Conversation

jeongsoolee09
Contributor

@jeongsoolee09 jeongsoolee09 commented Feb 15, 2024

What this PR contributes

Add five additional log injection cases

log-injection-without-protocol-none

True positive case with two problematic flows.

  • Action send1 of Service1 containing a string can be triggered from outside by OData
  • Action send2 of Service2 containing a string can be triggered from outside by OData
  • Upon receiving action send1, Service1 sends send2 of Service2 with the data it received with send1
  • Upon receiving action send2, Service2 logs the data to the standard output

log-injection-with-service1-protocol-none

True positive case with one problematic flow.

  • Action send1 of Service1 containing a string can be triggered from outside by OData
  • Action send2 of Service2 containing a string cannot be triggered from outside by OData
  • Upon receiving action send1, Service1 sends send2 of Service2 with the data it received with send1
  • Upon receiving action send2, Service2 logs the data to the standard output

log-injection-with-service2-protocol-none

True positive case with one problematic flow.

  • Action send1 of Service1 containing a string cannot be triggered from outside by OData
  • Action send2 of Service2 containing a string can be triggered from outside by OData
  • Upon receiving action send1, Service1 sends send2 of Service2 with the data it received with send1
  • Upon receiving action send2, Service2 logs the data to the standard output

log-injection-with-complete-protocol-none

False positive case with no problematic flows.

  • Action send1 of Service1 containing a string cannot be triggered from outside by OData
  • Action send2 of Service2 containing a string cannot be triggered from outside by OData
  • Upon receiving action send1, Service1 sends send2 of Service2 with the data it received with send1
  • Upon receiving action send2, Service2 logs the data to the standard output

log-injection-not-depending-on-request

False positive case with no problematic flows.

  • Action send1 of Service1 containing a string can be triggered from outside by OData, but the data is not consumed
  • Action send2 of Service2 containing a string cannot be triggered from outside by OData
  • Upon receiving action send1, Service1 freshly creates a Datetime object and sends send2 of Service2 with it
  • Upon receiving action send2, Service2 logs the data to the standard output

Add more vocabularies

  • Augment CDS.qll with more classes
  • Add CDL.qll to reason about .cds files compiled to .json
  • Add Application.qll to reason about the application as a whole, e.g. the root directory of the application.
  • Add PackageJson.qll to reason about CAP-specific manifests in the "cds" section of the package.json file.

Move definitions to dataflow directory

This is to more closely resemble the structure of the standard library.

  • dataflow/DataFlow.qll, whose import path is advanced_security.javascript.frameworks.cap.dataflow.DataFlow, contains all security-related DataFlow::Nodes or relations between them.
  • dataflow/FlowSteps.qll, whose import path is advanced_security.javascript.frameworks.cap.dataflow.FlowSteps, contains additional flow steps to be registered to DataFlow::SharedFlowStep.
    • A major contribution in this aspect is the modeling of a flow step between two services either via REST-style or CRUD-style API, or emitting and subscribing of events.

Move log injection customizations to CAPLogInjectionQuery.qll

This is to more closely resemble the structure of the standard library.
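The two-service flow the test cases above describe (an OData-triggered action send1 on Service1 forwarding its payload to send2 on Service2, whose handler writes it to the log), as an added example that is not code from this PR or from the codeql-sap-js project. It stands the CAP wiring in with plain objects so it runs without @sap/cds: where the real application would use cds.connect.to('Service2') and srv.send('send2', data), the mock services here call each other directly. The names makeService1, makeService2, makeLog, runFlow, sanitizeForLog and the payload string are all constructed for this example. The point it shows is the sink side: the unsanitised handler lets a single request value with an embedded newline appear as two log entries, while the hardened handler encodes control characters so the forged line cannot be mistaken for a separate record.

```javascript
// Added example (not from the codeql-sap-js PR): a mock of the send1 -> send2
// forwarding flow with a log-injection sanitizer on the logging sink.
// Real CAP code would use cds.connect.to('Service2') and srv.send('send2', data);
// the services are plain objects here so this runs without @sap/cds.

// Neutralise characters that let a request value forge extra log lines or hide
// text in a terminal: CR, LF, the other C0 control characters and DEL.
// Each one is encoded as \xNN so the log still records that it was present.
function sanitizeForLog(value) {
  return String(value).replace(/[\u0000-\u001f\u007f]/g, (ch) =>
    '\\x' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// In-memory log sink standing in for cds.log(...).info / console.log.
function makeLog() {
  const lines = [];
  return {
    lines,
    info: (msg) => lines.push(`[INFO] ${msg}`),
  };
}

// Service2: exposes action send2 and logs the data it receives.
// `sanitize` selects the vulnerable (false) or hardened (true) handler.
function makeService2(log, sanitize) {
  return {
    handlers: {
      send2: (req) => {
        const msg = sanitize ? sanitizeForLog(req.data.message) : req.data.message;
        log.info(`send2 received: ${msg}`);
      },
    },
    send(action, data) { this.handlers[action]({ data }); },
  };
}

// Service1: exposes action send1 and forwards the payload unchanged to
// Service2.send2 (the "log-injection-without-protocol-none" shape).
function makeService1(service2) {
  return {
    handlers: {
      send1: (req) => service2.send('send2', { message: req.data.message }),
    },
    send(action, data) { this.handlers[action]({ data }); },
  };
}

// Drive one externally supplied request through send1 and return the log lines.
function runFlow(message, sanitize) {
  const log = makeLog();
  const svc2 = makeService2(log, sanitize);
  const svc1 = makeService1(svc2);
  svc1.send('send1', { message });
  return log.lines;
}

// Constructed request payload: a value carrying an embedded newline followed by
// text shaped like a log record. In the unsanitised sink it reads as two entries.
const CONSTRUCTED_PAYLOAD = 'hello\n[INFO] send2 received: forged';

console.log('--- unsanitised sink ---');
console.log(runFlow(CONSTRUCTED_PAYLOAD, false).join('\n'));
console.log('--- sanitised sink ---');
console.log(runFlow(CONSTRUCTED_PAYLOAD, true).join('\n'));
```

In the unsanitised run the log array holds one entry, but printing it shows two "[INFO]" lines, which is exactly what a reader of the log (or a log-parsing SIEM rule) cannot tell apart from two genuine events. In the sanitised run the newline survives only as the literal text `\x0a`, so the entry stays one line. A sanitizer of this kind is also the natural place for a CodeQL log-injection query to register a sanitizer node so the send1 -> send2 -> log path is no longer reported.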

@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review February 15, 2024 19:33
jeongsoolee09 and others added 26 commits March 20, 2024 16:52
…advanced-security/codeql-sap-js into jeongsoolee09/cover-multi-service-log-i
add `LGTM_INDEX_FILTERS: "include:**/*.json"` just in case
1. Ensure presence of cds shell command
2. Compile CAP CDS files
3. Initialize CodeQL
4. Perform CodeQL Analysis
…advanced-security/codeql-sap-js into jeongsoolee09/cover-multi-service-log-i
@mbaluda mbaluda self-requested a review March 26, 2024 16:49
Contributor

@mbaluda mbaluda left a comment


LGTM!

@jeongsoolee09 jeongsoolee09 merged commit 3c8c240 into main Mar 26, 2024
@jeongsoolee09 jeongsoolee09 deleted the jeongsoolee09/cover-multi-service-log-i branch March 26, 2024 16:50