Merge pull request #109 from advanced-security/knewbury01/fn-cap-sources

knewbury01 · web-flow · commit 4c4165977b86 · 2024-04-11T13:21:35.000-04:00
Fix FN cap sources
diff --git a/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll b/javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll
@@ -28,3 +28,26 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
     result = "Parameter of an event handler belonging to an exposed service"
   }
 }
+
+/**
+ * A service may be described only in a CDS file, but event handlers may still be registered in a format such as:
+ * ```javascript
+ * module.exports = srv => {
+ * srv.before('CREATE', 'Media', req => { //service name is used to describe which to register this handler to
+ * ```
+ * parameters named `req` are captured in the above example.
+ */
+class ServiceinCDSHandlerParameter extends RemoteFlowSource {
+  ServiceinCDSHandlerParameter() {
+    exists(MethodCallNode m, CdlEntity service, string serviceName |
+      service.getName().regexpReplaceAll(".*\\.", "") = serviceName and
+      m.getArgument(1).toString().regexpReplaceAll("'", "") = serviceName and
+      this = m.getArgument(2) and
+      m.getMethodName() in ["on", "before", "after"]
+    )
+  }
+
+  override string getSourceType() {
+    result = "Parameter of an event handler belonging to an exposed service defined in a cds file"
+  }
+}
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds
@@ -0,0 +1,6 @@
+namespace sap.capire.test;
+
+entity Test {
+
+   key id:Integer;
+}
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected
@@ -0,0 +1 @@
+| remoteflowsource.js:6:34:9:5 | req =>  ... i\\n    } |
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js
@@ -0,0 +1,10 @@
+const loki = require('lokijs')
+const db = new loki('DB')
+const testDB = db.addCollection('Test')
+
+module.exports = srv => {
+    srv.before('CREATE', 'Test', req => { //source
+      const obj = testDB.insert({ test: '' })
+      req.data.id = obj.$loki
+    })
+}
diff --git a/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql b/javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql
@@ -0,0 +1,5 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+
+from RemoteFlowSource source
+select source
diff --git a/scripts/create-db-with-cds.sh b/scripts/create-db-with-cds.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 # !!!!!!! Run it at javascript/frameworks/cap/test/queries/test/queries/ !!!!!!!
 
+#test if codeql is on the path
+if command -v codeql
+   then
+
 # Remember current directory
 TEST_DIR=$(pwd)
 
@@ -35,3 +39,7 @@ for dir in *; do
 done
 
 echo "Done!"
+
+else
+    echo "Add CodeQL to PATH!"
+fi
diff --git a/scripts/create-db.sh b/scripts/create-db.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 # !!!!!!! Run it at javascript/frameworks/ui5/test/queries/test/queries/ !!!!!!!
 
+#test if codeql is on the path
+if command -v codeql
+   then
+
 # Remember current directory
 TEST_DIR=$(pwd)
 
@@ -26,3 +30,7 @@ for dir in *; do
 done
 
 echo "Done!"
+
+else
+    echo "Add CodeQL to PATH!"
+fi

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| remoteflowsource.js:6:34:9:5 \| req => ... i\\n } \|`