Implement queries for authentication / authorization related issues #113

Merged
merged 82 commits into from
Aug 12, 2024
Changes from 70 commits
5971d61
Add class `AuthenticationStrategy`
jeongsoolee09 Apr 11, 2024
d18ccfb
Refactor and add some predicates
jeongsoolee09 Apr 11, 2024
3b3fc24
Minor comment reflow
jeongsoolee09 Apr 12, 2024
9bb88cf
Add `NonProductionStrategyUsed.ql`
jeongsoolee09 Apr 12, 2024
4301952
Merge branch 'main' into jeongsoolee09/auth-queries
jeongsoolee09 Apr 12, 2024
a673eef
Merge branch 'main' into jeongsoolee09/auth-queries
jeongsoolee09 Apr 29, 2024
c44d9f8
Add `DefaultUserIsPrivileged.ql`
jeongsoolee09 Apr 29, 2024
9611102
Merge branch 'jeongsoolee09/auth-queries' of https://github.com/advan…
jeongsoolee09 Apr 29, 2024
845de60
Remove unnecessary type cast
jeongsoolee09 Apr 29, 2024
ee5c36a
Add `CustomPrivilegedUser`
jeongsoolee09 Apr 29, 2024
b44ac70
Debug `CqlClause`
jeongsoolee09 Apr 30, 2024
d995fec
Add member predicate `flow/0`
jeongsoolee09 Apr 30, 2024
3419af7
Add `authz-annotations` model tests
jeongsoolee09 May 1, 2024
056e0ef
Add model test for transactions
jeongsoolee09 Jun 14, 2024
913057f
Update scripts
jeongsoolee09 Jun 14, 2024
c99884c
Add classes to reason about `@restricts`
jeongsoolee09 Jun 15, 2024
aec2c5c
Add `CdsTransaction`
jeongsoolee09 Jun 15, 2024
d5931ff
Update CQL.qll
jeongsoolee09 Jun 16, 2024
7acf540
Debug `TCqlClause` and add type related predicates
jeongsoolee09 Jun 16, 2024
4286348
Minor comment formatting
jeongsoolee09 Jun 16, 2024
600d299
Debug getAnExecutedCqlClause
jeongsoolee09 Jun 17, 2024
5c8c9da
Add FP/Error/Warning on the cases
jeongsoolee09 Jun 24, 2024
7d911ac
Debug PoC of dynamically-generated-privileged
jeongsoolee09 Jun 24, 2024
44ee421
Minor comment
jeongsoolee09 Jun 25, 2024
4219abe
Minor comment
jeongsoolee09 Jun 25, 2024
d228638
Add `CdsReference`
jeongsoolee09 Jun 25, 2024
15839c3
Initial commit of `entityreference.js`
jeongsoolee09 Jun 25, 2024
4451e0b
Add test `entityreference`
jeongsoolee09 Jun 25, 2024
14ff647
Update entityreference.js
jeongsoolee09 Jun 25, 2024
67f9754
Loop over only directories
jeongsoolee09 Jun 25, 2024
d248f14
Don't use `VarDef` for global var, use typetracker
jeongsoolee09 Jun 26, 2024
d1b8b86
Fix expected results of unit tests
jeongsoolee09 Jun 26, 2024
f4976ae
Remove unneeded `entityreference.js` file
jeongsoolee09 Jun 26, 2024
c11573f
Add `CqlSelectClause.getAccessingEntityDefinition`
jeongsoolee09 Jun 27, 2024
011695e
Implement `getAccessingEntityDefinition` for all types of clauses
jeongsoolee09 Jun 27, 2024
70c5d33
Use getStringValue instead of StringLiteral.getValue
jeongsoolee09 Jul 1, 2024
fc21680
Directly use getStringValue before getting expr
jeongsoolee09 Jul 1, 2024
f24f2c8
Refactor
jeongsoolee09 Jul 1, 2024
946caba
Found a possible bug in CAP?
jeongsoolee09 Jul 1, 2024
2cf2c9e
Refactor and add some classes
jeongsoolee09 Jul 2, 2024
85d4eb1
Add more interesting cases
jeongsoolee09 Jul 2, 2024
5dfb060
Remove unnecessary comments
jeongsoolee09 Jul 2, 2024
1c85885
Minor
jeongsoolee09 Jul 2, 2024
7db2150
Add isSelectFrom/1, isProjectionOn/1
jeongsoolee09 Jul 2, 2024
a73ea78
update
jeongsoolee09 Jul 3, 2024
4f3522d
Draft of belongsToServiceWithNoAuthn and inherits
jeongsoolee09 Jul 3, 2024
4f539d4
Debug draft
jeongsoolee09 Jul 3, 2024
e19ebeb
Don't use a clickable link
jeongsoolee09 Jul 3, 2024
521e58c
Drafting `ConditionalStatement`
jeongsoolee09 Jul 3, 2024
927ddf1
Add `getAThenBranchExpr` and accompanying test
jeongsoolee09 Jul 3, 2024
03a92e9
Debug `LogicalShortCircuitStatement`
jeongsoolee09 Jul 8, 2024
7cb62c5
Some comments
jeongsoolee09 Jul 8, 2024
7430d2c
Restructure and move classes around
jeongsoolee09 Jul 8, 2024
d490463
Expose `getConditionExpr` at the abstract level
jeongsoolee09 Jul 9, 2024
a74b6c5
Finalize `CdlElementWithJsAuthn`
jeongsoolee09 Jul 9, 2024
d2dc811
Debug `CdlElementWithoutAuthn`
jeongsoolee09 Jul 9, 2024
0c39f09
Finalize `EntityExposedWithoutAuthn`
jeongsoolee09 Jul 9, 2024
92dd74b
Cover case of `cds.serve`
jeongsoolee09 Jul 10, 2024
a941e63
Merge branch 'main' into jeongsoolee09/auth-queries
jeongsoolee09 Jul 23, 2024
1a0598f
Remove unnecessary README
jeongsoolee09 Jul 26, 2024
42a9f8d
Merge branch 'jeongsoolee09/auth-queries' of github.com:advanced-secu…
jeongsoolee09 Jul 26, 2024
0b0f3a5
Merge branch 'main' into jeongsoolee09/auth-queries
jeongsoolee09 Jul 26, 2024
4a31a93
Add .expected
jeongsoolee09 Jul 29, 2024
6711c12
Merge branch 'jeongsoolee09/auth-queries' of github.com:advanced-secu…
jeongsoolee09 Jul 29, 2024
b0d065a
Update remoteflowsource test
jeongsoolee09 Jul 29, 2024
6eb001e
Remove test authz-annotations
jeongsoolee09 Jul 29, 2024
c1c409c
Fix test cqlinjection.qlref
jeongsoolee09 Jul 29, 2024
ddafa0e
Update sarif.expected
jeongsoolee09 Jul 29, 2024
095eef2
Debug remoteflowsources
jeongsoolee09 Jul 29, 2024
bd408f7
Debug Conditionals.qll and add more unit tests
jeongsoolee09 Jul 29, 2024
476db60
Debug `ServiceInstanceFromCdsConnectTo.getASrvMethodCall/0`
jeongsoolee09 Jul 31, 2024
b9b13a1
Don't ignore the compiled `.cds.json`
jeongsoolee09 Jul 31, 2024
6ba1f13
Remove DynamicallyGeneratedPrivileged and d test case
jeongsoolee09 Aug 7, 2024
e32a839
Update javascript/frameworks/cap/src/bad-authn-authz/EntityExposedWit…
jeongsoolee09 Aug 7, 2024
1f34a44
Merge branch 'main' into jeongsoolee09/auth-queries
jeongsoolee09 Aug 8, 2024
ed9f529
Update `.expected` files
jeongsoolee09 Aug 8, 2024
b735789
Debug and update `.expected`
jeongsoolee09 Aug 8, 2024
2757306
add missing .cds.json
jeongsoolee09 Aug 8, 2024
0215c2f
Revert "add missing .cds.json"
jeongsoolee09 Aug 8, 2024
08819d7
Revert "Don't ignore the compiled `.cds.json`"
jeongsoolee09 Aug 8, 2024
bf2ee00
Update javascript.sarif.expected
jeongsoolee09 Aug 8, 2024
1a4f8b6
Fill in `@description` of `EntityExposedWithoutAuthn`
jeongsoolee09 Aug 9, 2024
2 changes: 1 addition & 1 deletion .github/workflows/javascript.sarif.expected

Large diffs are not rendered by default.

@@ -0,0 +1,170 @@
import advanced_security.javascript.frameworks.cap.CDS
import advanced_security.javascript.frameworks.cap.CDL
import advanced_security.javascript.frameworks.cap.Conditionals

abstract class CdlElementWithoutAuthn instanceof CdlElement {
string toString() { result = super.toString() }

Location getLocation() { result = super.getLocation() }
}

abstract class CdlElementWithoutCdsAuthn extends CdlElementWithoutAuthn instanceof CdlElement {
CdlElementWithoutCdsAuthn() { this.hasNoCdsAccessControl() }
}

class CdlServiceWithoutCdsAuthn extends CdlElementWithoutCdsAuthn instanceof CdlService { }

class CdlEntityWithoutCdsAuthn extends CdlElementWithoutCdsAuthn instanceof CdlEntity {
CdlEntityWithoutCdsAuthn() {
this.belongsToServiceWithNoAuthn()
or
exists(CdlEntityWithoutCdsAuthn otherCdlEntityWithoutCdsAuthn |
this.inherits(otherCdlEntityWithoutCdsAuthn)
)
}
}

class CdlActionWithoutCdsAuthn extends CdlElementWithoutCdsAuthn instanceof CdlAction {
CdlActionWithoutCdsAuthn() { this.belongsToServiceWithNoAuthn() }
}

class CdlFunctionWithoutCdsAuthn extends CdlElementWithoutCdsAuthn instanceof CdlAction {
CdlFunctionWithoutCdsAuthn() { this.belongsToServiceWithNoAuthn() }
}

class CdlElementProtectionWithHandlerRegistration instanceof HandlerRegistration {
string toString() { result = super.toString() }

predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
super.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}

CdlElementProtectionWithHandlerRegistration() {
(
this.isBefore()
or
this.isOn()
) and
exists(Handler handler, ConditionalExprOrStatement exprOrStmt |
handler = this.getHandler() and
(
exprOrStmt = handler.getFunction().getBody() or
exprOrStmt = handler.getFunction().getABodyStmt()
)
|
exprOrStmt.getConditionExpr().getAChildExpr*().flow() instanceof RequestUserIs and
exists(CdsRequest req |
exprOrStmt.getPolarity() = true and
exprOrStmt.getAnElseBranchExpr() = req.getARejectCall().asExpr()
or
exprOrStmt.getPolarity() = false and
exprOrStmt.getAThenBranchExpr() = req.getARejectCall().asExpr()
)
)
}

string getEntityName() { result = super.getEntityName() }

string getAnEventName() { result = super.getAnEventName() }
}

abstract class CdlElementWithJsAuthn instanceof CdlElement {
string toString() { result = super.toString() }

Location getLocation() { result = super.getLocation() }
}

class CdlServiceWithJsAuthn extends CdlElementWithJsAuthn instanceof CdlService {
CdlServiceWithJsAuthn() {
exists(CdlElementProtectionWithHandlerRegistration beforeOrOn |
this.getImplementation().getAHandlerRegistration() = beforeOrOn or
this.getCdsServeCall().getWithCall().getAHandlerRegistration() = beforeOrOn
|
beforeOrOn.getAnEventName() = "*"
)
}
}

class CdlEntityWithJsAuthn extends CdlElementWithJsAuthn instanceof CdlEntity {
CdlEntityWithJsAuthn() {
exists(CdlService service, CdlElementProtectionWithHandlerRegistration beforeOrOn |
this = service.getAnEntity() and
(
service.getImplementation().getAHandlerRegistration() = beforeOrOn or
service.getCdsServeCall().getWithCall().getAHandlerRegistration() = beforeOrOn
) and
beforeOrOn.getEntityName() = this.getUnqualifiedName()
)
}
}

class CdlActionWithJsAuthn extends CdlElementWithJsAuthn instanceof CdlAction {
CdlActionWithJsAuthn() {
exists(CdlService service, CdlElementProtectionWithHandlerRegistration beforeOrOn |
this = service.getAnAction() and
(
service.getImplementation().getAHandlerRegistration() = beforeOrOn or
service.getCdsServeCall().getWithCall().getAHandlerRegistration() = beforeOrOn
) and
beforeOrOn.getAnEventName() = this.getUnqualifiedName()
)
}
}

class CdlFunctionWithJsAuthn extends CdlElementWithJsAuthn instanceof CdlFunction {
CdlFunctionWithJsAuthn() {
exists(CdlService service, CdlElementProtectionWithHandlerRegistration beforeOrOn |
this = service.getAFunction() and
(
service.getImplementation().getAHandlerRegistration() = beforeOrOn or
service.getCdsServeCall().getWithCall().getAHandlerRegistration() = beforeOrOn
) and
beforeOrOn.getAnEventName() = this.getUnqualifiedName()
)
}
}

abstract class CdlElementWithoutJsAuthn extends CdlElementWithoutAuthn instanceof CdlElement { }

class CdlServiceWithoutJsAuthn extends CdlElementWithoutJsAuthn instanceof CdlService {
CdlServiceWithoutJsAuthn() { not this instanceof CdlServiceWithJsAuthn }
}

class CdlEntityWithoutJsAuthn extends CdlElementWithoutJsAuthn instanceof CdlEntity {
CdlEntityWithoutJsAuthn() { not this instanceof CdlEntityWithJsAuthn }
}

class CdlActionWithoutJsAuthn extends CdlElementWithoutJsAuthn instanceof CdlAction {
CdlActionWithoutJsAuthn() { not this instanceof CdlActionWithJsAuthn }
}

class CdlFunctionWithoutJsAuthn extends CdlElementWithoutJsAuthn instanceof CdlFunction {
CdlFunctionWithoutJsAuthn() { not this instanceof CdlFunctionWithJsAuthn }
}

/**
* The access to property `user` of a handler's request.
*/
class RequestUser extends SourceNode instanceof PropRef {
RequestUser() {
exists(Handler handler |
this.getBase().getALocalSource() = handler.getRequest() and
this.getPropertyName() = "user"
)
}
}

class RequestUserIs instanceof MethodCallNode {
string userRole;

RequestUserIs() {
exists(RequestUser requestUser |
this = requestUser.getAMethodCall("is") and
userRole = this.getArgument(0).getStringValue()
)
}

string toString() { result = super.toString() }
}
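
Review bot: `CdlFunctionWithoutCdsAuthn` is declared `instanceof CdlAction`, which looks like a copy-paste from `CdlActionWithoutCdsAuthn` directly above it, so the class ranges over actions rather than functions. The other function classes in this file (`CdlFunctionWithJsAuthn`, `CdlFunctionWithoutJsAuthn`) use `instanceof CdlFunction`, and this one should too. Separately, `RequestUserIs` binds `userRole` from the first argument of the `is` call but never exposes or constrains it, so `CdlElementProtectionWithHandlerRegistration` accepts a check against any role string as protection, while an `is` call whose argument has no constant string value is not matched at all. Consider adding a `getUserRole()` predicate, or dropping the field if the role is deliberately ignored. Most of the new classes also lack QLDoc; only `RequestUser` carries a comment.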