Restrict RemoteFlowSource
of CAP to only some properties and method calls on it
#208
Merged: jeongsoolee09 merged 18 commits into main from jeongsoolee09/restrict-cap-remoteflowsource-properties on Aug 7, 2025
Conversation
- `service3nocds.js` had a service that was named differently. Clarified the gist of the file using tags.
- `service4.js` was identical to `service3nocds.js`, except for the `cds.serve` call. This is better suited for `server.js`.
- Since `HandlerParameterOfExposedService` is no longer a `RemoteFlowSource`, we place another query for testing it only.
- The case categorization is as follows:
  - `service1`: Exposed service with reads from properties and method calls, some of which are tainted and not tainted.
  - `service2`: Service that both receives data from service1 and service4 but does not propagate it further.
  - `service3`: Service without a CDS declaration, simulating extraction failure. Should be recognized as exposed, from overapproximation. Consists of identical property reads / method calls as those of `service1`.
  - `service4`: Service that is explicitly declared as internal only. Consists of identical property reads / method calls as those of `service1`, but is not a taint source from being unexposed.
The locations changed a little from altering the definition of `RemoteFlowSource` to the property reads of the parameter, not the parameter itself.
- `server.js` had a reference to a service that doesn't exist. Made it point to Service1 instead.
- Create expected results of `ExposedServices`, a complementary test to `RemoteFlowSource`.
The results from query predicates changed a little from altering the definition of `RemoteFlowSource` to the property reads of the parameter, not the parameter itself.
knewbury01 reviewed Aug 5, 2025: javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service4.js
data-douser reviewed Aug 5, 2025: ...oginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected
One minor question about an expected result.
knewbury01 reviewed Aug 5, 2025: javascript/frameworks/cap/test/models/cds/remoteflowsources/srv/service4withcds.js
Add a `cds.serve(...).with(...)` that expands the functionality of Service3, which lacks a CDS declaration. Since Service3 is missing a CDS declaration, all of the handlers registered in the `.with` method call should be considered as exposed.
knewbury01 approved these changes Aug 7, 2025:
lgtm! nice work, thanks!
What This PR Contributes

Refine the definition of the remote flow source of CAP

This PR refines the remote flow source of CAP by restricting the definition to reads of properties on the program elements previously detected as remote flow sources, namely, parameters of handlers belonging to a service that is exposed to a web protocol. This PR achieves it through the following changes:

- Make `HandlerParameterOfExposedService` no longer extend `RemoteFlowSource`, and add `UserProvidedPropertyReadOfHandlerParameterOfExposedService` and make it extend that instead.

Enhance unit tests in `remoteflowsources`

Tidy up the test project

The test project had several areas for improvement:

- `cds.serve(...).with(...)` calls are typically stored in a main entrypoint, so move it there (even if it's technically allowed to be placed anywhere).

Make another model test query

Also, this PR adds another complementary unit test, `ExposedServices`, that tests the class `HandlerParameterOfExposedService`, now demoted from being a remote flow source. It is still an important class, so we would want to still test if it is working properly.

Running the test locally

First, compile the `.cds` files by running the script `extractors/cds/tools/workflow/cds-compilation-for-actions.sh`. Then, run `export LGTM_INDEX_FILTERS=include:**/*.json` to enable JSON extraction for your shell session. You should be prepared to create the database with `codeql database create --language=javascript`.

Future Works

- `requesthandler`, and what it intends to test is already covered in this unit test. So, it can be safely deleted.
- `cds.serve(...)` can also accept a path string relative to the entrypoint of the root of the application, but it is not yet modeled. Modeling it can be a future work.