Update

jeongsoolee09 · jeongsoolee09 · commit c378a6775deb · 2024-08-12T11:33:06.000-07:00
diff --git a/javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged.md b/javascript/frameworks/cap/src/bad-authn-authz/DefaultUserIsPrivileged.md
@@ -0,0 +1,50 @@
+# Default User is overwritten as privileged
+
+The user whose request cannot be verified as authenticated is represented as `cds.User.default` internally. If this property is set to `cds.User.Privileged`, then a service may provide assets to some user who has no rights to access them.
+
+## Recommendation
+
+### Set up a development profile that uses non-production authentication
+
+It may be tempting to overwrite the `cds.User.default` as `cds.User.Privileged`, for ease of development. However, this may slip through production undeleted since the assignment to `cds.User.default` can be hard to detect because it may take various forms; e.g. the programmer may choose to store `cds.User` to a variable `v` and access `cds.User.default` by `v.default`.
+
+A safer and more elegant solution is to set up a development profile and opt in to use a non-production strategy such as basic, dummy, or mocked during its use. This can be done in `package.json` of the CAP application at its project root:
+
+``` json
+{
+  "requires": {
+    "[dev]": {
+      "auth": "dummy"
+    }
+  }
+}
+```
+
+Setting `"dummy"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.
+
+```shell
+cds serve --profile dev
+```
+
+## Example
+
+Setting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. The following is the server.js that provides the top-level definition of a CAP application, overwriting the property with the problematic class.
+
+``` javascript
+const cds = require("@sap/cds");
+const app = require("express")();
+
+/*
+ * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`
+ */
+cds.User.default = cdsUser.Privileged;
+
+cds.serve("all").in(app);
+```
+
+## References
+
+- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).
+- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).
+- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).
+- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).
diff --git a/javascript/frameworks/cap/src/bad-authn-authz/EntityExposedWithoutAuthn.md b/javascript/frameworks/cap/src/bad-authn-authz/EntityExposedWithoutAuthn.md
@@ -1,11 +1,13 @@
-# CAP Entities Exposed without Access Controls
+# CAP Definitions Exposed without Access Controls
+
+Although using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.
 
 ## Recommendation
 
 ### Use CDS-based authorization
 
 CDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).
- 
+
 #### Check the original CDS entity it is derived from
 
 CDS entities may be derived from other entities by means of selection and projection. These derived definitions inherit its identical conditions for access control or can choose to override them. Therefore, in order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected (that is, the inspection should go up the chain of derivation).
@@ -80,6 +82,6 @@ module.exports = class Service1 extends cds.ApplicationService {
 [@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).
 - SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).
 - SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).
+- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).
 - Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).
-- Commoon Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).
-
+- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).
