Merge branch 'main' into dependabot/npm_and_yarn/extractors/cds/tools/npm_and_yarn-a7dac938b8

Author: jeongsoolee09

javascript/frameworks/xsjs/src/XSJSAuthentication/XSJSAuthentication.md

@@ -1,28 +1,32 @@
-# Broken XSJS authentication
+# Authentication not enforced in HANA XS application
 
-If you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.
+This HANA XS application does not enforce authentication on the requests it handles.
+
+## Overview
+
+SAP HANA XS applications are called via HTTP requests to process a connected HANA database, and this makes it critical to authenticate the sender of the request. Failing to do so allows attackers to impersonate users and gain access to underlying systems and data.
 
 ## Recommendation
 
-Use the built-in SAP HANA XS authentication mechanism and session management (cookies). 
-- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected. 
-- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.
+Use the built-in SAP HANA XS authentication mechanism and session management (cookies).
+- If `XS Advanced` is used, authentication **is enabled by default**, and the `authenticationMethod` property indicates which authentication will be applied. However, avoid setting the property to something else than `none`, as doing so turns off all authentication on all routes.
+- If `XS Classic` is used, authentication is **not enabled by default**, so the `authentication` property in the application's `.xsaccess` file should be set to enable authentication. Set the value of the property according to the method you want to implement (`LogonTicket`, `Form`, or `Basic`).
 
 ## Example
 
-The following `xs-app.json` fragment shows disabled XSJS authentication.
+The fragment from an `xs-app.json` file shows the application in question having its authentication explicitly disabled.
 
 ```json
 {
   "welcomeFile": "index.html",
   "authenticationMethod": "none",
   ...
-}  
+}
 ```
 
 ## References
 
-* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).
-* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)
-* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)
-* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).
+- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).
+- SAP: [XS Advanced Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.
+- SAP: [Application-Access File Keyword Options: Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication), relevant to XS Classic applications.
+- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).

javascript/frameworks/xsjs/src/XSJSCsrfDisabled/XSJSCsrfDisabled.md

@@ -1,33 +1,37 @@
-# Disabled XSJS CSRF protection
+# CSRF protection disabled in HANA XS application
 
-A web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
+This XS application is not protected against CSRF (cross-site request forgery) because it either disables the protection or fails to enable the protection explicitly.
+
+## Overview
+
+A web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, `XMLHttpRequest`, etc. and can result in exposure of data or unintended code execution.
 
 ## Recommendation
 
-SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. 
-- In `XS Advanced` CSRF protection is enabled by default and should not be disabled. 
-- In `XS Classic` CSRF protection should be enabled explicitly. 
+SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
+- If `XS Advanced` is used, CSRF protection is configured with the `"csrfProtection"` property of `xs-app.json`. It is **enabled by default and should not be disabled.**
+- If `XS Classic` is used, CSRF protection is configured with the `"prevent_xsrf"` property of `.xsaccess`. It is **disabled by default and should be enabled explicitly.**
 
 ## Example
 
-The following `xs-app.json` fragment enables CSRF protection in XSJS.
+The following `xs-app.json` fragment disables CSRF protection of the application it configures.
 
 ```json
 "routes": [
-  {
-    "source": "/bad/(.*)",
-    "destination": "srv_api",
-    "csrfProtection": true,
-    ...
-  }
-]
+    {
+        "source": "/bad/(.*)",
+        "destination": "srv_api",
+        "csrfProtection": false,
+        ...
+    },
     ...
-  }
 ]
 ```
 
 ## References
 
-* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
-* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
-* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).
+- SAP: [XS Advanced Application Router Configuration Syntax](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03#loioa9fc5c220d744180850996e2f5d34d6c__section_N101F7_N10016_N10001), relavant to XS Classic applications.
+- SAP: [Application-Access File Keyword Options, prevent_xsrf](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod), relevant to XS Advanced applications.
+- SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
+- Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).
+- OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).