Merge pull request #144 from advanced-security/mbaluda/xsjs-access

Adds XSJS CSRF and authorization queries

Author: jeongsoolee09

.github/workflows/javascript.sarif.expected

@@ -0,0 +1,13 @@
+import javascript
+
+class ExposedServiceAccessSpec extends File {
+  ExposedServiceAccessSpec() {
+    this.getBaseName() = "xs-app.json"
+    or
+    // we are only interested in exposed services
+    this.getBaseName() = ".xsaccess" and
+    exists(JsonValue v | this = v.getJsonFile() |
+      v.getPropValue("exposed").getBooleanValue() = false
+    )
+  }
+}

javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/Xsaccess.qll

@@ -0,0 +1,28 @@
+# Broken XSJS authentication
+
+If you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.
+
+## Recommendation
+
+Use the built-in SAP HANA XS authentication mechanism and session management (cookies). 
+- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected. 
+- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.
+
+## Example
+
+The following `xs-app.json` fragment shows disabled XSJS authentication.
+
+```json
+{
+  "welcomeFile": "index.html",
+  "authenticationMethod": "none",
+  ...
+}  
+```
+
+## References
+
+* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).
+* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)
+* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)
+* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).

javascript/frameworks/xsjs/src/XSJSAuthentication/XSJSAuthentication.md

@@ -0,0 +1,38 @@
+/**
+ * @name Broken XSJS authentication
+ * @description Disabling XSJS authentication makes the application vulnerable to unauthorized access.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id js/xsjs-broken-authentication
+ * @tags security
+ *       external/cwe/cwe-306
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.xsjs.Xsaccess
+
+from JsonValue value, string msg
+where
+  value.getJsonFile() instanceof ExposedServiceAccessSpec and
+  (
+    msg = "Authentication should not be disabled." and
+    exists(JsonValue v |
+      value = v.getPropValue(["authentication", "authenticationMethod", "authenticationType"])
+    |
+      value.getStringValue() = "none"
+      or
+      value instanceof JsonNull
+    )
+    or
+    // the authentication specification is missing from .xsaccess
+    msg = "Authentication is missing from the configuration." and
+    value.isTopLevel() and
+    value.getJsonFile().getBaseName() = ".xsaccess" and
+    not exists(JsonValue p |
+      p.getJsonFile() = value.getJsonFile() and
+      exists(p.getPropValue("authentication"))
+    )
+  )
+select value, msg

javascript/frameworks/xsjs/src/XSJSAuthentication/XSJSAuthentication.ql

@@ -0,0 +1,33 @@
+# Disabled XSJS CSRF protection
+
+A web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.
+
+## Recommendation
+
+SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. 
+- In `XS Advanced` CSRF protection is enabled by default and should not be disabled. 
+- In `XS Classic` CSRF protection should be enabled explicitly. 
+
+## Example
+
+The following `xs-app.json` fragment enables CSRF protection in XSJS.
+
+```json
+"routes": [
+  {
+    "source": "/bad/(.*)",
+    "destination": "srv_api",
+    "csrfProtection": true,
+    ...
+  }
+]
+    ...
+  }
+]
+```
+
+## References
+
+* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
+* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
+* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).

javascript/frameworks/xsjs/src/XSJSCsrfDisabled/XSJSCsrfDisabled.md

@@ -0,0 +1,35 @@
+/**
+ * @name Disabled XSJS CSRF protection
+ * @description Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id js/xsjs-disabled-csrf-protection
+ * @tags security
+ *       external/cwe/cwe-352
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.xsjs.Xsaccess
+
+from JsonValue value, string msg
+where
+  value.getJsonFile() instanceof ExposedServiceAccessSpec and
+  (
+    msg = "CSRF protection should not be disabled." and
+    exists(JsonValue v |
+      value = v.getPropValue(["prevent_xsrf", "csrfProtection"]) and
+      value.getBooleanValue() = false
+    )
+    or
+    // the CSRF protection is missing from .xsaccess
+    msg = "CSRF protection is missing from the configuration." and
+    value.isTopLevel() and
+    value.getJsonFile().getBaseName() = ".xsaccess" and
+    not exists(JsonValue p |
+      p.getJsonFile() = value.getJsonFile() and
+      exists(p.getPropValue("prevent_xsrf"))
+    )
+  )
+select value, msg

javascript/frameworks/xsjs/src/XSJSCsrfDisabled/XSJSCsrfDisabled.ql

@@ -0,0 +1,4 @@
+| service/exposed/.xsaccess:3:23:3:26 | null | Authentication should not be disabled. |
+| service/missing_auth/.xsaccess:1:1:4:1 | {\\n    " ...  true\\n} | Authentication is missing from the configuration. |
+| service/xs-app.json:3:29:3:34 | "none" | Authentication should not be disabled. |
+| service/xs-app.json:15:35:15:40 | "none" | Authentication should not be disabled. |

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSAuthentication.expected

@@ -0,0 +1 @@
+XSJSAuthentication/XSJSAuthentication.ql

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSAuthentication.qlref

@@ -0,0 +1,2 @@
+| service/exposed/.xsaccess:1:1:4:1 | {\\n    " ...  null\\n} | CSRF protection is missing from the configuration. |
+| service/xs-app.json:14:31:14:35 | false | CSRF protection should not be disabled. |

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSCsrfDisabled.expected

@@ -0,0 +1 @@
+XSJSCsrfDisabled/XSJSCsrfDisabled.ql

javascript/frameworks/xsjs/test/queries/XSJSAccess/XSJSCsrfDisabled.qlref

@@ -0,0 +1,5 @@
+{
+    "exposed": true,
+    "prevent_xsrf": false,
+    "authentication": null
+}

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess

@@ -0,0 +1,4 @@
+{
+    "exposed": false,
+    "authentication": null
+}

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess

@@ -0,0 +1,4 @@
+{
+    "exposed": false,
+    "prevent_xsrf": true
+}

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess

@@ -0,0 +1 @@
+var webRequest1 = $.request;

javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs

@@ -0,0 +1,18 @@
+{
+    "welcomeFile": "index.html",
+    "authenticationMethod": "none",
+    "routes": [
+        {
+            "source": "/good/(.*)",
+            "destination": "srv_api",
+            "csrfProtection": true,
+            "authenticationType": "xsuaa"
+        },
+        {
+            "source": "/bad/(.*)",
+            "destination": "srv_api",
+            "csrfProtection": false,
+            "authenticationType": "none"
+        }
+    ]
+}