Adds XSJS CSRF and authorization queries

javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/Xsaccess.qll

@@ -0,0 +1,11 @@
+import javascript
+
+class ExposedServiceAccessSpec extends File {
+  ExposedServiceAccessSpec() {
+    this.getBaseName() = "xs-app.json"
+    or
+    // we are only interested in exposed services
+    this.getBaseName() = ".xsaccess" and
+    any(JsonValue v | this = v.getJsonFile()).getPropValue("exposed").getBooleanValue() = false
+  }
+}

javascript/frameworks/xsjs/src/XSJSAuthentication/XSJSAuthentication.md

@@ -0,0 +1,23 @@
+# Broken XSJS authentication
+
+If you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.
+
+## Recommendation
+
+Use the built-in SAP HANA XS authentication mechanism and session management (cookies). For example, use the "authentication" keyword to enable an authentication method and set it according to the authentication method you want implement, for example: SAP logon ticket, form-based, or basic (user name and password) in the application's .xsaccess file, which ensures that all objects in the application path are available only to authenticated users.
+
+## Example
+
+The following `xs-app.json` fragment shows disabled XSJS authentication.
+
+``` javascript
+{
+  "welcomeFile": "index.html",
+  "authenticationMethod": "none",
+  "routes": [ ...
+```
+
+## References
+
+* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).
+* Common Weakness Enumeration: [CWE-287](https://cwe.mitre.org/data/definitions/287.html).

javascript/frameworks/xsjs/src/XSJSAuthentication/XSJSAuthentication.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Broken XSJS authentication
+ * @description Disabling XSJS authentication makes the application vulnerable to
+ *              unauthorized access.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id js/xsjs-broken-authentication
+ * @tags security
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.xsjs.Xsaccess
+
+from JsonValue value, string msg
+where
+  value.getJsonFile() instanceof ExposedServiceAccessSpec and
+  (
+    msg = "Authentication should not be disabled." and
+    exists(JsonValue v |
+      value = v.getPropValue(["authentication", "authenticationMethod", "authenticationType"])
+    |
+      value.getStringValue() = "none"
+      or
+      value instanceof JsonNull
+    )
+    or
+    // the authentication specification is missing from .xsaccess
+    msg = "Authentication is missing from the configuration." and
+    value.isTopLevel() and
+    value.getJsonFile().getBaseName() = ".xsaccess" and
+    not exists(JsonValue p |
+      p.getJsonFile() = value.getJsonFile() and
+      p.getPropValue("authentication") = any(JsonValue v)
+    )
+  )
+select value, msg

javascript/frameworks/xsjs/src/XSJSCsrfDisabled/XSJSCsrfDisabled.md

@@ -0,0 +1,25 @@
+# Disabled XSJS CSRF protection
+
+When you set up a web server to receive a request from a client without any mechanism for verifying that it was intentionally sent, then it is vulnerable to attack. An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
+
+## Recommendation
+
+When you use XSJS, Cross-Site Request Forgery (CSRF) protection is enabled by default. SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
+
+## Example
+
+The following `xs-app.json` fragment enables CSRF protection in XSJS.
+
+``` javascript
+"routes": [
+  {
+    "source": "/bad/(.*)",
+    "destination": "srv_api",
+    "csrfProtection": true,
+```
+
+## References
+
+* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
+* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
+* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).

javascript/frameworks/xsjs/src/XSJSCsrfDisabled/XSJSCsrfDisabled.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Disabled XSJS CSRF protection
+ * @description Disabling CSRF protection makes the application vulnerable to
+ *              a Cross-Site Request Forgery (CSRF) attack.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id js/xsjs-disabled-csrf-protection
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.xsjs.Xsaccess
+
+from JsonValue value
+where
+  value.getJsonFile() instanceof ExposedServiceAccessSpec and
+  exists(JsonValue v |
+    value = v.getPropValue(["prevent_xsrf", "csrfProtection"]) and
+    value.getBooleanValue() = false
+  )
+select value, "CSRF vulnerability due to protection being disabled."

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSAuthentication.expected

@@ -0,0 +1,4 @@
+| service/exposed/.xsaccess:4:23:4:26 | null | Authentication should not be disabled. |
+| service/missing_auth/.xsaccess:1:1:4:1 | {\\n    " ...  true\\n} | Authentication is missing from the configuration. |
+| service/xs-app.json:3:29:3:34 | "none" | Authentication should not be disabled. |
+| service/xs-app.json:15:35:15:40 | "none" | Authentication should not be disabled. |

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSAuthentication.qlref

@@ -0,0 +1 @@
+XSJSAuthentication/XSJSAuthentication.ql

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSCsrfDisabled.expected

@@ -0,0 +1,2 @@
+| service/exposed/.xsaccess:3:21:3:25 | false | CSRF vulnerability due to protection being disabled. |
+| service/xs-app.json:14:31:14:35 | false | CSRF vulnerability due to protection being disabled. |

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSCsrfDisabled.qlref

@@ -0,0 +1 @@
+XSJSCsrfDisabled/XSJSCsrfDisabled.ql

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess

@@ -0,0 +1,5 @@
+{
+    "exposed": true,
+    "prevent_xsrf": false,
+    "authentication": null
+}

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess

@@ -0,0 +1,5 @@
+{
+    "exposed": false,
+    "prevent_xsrf": false,
+    "authentication": null
+}

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess

@@ -0,0 +1,4 @@
+{
+    "exposed": false,
+    "prevent_xsrf": true
+}

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs

@@ -0,0 +1 @@
+var webRequest1 = $.request;

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json

@@ -0,0 +1,18 @@
+{
+    "welcomeFile": "index.html",
+    "authenticationMethod": "none",
+    "routes": [
+        {
+            "source": "/good/(.*)",
+            "destination": "srv_api",
+            "csrfProtection": true,
+            "authenticationType": "xsuaa"
+        },
+        {
+            "source": "/bad/(.*)",
+            "destination": "srv_api",
+            "csrfProtection": false,
+            "authenticationType": "none"
+        }
+    ]
+}