Checkpoint

Author: jeongsoolee09

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDS.qll

@@ -551,9 +551,21 @@ class ES6ApplicationServiceDefinition extends ClassNode, UserDefinedApplicationS
 
 /**
  * Subclassing `cds.ApplicationService` via a call to `cds.service.impl`.
- * ```js
+ * e.g.1. Given this code:
+ * ``` javascript
  * const cds = require('@sap/cds')
- * module.exports = cds.service.impl (function() { ... })
+ * module.exports = cds.service.impl (function() {
+ *   this.on("SomeEvent1", (req) => { ... })
+ * })
+ * ```
+ * This class captures the call `cds.service.impl (function() { ... })`.
+ * 
+ * e.g.2. Given this code:
+ * ``` javascript
+ * const cds = require('@sap/cds')
+ * module.exports = cds.service.impl ((srv) => {
+ *   srv.on("SomeEvent1", (req) => { ... })
+ * })
  * ```
  */
 class ImplMethodCallApplicationServiceDefinition extends MethodCallNode,

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/RemoteFlowSources.qll

@@ -56,7 +56,9 @@ class UserProvidedPropertyReadOfHandlerParameterOfExposedService extends RemoteF
 
   UserProvidedPropertyReadOfHandlerParameterOfExposedService() {
     /* 1. `req.(data|params|headers|id)` */
-    this = handlerParameterOfExposedService.getAPropertyRead(["data", "params", "headers", "id"])
+    this =
+      handlerParameterOfExposedService
+          .getAPropertyRead(["data", "params", "headers", "id", "_queryOptions"])
     or
     /* 2. APIs stemming from `req.http.req`: Defined by Express.js */
     exists(PropRead reqHttpReq |