Merge pull request #94 from advanced-security/jeongsoolee09/cover-multi-service-log-i

Cover multi-service log injection

Author: jeongsoolee09

.github/workflows/code_scanning.yml

@@ -8,9 +8,11 @@ on:
     branches: [ "main" ]
   schedule:
     - cron: '39 12 * * 2'
-    
+  workflow_dispatch:
+
 env:
   LGTM_INDEX_XML_MODE: all
+  LGTM_INDEX_FILTERS: "include:**/*.json"
 
 jobs:
   analyze:
@@ -35,6 +37,24 @@ jobs:
           mv $dir .github/codeql/extensions/$dir
         done
 
+    - name: Ensure presence of cds shell command
+      run: |
+        if ! command -v cds &> /dev/null
+        then
+          npm install -g @sap/cds-dk
+        fi
+
+    # Compile .cds files to .cds.json files.
+    - name: Compile CAP CDS files
+      run: |
+        for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
+        do
+          echo "I am compiling $cds_file"
+          cds compile $cds_file \
+            -2 json \
+            -o "$cds_file.json"
+        done
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
@@ -46,17 +66,17 @@ jobs:
     - name: Perform CodeQL Analysis
       id: analyze
       uses: github/codeql-action/analyze@v3
-    
+
     - name: Setup Python
       uses: actions/setup-python@v5
       with:
-        python-version: '3.10' 
-   
+        python-version: '3.10'
+
     - uses: actions/cache@v4
       with:
         path: ~/.cache/pip
         key: ${{ runner.os }}-pip
-        
+
     - name: Validate results
       continue-on-error: true
       id: validate
@@ -66,7 +86,7 @@ jobs:
         sarif diff ${{ steps.analyze.outputs.sarif-output }} .github/workflows/javascript.sarif.expected -o sarif-diff.json
         cat sarif-diff.json
         ! grep -q "[1-9]" sarif-diff.json
-        
+
     - name: Upload sarif change
       if: steps.validate.outcome != 'success'
       uses: actions/upload-artifact@v4
@@ -75,10 +95,9 @@ jobs:
         path: |
           sarif-diff.json
           ${{ steps.analyze.outputs.sarif-output }}
-    
+
     - name: Unexpected Code Scanning results
       if: steps.validate.outcome != 'success'
       run: |
         cat sarif-diff.json
         echo "::error::Unexpected Code Scanning results!" && exit 1
-      

.github/workflows/javascript.sarif.expected

@@ -51,7 +51,7 @@ jobs:
         with:
           qlt-version: 'latest'
           add-to-path: true
-          
+
       - name: Install CodeQL
         id: install-codeql
         shell: bash
@@ -61,13 +61,13 @@ jobs:
           echo "-----------------------------"
           echo "CodeQL Home: $QLT_CODEQL_HOME"
           echo "CodeQL Binary: $QLT_CODEQL_PATH"
-          
+
       - name: Verify Versions of Tooling
         shell: bash
         run: |
           echo -e "Checking CodeQL Version:"
           $QLT_CODEQL_PATH --version
-                     
+
           echo -e "Checking QLT Version:"
           echo "QLT Home: ${{ steps.install-qlt.outputs.qlt-home }}"
           qlt version
@@ -77,6 +77,24 @@ jobs:
         run: |
           qlt query run install-packs
 
+      - name: Ensure presence of cds shell command
+        run: |
+          if ! command -v cds &> /dev/null
+          then
+            npm install -g @sap/cds-dk
+          fi
+
+      # Compile .cds files to .cds.json files.
+      - name: Compile CAP CDS files
+        run: |
+          for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
+          do
+            echo "I am compiling $cds_file"
+            cds compile $cds_file \
+              -2 json \
+              -o "$cds_file.json"
+          done
+
       - name: Run test suites
         id: run-test-suites
         env:
@@ -86,16 +104,17 @@ jobs:
           CODEQL_STDLIB_IDENT: ${{matrix.codeql_standard_library_ident}}
           RUNNER_TMP: ${{ runner.temp }}
           LGTM_INDEX_XML_MODE: all
+          LGTM_INDEX_FILTERS: "include:**/*.json"
 
         shell: bash
         run: >
-          qlt test run execute-unit-tests  
+          qlt test run execute-unit-tests
           --codeql-args "--threads=0 --strict-test-discovery"
-          --num-threads 2 
-          --language javascript 
-          --runner-os $RUNNER_OS 
+          --num-threads 2
+          --language javascript
+          --runner-os $RUNNER_OS
           --work-dir $RUNNER_TMP
-            
+
       - name: Upload test results
         uses: actions/upload-artifact@v2
         with:
@@ -119,12 +138,12 @@ jobs:
         with:
           qlt-version: 'latest'
           add-to-path: true
-        
+
 
       - name: Collect test results
         uses: actions/download-artifact@v2
 
       - name: Validate test results
-        run: |          
+        run: |
           qlt test run validate-unit-tests --pretty-print --results-directory . >> $GITHUB_STEP_SUMMARY
-          qlt test run validate-unit-tests --results-directory . 
+          qlt test run validate-unit-tests --results-directory .

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -0,0 +1,25 @@
+/**
+ * Definitions pertaining to the application as a whole.
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.PackageJson
+
+class RootDirectory extends Folder {
+  RootDirectory() {
+    exists(PackageJson packageJson | this = packageJson.getJsonFile().getParentContainer())
+  }
+
+  /**
+   * Gets the path of a file relative to this root directory.
+   */
+  string getFilePathRelativeToRoot(File file) {
+    result = file.getAbsolutePath().regexpReplaceAll(this.getAbsolutePath(), ".") and
+    result.charAt(0) = "."
+  }
+
+  /**
+   * Holds if this root directory of the application contains the given file.
+   */
+  predicate contains(File file) { exists(this.getFilePathRelativeToRoot(file)) }
+}

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/Application.qll

@@ -0,0 +1,47 @@
+import javascript
+import semmle.javascript.dataflow.DataFlow
+import semmle.javascript.security.dataflow.LogInjectionQuery
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+import advanced_security.javascript.frameworks.cap.CDS
+import advanced_security.javascript.frameworks.cap.dataflow.DataFlow
+
+/**
+ * A logger obtained by a call to `log` on a CDS facade. Each logger is associated with
+ * its unique name.
+ */
+class CdsLogger extends MethodCallNode {
+  string name;
+
+  CdsLogger() {
+    exists(CdsFacade cds |
+      this = cds.getMember("log").getACall() and
+      name = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue()
+    )
+  }
+
+  string getName() { result = name }
+}
+
+/**
+ * Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
+ */
+class CdsLogSink extends DataFlow::Node {
+  CdsLogSink() {
+    exists(CdsLogger log, MethodCallNode loggingMethod |
+      this = loggingMethod.getAnArgument() and
+      loggingMethod.getMethodName() = ["trace", "debug", "info", "log", "warn", "error"] and
+      not this.asExpr() instanceof Literal and
+      not this.asExpr() instanceof TemplateLiteral and
+      loggingMethod.getReceiver().getALocalSource() = log
+    )
+  }
+}
+
+class CAPLogInjectionConfiguration extends LogInjectionConfiguration {
+  override predicate isSource(DataFlow::Node start) {
+    super.isSource(start) or
+    start instanceof RemoteFlowSource
+  }
+
+  override predicate isSink(DataFlow::Node end) { end instanceof CdsLogSink }
+}