = entityName and
+      m.getArgument(1).asExpr().getStringValue().regexpReplaceAll("'", "") = entityName and
+      this = m.getArgument(m.getNumArgument() - 1).(FunctionNode).getParameter(0) and
       m.getMethodName() in ["on", "before", "after"]
     )
   }

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected

@@ -1 +1 @@
-| remoteflowsource.js:6:34:9:5 | req =>  ... i\\n    } |
+| remoteflowsource.js:6:34:6:36 | req |