Improve CQL Injection Query #200
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Will fix later
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
There was a problem hiding this comment.
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
… duplicate old test case
These are combined into the new CQL injection test file to avoid confusion; the few commits that precede this one "ports" the old test cases to the newer test file.
|
Added more test cases by moving over the test cases in the old cqlinjection.js (which was once moved to old/cqlinjection.js) and further split the test cases:
|
lcartey
requested changes
Jun 27, 2025
| * ```js | ||
| * const cds = require('@sap/cds') | ||
| * ``` | ||
| */ | ||
| /* TODO: Does the `cds` object imported with `"@sap/cds/lib"` also have shortcut to `cds.db`? */ |
There was a problem hiding this comment.
TODO still to follow up on?
| } | ||
|
|
||
| override CdlEntity getCqlDefinition() { | ||
| /* NOTE: the result may be multiple; but they are all identical so we don't really care. */ | ||
| result.getName() = | ||
| this.getEntities().(MethodCallNode).getArgument(0).getStringValue() + "." + entityName | ||
| } | ||
|
|
||
| override UserDefinedApplicationService getServiceDefinition() { | ||
| /* TODO: Always get the DB service definition. */ |
| parse = succ | ||
| ) | ||
| } | ||
| DataFlow::Node getQueryOfSink(DataFlow::Node sink) { |
There was a problem hiding this comment.
Could we create a CQLSink class with a getQuery predicate, instead of duplicating this logic between the isSink definition for the dataflow configuration and this predicate.
| exists(CdsFacade cds | not cds.isFromCdsLib() | | ||
| this = cds.getMember("db").asSource() or | ||
| this = cds.asSource() | ||
| ) |
There was a problem hiding this comment.
The logic in this characteristic predicate is quite similar to the CdsDb class:
- Can we combine the two definitions?
- Are they intended to be different?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR contributes
Improve CQL Injection Query.
CqlQueryRunnerCallnow expands and replacesTaintedCqlClause, now coveringcds.run,cds.db.run,srv.run, andtx.run..runand property readentities:EntityEntryis "absorbed" intoEntityReference. Plus,EntityReferencenow covers more examples, namely,cdsas a shortcut tocds.db.Add robust test cases (This is the gist of this PR, please take a look for the behavioral summary description of what this PR aims to implement).
cds.runand friends.await-ing the query.this.runand friends.Service2.runand friends.cds.ql.cds.parse.cql.CQL.Service2.tx( tx => tx.run(...) )and friends.this.tx( tx => tx.run(...) )and friends.cds.tx( tx => tx.run(...) )and friends.cds.db.tx( tx => tx.run(...) )and friends.Future works
cds.read(...).from(...), only thecds.read(...)part is alerted on, where the entire chained method call is more desirable as a alert location.SensitiveExposure.qlseems to be quite brittle, it needs a rewrite. This PR only updates the query's reference to old definitions that are no longer available.