Put CQL query-relevant definitions in a query library

Author: jeongsoolee09

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPCqlInjectionQuery.qll

@@ -0,0 +1,80 @@
+import javascript
+import semmle.javascript.security.dataflow.SqlInjectionCustomizations
+import advanced_security.javascript.frameworks.cap.CQL
+import advanced_security.javascript.frameworks.cap.RemoteFlowSources
+
+/**
+ * A possibly tainted clause
+ * any clause with a string concatenation in it
+ * regardless of where that operand came from
+ */
+class TaintedClause instanceof CqlClause {
+  TaintedClause() { exists(StringConcatenation::getAnOperand(this.getArgument().flow())) }
+
+  string toString() { result = super.toString() }
+
+  Expr getArgument() { result = super.getArgument() }
+
+  Expr asExpr() { result = super.asExpr() }
+}
+
+/**
+ * Call to`cds.db.run`
+ * or
+ * an await surrounding a sql statement
+ */
+class CQLSink extends DataFlow::Node {
+  CQLSink() {
+    this = any(CdsFacade cds).getMember("db").getMember("run").getACall().getAnArgument()
+    or
+    exists(AwaitExpr a, CqlClause clause |
+      a.getAChildExpr() = clause.asExpr() and this.asExpr() = clause.asExpr()
+    )
+  }
+}
+
+/**
+ * a more heurisitic based taint step
+ * captures one of the alternative ways to construct query strings:
+ * `cds.parse.cql(`string`+userInput)`
+ * and considers them tainted if they've been concatenated against
+ * in any manner
+ */
+class ParseCQLTaintedClause extends CallNode {
+  ParseCQLTaintedClause() {
+    this = any(CdsFacade cds).getMember("parse").getMember("cql").getACall() and
+    exists(DataFlow::Node n |
+      n = StringConcatenation::getAnOperand(this.getAnArgument()) and
+      //omit the fact that the arg of cds.parse.cql (`SELECT * from Foo`)
+      //is technically a string concat
+      not n.asExpr() instanceof TemplateElement
+    )
+  }
+}
+
+class CqlIConfiguration extends TaintTracking::Configuration {
+  CqlIConfiguration() { this = "CqlInjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CQLSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof SqlInjection::Sanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    //string concatenation in a clause arg taints the clause
+    exists(TaintedClause clause |
+      clause.getArgument() = pred.asExpr() and
+      clause.asExpr() = succ.asExpr()
+    )
+    or
+    //less precise, any concat in the alternative sql stmt construction techniques
+    exists(ParseCQLTaintedClause parse |
+      parse.getAnArgument() = pred and
+      parse = succ
+    )
+  }
+}

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll

@@ -350,52 +350,3 @@ class CqlDeleteClause extends CqlClause {
     result.asDotExpr().getPropertyName() = "from"
   }
 }
-
-/**
- * A possibly tainted clause
- * any clause with a string concatenation in it
- * regardless of where that operand came from
- */
-class TaintedClause instanceof CqlClause {
-  TaintedClause() { exists(StringConcatenation::getAnOperand(this.getArgument().flow())) }
-
-  string toString() { result = super.toString() }
-
-  Expr getArgument() { result = super.getArgument() }
-
-  Expr asExpr() { result = super.asExpr() }
-}
-
-/**
- * Call to`cds.db.run`
- * or
- * an await surrounding a sql statement
- */
-class CQLSink extends DataFlow::Node {
-  CQLSink() {
-    this = any(CdsFacade cds).getMember("db").getMember("run").getACall().getAnArgument()
-    or
-    exists(AwaitExpr a, CqlClause clause |
-      a.getAChildExpr() = clause.asExpr() and this.asExpr() = clause.asExpr()
-    )
-  }
-}
-
-/**
- * a more heurisitic based taint step
- * captures one of the alternative ways to construct query strings:
- * `cds.parse.cql(`string`+userInput)`
- * and considers them tainted if they've been concatenated against
- * in any manner
- */
-class ParseCQLTaintedClause extends CallNode {
-  ParseCQLTaintedClause() {
-    this = any(CdsFacade cds).getMember("parse").getMember("cql").getACall() and
-    exists(DataFlow::Node n |
-      n = StringConcatenation::getAnOperand(this.getAnArgument()) and
-      //omit the fact that the arg of cds.parse.cql (`SELECT * from Foo`)
-      //is technically a string concat
-      not n.asExpr() instanceof TemplateElement
-    )
-  }
-}

javascript/frameworks/cap/src/cqlinjection/CqlInjection.ql

@@ -12,36 +12,7 @@
 
 import javascript
 import DataFlow::PathGraph
-import semmle.javascript.security.dataflow.SqlInjectionCustomizations::SqlInjection
-import advanced_security.javascript.frameworks.cap.CQL
-import advanced_security.javascript.frameworks.cap.RemoteFlowSources
-
-class CqlIConfiguration extends TaintTracking::Configuration {
-  CqlIConfiguration() { this = "CqlInjection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CQLSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    super.isSanitizer(node) or
-    node instanceof Sanitizer
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-    //string concatenation in a clause arg taints the clause
-    exists(TaintedClause clause |
-      clause.getArgument() = pred.asExpr() and
-      clause.asExpr() = succ.asExpr()
-    )
-    or
-    //less precise, any concat in the alternative sql stmt construction techniques
-    exists(ParseCQLTaintedClause parse |
-      parse.getAnArgument() = pred and
-      parse = succ
-    )
-  }
-}
+import advanced_security.javascript.frameworks.cap.CAPCqlInjectionQuery
 
 from CqlIConfiguration sql, DataFlow::PathNode source, DataFlow::PathNode sink
 where sql.hasFlowPath(source, sink)