Improve CQL Injection Query #200
base: main
Conversation
Will fix later
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
… duplicate old test case
These are combined into the new CQL injection test file to avoid confusion; the few commits that precede this one "port" the old test cases to the newer test file.
Added more test cases by moving over the test cases in the old cqlinjection.js (which was once moved to old/cqlinjection.js) and further split the test cases:
I've completed a partial review, with some initial comments.
````ql
 * ```js
 * const cds = require('@sap/cds')
 * ```
 */
/* TODO: Does the `cds` object imported with `"@sap/cds/lib"` also have shortcut to `cds.db`? */
````
TODO still to follow up on?
```ql
}

override CdlEntity getCqlDefinition() {
  /* NOTE: the result may be multiple; but they are all identical so we don't really care. */
  result.getName() =
    this.getEntities().(MethodCallNode).getArgument(0).getStringValue() + "." + entityName
}

override UserDefinedApplicationService getServiceDefinition() {
  /* TODO: Always get the DB service definition. */
```
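Review bot: `getCqlDefinition()` has no result for the property-read form of `entities`, because `this.getEntities().(MethodCallNode).getArgument(0).getStringValue()` only holds when `entities` is a call with a string-valued first argument; the PR description says `EntityReference` now covers the `entities` property read, so either add a branch for the no-argument form (resolving the entity name without a namespace prefix) or document in the NOTE that such references deliberately yield no `CdlEntity`. The NOTE about multiple identical results would also be clearer as a predicate restricted to one representative, so callers do not have to know the duplication is harmless.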
TODO - still to complete?
```ql
    parse = succ
  )
}

DataFlow::Node getQueryOfSink(DataFlow::Node sink) {
```
Could we create a `CQLSink` class with a `getQuery` predicate, instead of duplicating this logic between the `isSink` definition for the dataflow configuration and this predicate?
```ql
exists(CdsFacade cds | not cds.isFromCdsLib() |
  this = cds.getMember("db").asSource() or
  this = cds.asSource()
)
```
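Review bot: the `not cds.isFromCdsLib()` guard silently drops both `cds.db` and the bare `cds` shortcut for code that imports `@sap/cds/lib`, which is exactly the open question in the earlier TODO ("Does the `cds` object imported with `"@sap/cds/lib"` also have shortcut to `cds.db`?"). If that import does expose `cds.db`, queries run through it are missed sinks; either resolve the TODO before keeping the guard, or restrict only the `cds.asSource()` shortcut and keep `cds.getMember("db").asSource()` for both import forms, with a comment stating which behaviour is intended.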
The logic in this characteristic predicate is quite similar to the `CdsDb` class:
- Can we combine the two definitions?
- Are they intended to be different?
What this PR contributes

Improve CQL Injection Query.

- `CqlQueryRunnerCall` now expands and replaces `TaintedCqlClause`, now covering `cds.run`, `cds.db.run`, `srv.run`, and `tx.run`.
- `.run` and property read `entities`: `EntityEntry` is "absorbed" into `EntityReference`. Plus, `EntityReference` now covers more examples, namely `cds` as a shortcut to `cds.db`.
- Add robust test cases (this is the gist of this PR; please take a look at the behavioral summary description of what this PR aims to implement):
  - `cds.run` and friends.
  - `await`-ing the query.
  - `this.run` and friends.
  - `Service2.run` and friends.
  - `cds.ql`.
  - `cds.parse.cql`.
  - `CQL`.
  - `Service2.tx( tx => tx.run(...) )` and friends.
  - `this.tx( tx => tx.run(...) )` and friends.
  - `cds.tx( tx => tx.run(...) )` and friends.
  - `cds.db.tx( tx => tx.run(...) )` and friends.

Future work

- `cds.read(...).from(...)`: only the `cds.read(...)` part is alerted on, where the entire chained method call is more desirable as an alert location.
- `SensitiveExposure.ql` seems to be quite brittle; it needs a rewrite. This PR only updates the query's reference to old definitions that are no longer available.
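An added example (mine, not code from this PR or from `@sap/cds`) contrasting the two query shapes that the test cases above exercise at `cds.run` / `srv.run` / `tx.run`: a CQL string assembled from request data, which is the injection the query alerts on, versus a CQN object that keeps the request data in a `val` node and is bound as a parameter. The `Books` entity, the `title` field, the hostile input and the `renderCqn` helper are constructed stand-ins for what a database adapter does; the block does not load `@sap/cds`.

```javascript
// Constructed request data: what a client could send as `?title=...`.
const HOSTILE_TITLE = "x' OR 1=1 --";

// VULNERABLE: string concatenation builds the CQL text itself. Passed to
// `cds.run(...)` / `srv.run(...)` / `tx.run(...)`, the attacker-controlled text
// becomes part of the query structure (this is the sink the query flags).
function buildCqlUnsafe(title) {
  return `SELECT from Books where title = '${title}'`;
}

// HARDENED: build a CQN object instead. The title only ever appears as
// `{ val: ... }`, which the database layer binds as a parameter rather than
// splicing into the query text.
function buildCqnSafe(title) {
  return {
    SELECT: {
      from: { ref: ["Books"] },
      where: [{ ref: ["title"] }, "=", { val: title }],
    },
  };
}

// Constructed stand-in for a parameterizing adapter: render the CQN `where`
// list to SQL text with `?` placeholders and return the bound values separately.
function renderCqn(cqn) {
  const sel = cqn.SELECT;
  const params = [];
  const where = sel.where.map((tok) => {
    if (typeof tok === "string") return tok;                // operator
    if ("ref" in tok) return tok.ref.join(".");             // column reference
    if ("val" in tok) { params.push(tok.val); return "?"; } // bound value
    throw new Error("unsupported CQN token");
  });
  return {
    sql: `SELECT * FROM ${sel.from.ref.join(".")} WHERE ${where.join(" ")}`,
    params,
  };
}

// Cheap structural check: count `OR` tokens in query text. The hostile input
// adds one to the concatenated string but none to the parameterized form.
function orCount(text) {
  return (text.match(/\bOR\b/gi) || []).length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildCqlUnsafe(HOSTILE_TITLE));
  console.log(renderCqn(buildCqnSafe(HOSTILE_TITLE)));
}
```

`buildCqlUnsafe` is the shape the new `CqlQueryRunnerCall` sink family is meant to catch once request data flows into it; `buildCqnSafe` is what a fixed handler should hand to `srv.run`, since the value never becomes query text.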