Implement UnnecessarilyGrantedPrivilegedAccessRights (#139)

- Add UnnecessarilyGrantedPrivilegedAccessRights.ql query.
- Fix wrong assumptions on cds.requires in test cases: previously cds.requires had service-1 and service-2.

Author: jeongsoolee09

.github/workflows/javascript.sarif.expected

@@ -0,0 +1,66 @@
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+
+/**
+ * A reference to an entity that is defined in this application.
+ */
+class LocalEntityReference instanceof EntityReference {
+  LocalEntityReference() { not this instanceof RemoteEntityReference }
+
+  string toString() { result = super.toString() }
+
+  Location getLocation() { result = super.getLocation() }
+
+  predicate hasRestrictedAccessControl() {
+    exists(RestrictCondition restrict |
+      restrict =
+        this.(EntityReference).getCqlDefinition().getRestrictAnnotation().getARestrictCondition()
+    |
+      not restrict.grantsToAnyone(_)
+    )
+  }
+}
+
+/**
+ * A reference to an entity that is not defined in this application and
+ * read from a service instance that is looked up with the name defined in
+ * package.json.
+ */
+class RemoteEntityReference instanceof EntityReference {
+  RemoteEntityReference() { not exists(this.getCqlDefinition()) }
+
+  string toString() { result = super.toString() }
+
+  Location getLocation() { result = super.getLocation() }
+}
+
+abstract class PrivilegedUserInstance extends DataFlow::NewNode { }
+
+class CdsUserPrivilegedProperty extends PrivilegedUserInstance {
+  CdsUserPrivilegedProperty() {
+    exists(CdsUser cdsUser |
+      this =
+        cdsUser.getInducingNode().(PropRead).getAPropertyRead("Privileged").getAnInstantiation()
+    )
+  }
+}
+
+class CustomPrivilegedUser extends ClassNode {
+  CustomPrivilegedUser() {
+    exists(CdsUser cdsUser | this.getASuperClassNode() = cdsUser.asSource()) and
+    exists(FunctionNode init |
+      init = this.getInstanceMethod("is") and
+      forall(Expr expr | expr = init.asExpr().(Function).getAReturnedExpr() |
+        expr.mayHaveBooleanValue(true)
+      )
+    )
+  }
+}
+
+class CustomPrivilegedUserInstance extends PrivilegedUserInstance, NewNode {
+  CustomPrivilegedUserInstance() {
+    exists(CustomPrivilegedUser customPrivilegedUserClass |
+      this = customPrivilegedUserClass.getAnInstantiation()
+    )
+  }
+}

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPUnnecessarilyGrantedPrivilegedAccessRightsQuery.qll

@@ -34,6 +34,15 @@ abstract class CdlElement extends JsonObject {
    */
   string getName() { result = name }
 
+  /**
+   * Gets the unqualified name of this CDL element without the leading namespace.
+   */
+  string getUnqualifiedName() {
+    exists(string qualifiedName | qualifiedName = this.getName() |
+      result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
+    )
+  }
+
   /**
    * Gets the kind of this CDL element.
    */
@@ -128,12 +137,6 @@ class CdlService extends CdlElement {
 class CdlEntity extends CdlElement {
   CdlEntity() { kind = CdlEntityKind(this.getPropStringValue("kind")) }
 
-  string getUnqualifiedName() {
-    exists(string qualifiedName | qualifiedName = this.getName() |
-      result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
-    )
-  }
-
   predicate isSelectFrom(CdlEntity otherEntity) {
     otherEntity.getName() =
       this.getPropValue("query")
@@ -166,24 +169,12 @@ class CdlEntity extends CdlElement {
 class CdlEvent extends CdlElement {
   CdlEvent() { kind = CdlEventKind(this.getPropStringValue("kind")) }
 
-  string getUnqualifiedName() {
-    exists(string qualifiedName | qualifiedName = this.getName() |
-      result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
-    )
-  }
-
   string getBasename() { result = name.splitAt(".", count(name.indexOf("."))) }
 }
 
 class CdlAction extends CdlElement {
   CdlAction() { kind = CdlActionKind(this.getPropStringValue("kind")) }
 
-  string getUnqualifiedName() {
-    exists(string qualifiedName | qualifiedName = this.getName() |
-      result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
-    )
-  }
-
   predicate belongsToServiceWithNoAuthn() {
     exists(CdlService service | service.hasNoCdsAccessControl() | this = service.getAnAction())
   }
@@ -194,12 +185,6 @@ class CdlFunction extends CdlElement {
 
   JsonObject getReturns() { result = this.getPropValue("returns") }
 
-  string getUnqualifiedName() {
-    exists(string qualifiedName | qualifiedName = this.getName() |
-      result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
-    )
-  }
-
   predicate belongsToServiceWithNoAuthn() {
     exists(CdlService service | service.hasNoCdsAccessControl() | this = service.getAFunction())
   }