Add model for event handlers registered to service that is only defined in cds and testcase

Author: knewbury01

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll

@@ -28,3 +28,26 @@ class HandlerParameter extends ParameterNode, RemoteFlowSource {
     result = "Parameter of an event handler belonging to an exposed service"
   }
 }
+
+/**
+ * A service may be described only in a CDS file, but event handlers may still be registered in a format such as:
+ * ```javascript
+ * module.exports = srv => {
+ * srv.before('CREATE', 'Media', req => { //service name is used to describe which to register this handler to
+ * ```
+ * parameters named `req` are captured in the above example.
+ */
+class ServiceinCDSHandlerParameter extends RemoteFlowSource {
+  ServiceinCDSHandlerParameter() {
+    exists(MethodCallNode m, CdlEntity service, string serviceName |
+      service.getName().regexpReplaceAll(".*\\.", "") = serviceName and
+      m.getArgument(1).toString().regexpReplaceAll("'", "") = serviceName and
+      this = m.getArgument(2) and
+      m.getMethodName() in ["on", "before", "after"]
+    )
+  }
+
+  override string getSourceType() {
+    result = "Parameter of an event handler belonging to an exposed service defined in a cds file"
+  }
+}

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds

@@ -0,0 +1,6 @@
+namespace sap.capire.test;
+
+entity Test {
+
+   key id:Integer;
+}

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.cds.json

@@ -0,0 +1,19 @@
+{
+  "namespace": "sap.capire.test",
+  "definitions": {
+    "sap.capire.test.Test": {
+      "kind": "entity",
+      "elements": {
+        "id": {
+          "key": true,
+          "type": "cds.Integer"
+        }
+      }
+    }
+  },
+  "meta": {
+    "creator": "CDS Compiler v4.5.0",
+    "flavor": "inferred"
+  },
+  "$version": "2.0"
+}

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.expected

@@ -0,0 +1 @@
+| remoteflowsource.js:6:34:9:5 | req =>  ... i\\n    } |

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.js

@@ -0,0 +1,10 @@
+const loki = require('lokijs')
+const db = new loki('DB')
+const testDB = db.addCollection('Test')
+
+module.exports = srv => {
+    srv.before('CREATE', 'Test', req => { //source
+      const obj = testDB.insert({ test: '' })
+      req.data.id = obj.$loki
+    })
+}

javascript/frameworks/cap/test/models/cds/remoteflowsources/remoteflowsource.ql

@@ -0,0 +1,5 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+
+from RemoteFlowSource source
+select source