Merge pull request #137 from advanced-security/knewbury01/e2-pii-cap

Add fully qualified name matching on E2 sources

Author: knewbury01

.github/workflows/javascript.sarif.expected

@@ -142,6 +142,17 @@ class CdlAttribute extends JsonObject {
   string getName() { result = name }
 }
 
+/**
+ * a `CdlEntity` that is declared in a namespace
+ */
+class NamespacedEntity extends JsonObject instanceof CdlEntity {
+  string namespace;
+
+  NamespacedEntity() { this.getParent+().getPropValue("namespace").getStringValue() = namespace }
+
+  string getNamespace() { result = namespace }
+}
+
 /**
  * any `JsonValue` that has a `PersonalData` like annotation above it
  */

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -15,6 +15,32 @@ class CdsFacade extends API::Node {
   Node getNode() { result = this.asSource() }
 }
 
+/**
+ * A call to `entities` on a CDS facade.
+ */
+class CdsEntitiesCall extends API::Node {
+  CdsEntitiesCall() { exists(CdsFacade cds | this = cds.getMember("entities")) }
+}
+
+/**
+ * An entity instance obtained by the entity's namespace,
+ * via `cds.entities`
+ * ```javascript
+ * // Obtained through `cds.entities`
+ * const { Service1 } = cds.entities("sample.application.namespace");
+ * ```
+ */
+class EntityEntry extends DataFlow::CallNode {
+  EntityEntry() { exists(CdsEntitiesCall c | c.getACall() = this) }
+
+  /**
+   * Gets the namespace that this entity belongs to.
+   */
+  string getNamespace() {
+    result = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue()
+  }
+}
+
 /**
  * A call to `serve` on a CDS facade.
  */

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -6,7 +6,7 @@
  * @problem.severity warning
  * @security-severity 7.5
  * @precision medium
- * @id javascript/sensitive-log
+ * @id js/sensitive-log
  * @tags security
  *       external/cwe/cwe-532
  */
@@ -16,19 +16,41 @@ import advanced_security.javascript.frameworks.cap.CDS
 import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
 import DataFlow::PathGraph
 
-class SensitiveExposureSource extends DataFlow::Node {
-  SensitiveExposureSource() {
-    exists(PropRead p, SensitiveAnnotatedElement c |
-      p.getPropertyName() = c.getName() and
-      this = p
-    )
+SourceNode entityAccesses(TypeTracker t, string entityNamespace) {
+  t.start() and
+  exists(EntityEntry e | result = e and entityNamespace = e.getNamespace())
+  or
+  exists(TypeTracker t2 | result = entityAccesses(t2, entityNamespace).track(t2, t))
+}
+
+SourceNode entityAccesses(string entityNamespace) {
+  result = entityAccesses(TypeTracker::end(), entityNamespace)
+}
+
+class SensitiveExposureFieldSource extends DataFlow::Node {
+  SensitiveAnnotatedAttribute cdsField;
+  SensitiveAnnotatedEntity entity;
+  string namespace;
+
+  SensitiveExposureFieldSource() {
+    this = entityAccesses(namespace).getAPropertyRead().getAPropertyRead() and
+    //field name is same as some cds declared field
+    this.(PropRead).getPropertyName() = cdsField.getName() and
+    //entity name is the same as some cds declared entity
+    entityAccesses(namespace).getAPropertyRead().toString() = entity.getShortName() and
+    //and that field belongs to that entity in the cds
+    entity.(CdlEntity).getAttribute(cdsField.getName()) = cdsField and
+    //and the namespace is the same (fully qualified id match)
+    entity.(NamespacedEntity).getNamespace() = namespace
   }
 }
 
 class SensitiveLogExposureConfig extends TaintTracking::Configuration {
   SensitiveLogExposureConfig() { this = "SensitiveLogExposure" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof SensitiveExposureSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof SensitiveExposureFieldSource
+  }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
 }