Merge pull request #126 from advanced-security/knewbury01/e2-pii-cap

Add sensitive information exposure query

Author: knewbury01

.github/workflows/javascript.sarif.expected

@@ -33,6 +33,17 @@ abstract class CdlElement extends JsonObject {
   CdlAnnotation getAnAnnotation() { result = this.getAnnotation(_) }
 }
 
+class CdlEntityField extends CdlElement {
+  string name;
+  CdlKind kind;
+
+  CdlEntityField() { exists(CdlDefinition definition | this = definition.getElement(name)) }
+
+  override string getName() { result = name }
+
+  override CdlKind getKind() { result = kind }
+}
+
 class CdlService extends CdlElement {
   string name;
   CdlKind kind;
@@ -127,11 +138,46 @@ class CdlAttribute extends JsonObject {
   string getType() { result = this.getPropStringValue("type") }
 
   int getLength() { result = this.getPropValue("length").(JsonPrimitiveValue).getIntValue() }
+
+  string getName() { result = name }
+}
+
+/**
+ * any `JsonValue` that has a `PersonalData` like annotation above it
+ */
+abstract class SensitiveAnnotatedElement extends JsonValue {
+  abstract string getName();
 }
 
-abstract class CdlAnnotation extends JsonValue {
+class SensitiveAnnotatedEntity extends SensitiveAnnotatedElement instanceof CdlEntity {
+  SensitiveAnnotatedEntity() { exists(PersonalDataAnnotation a | a.getQualifiedElement() = this) }
+
+  override string getName() { result = this.(CdlEntity).getName() }
+
+  string getShortName() { result = this.getName().regexpCapture(".*\\.([^\\.]+$)", 1) }
+}
+
+class SensitiveAnnotatedAttribute extends SensitiveAnnotatedElement instanceof CdlAttribute {
+  SensitiveAnnotatedAttribute() {
+    exists(PersonalDataAnnotation a | a.getQualifiedElement() = this)
+  }
+
+  override string getName() { result = this.(CdlAttribute).getName() }
+}
+
+/**
+ * CDL annotations for PersonalData
+ */
+class PersonalDataAnnotation extends CdlAnnotation {
+  PersonalDataAnnotation() { this.getName().matches("PersonalData%") }
+}
+
+/**
+ * CDL annotations specifically associated to `CdlElement`s
+ */
+class CdlAnnotation extends JsonValue {
   string annotationName;
-  CdlElement element;
+  JsonValue element;
 
   CdlAnnotation() {
     this = element.getPropValue(annotationName) and
@@ -146,7 +192,7 @@ abstract class CdlAnnotation extends JsonValue {
   /**
    * Gets the CDL Element that this annotation is attached to.
    */
-  CdlElement getQualifiedElement() { result = element }
+  JsonValue getQualifiedElement() { result = element }
 }
 
 class ProtocolAnnotation extends CdlAnnotation {

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -0,0 +1,48 @@
+# CAP Insertion of Sensitive Information into Log File
+
+If sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.
+
+Data annotated as `@PersonalData` should not be logged.
+
+## Recommendation
+
+CAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.
+
+## Examples
+
+This CAP service directly logs the sensitive information.
+
+```cds
+namespace advanced_security.log_exposure.sample_entities;
+
+entity Sample {
+    name         : String(111);
+}
+
+// annotations for Data Privacy
+annotate Sample with
+@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }
+{
+  name  @PersonalData.IsPotentiallySensitive;
+}
+```
+
+``` javascript
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+const { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+        LOG.info("Received: ", Sample.name); // CAP log exposure alert
+    }
+}
+```
+
+## References
+
+- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).
+- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).
+- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).
+- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations).

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.md

@@ -0,0 +1,38 @@
+/**
+ * @name Insertion of sensitive information into log files
+ * @description Writing sensitive information to log files can allow that
+ *              information to be leaked to an attacker more easily.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id javascript/sensitive-log
+ * @tags security
+ *       external/cwe/cwe-532
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
+import DataFlow::PathGraph
+
+class SensitiveExposureSource extends DataFlow::Node {
+  SensitiveExposureSource() {
+    exists(PropRead p, SensitiveAnnotatedElement c |
+      p.getPropertyName() = c.getName() and
+      this = p
+    )
+  }
+}
+
+class SensitiveLogExposureConfig extends TaintTracking::Configuration {
+  SensitiveLogExposureConfig() { this = "SensitiveLogExposure" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof SensitiveExposureSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
+}
+
+from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink, source, sink, "Log entry depends on a potentially sensitive piece of information."

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql

@@ -0,0 +1,14 @@
+namespace advanced_security.log_exposure.sample_entities;
+
+entity Sample {
+    name         : String(111);
+    dateOfBirth  : Date;
+}
+
+// annotations for Data Privacy
+annotate Sample with
+@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }
+{
+  name  @PersonalData.IsPotentiallySensitive;
+  dateOfBirth     @PersonalData.IsPotentiallyPersonal; 
+}

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds

@@ -0,0 +1,8 @@
+nodes
+| sensitive-exposure.js:10:32:10:42 | Sample.name |
+| sensitive-exposure.js:10:32:10:42 | Sample.name |
+| sensitive-exposure.js:10:32:10:42 | Sample.name |
+edges
+| sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name |
+#select
+| sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name | Log entry depends on a potentially sensitive piece of information. |

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected

@@ -0,0 +1,13 @@
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+const { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+	/* A sensitive info log sink. */
+        
+        LOG.info("Received: ", Sample.name); // CAP log exposure alert
+    }
+
+}

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js

@@ -0,0 +1 @@
+sensitive-exposure/SensitiveExposure.ql