advanced-security · lcartey · Jan 16, 2025 · Apr 25, 2024 · Apr 25, 2024 · Sep 19, 2024
diff --git a/...frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/README.md b/...frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/README.md
@@ -0,0 +1,7 @@
+# Sanitized Log Injection
+
+This application demonstrates how a potential injection vulnerability is not reported if the data type definied in the service description is not strings.
+
+## It _is not_ a false positive case
+
+Service responds to a Received event and logs the data. However, the type of the message (Integer) does not allow for the injection to succeed.
diff --git a/...cript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds b/...cript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/db/schema.cds
@@ -0,0 +1,11 @@
+namespace advanced_security.log_injection.sample_entities;
+
+entity Entity1 {
+  Attribute1 : String(100);
+  Attribute2 : String(100)
+}
+
+entity Entity2 {
+  Attribute3 : String(100);
+  Attribute4 : String(100)
+}
diff --git a/...t/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected b/...t/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected
@@ -0,0 +1,3 @@
+nodes
+edges
+#select
diff --git a/...test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.qlref b/...test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.qlref
@@ -0,0 +1 @@
+loginjection/LogInjection.ql
diff --git a/...script/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/package.json b/...script/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/package.json
@@ -0,0 +1,20 @@
+{
+    "name": "@advanced-security/log-injection",
+    "version": "1.0.0",
+    "dependencies": {
+        "@sap/cds": "^7",
+        "express": "^4.17.1",
+        "@cap-js/sqlite": "*"
+    },
+    "scripts": {
+        "start": "cds-serve",
+        "watch": "cds watch"
+    },
+    "cds": {
+        "requires": {
+            "service": {
+                "impl": "srv/service.js"
+            }
+        }
+    }
+}
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js b/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/server.js
@@ -0,0 +1,4 @@
+const cds = require('@sap/cds');
+const app = require('express')();
+
+cds.serve('all').in(app);
diff --git a/...ipt/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds b/...ipt/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.cds
@@ -0,0 +1,11 @@
+using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
+
+service Service @(path: '/service') {
+  /* Entity to send READ/GET about. */
+  entity ServiceEntity as projection on db_schema.Entity2 excluding { Attribute4 }
+
+  /* API to talk to Service. */
+  action send (
+    messageToPass: Integer
+  ) returns String;
+}
diff --git a/...ript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js b/...ript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/srv/service.js
@@ -0,0 +1,11 @@
+const cds = require("@sap/cds");
+const LOG = cds.log("logger");
+
+module.exports = cds.service.impl(function() {
+    /* Log upon receiving an "send" event. */
+    this.on("send", async (msg) => {
+        const { messageToPass } = msg.data;
+        /* A log injection sink. */
+        LOG.info("Received: ", messageToPass); // messageToPass is Integer, not a log injection!
+  });
+})
-Original file line number
+Diff line change
@@ -0,0 +1,3 @@
+    nodes
+    edges
+    #select