Skip to content

Implement queries for authentication / authorization related issues #113

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 82 commits into from
Aug 12, 2024
Merged

Implement queries for authentication / authorization related issues #113

merged 82 commits into from
Aug 12, 2024

Conversation

jeongsoolee09
Copy link
Contributor

@jeongsoolee09 jeongsoolee09 commented Apr 12, 2024
edited
Loading

What this PR contributes

Queries

This PR contributes three queries:

  1. DefaultUserIsPrivileged.ql
  2. EntityExposedWithoutAuthn.ql
  3. NonProductionStrategyUsed.ql

DefaultUserIsPrivileged.ql

Addresses #107's misused-privilged-user/default-is-privileged PoC.

EntityExposedWithoutAuthn.ql

Addresses #107's entities-with-no-authn PoC.

NonProductionStrategyUsed.ql

Addresses #107's nonprod-authn-strategy PoC.

Libraries

  • Thoroughly debugged CqlClause in CQL.qll.
  • Improved and added more classes to CDS.qll.
    • Better handling of global variable definitions using type tracker.
    • Added classes on cds.user and privileged users.
    • Added classes on transactions.
    • Classes now also capture await expressions as well as their non-await expressions.
  • Added Conditionals.qll to find expressions and statements that act as conditionals.
  • Added more classes to PackageJson.qll.

Tests

  • Added model tests on authz-annotations, conditionalstatements.
  • Added model tests on entityreference where the entity resolving mechanism is tested.

Future Work

@jeongsoolee09
Add class AuthenticationStrategy
5971d61
@jeongsoolee09
Refactor and add some predicates
d18ccfb
@jeongsoolee09
Minor comment reflow
3b3fc24
@jeongsoolee09
Add NonProductionStrategyUsed.ql
9bb88cf
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/auth-queries
4301952
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/auth-queries
a673eef
@jeongsoolee09
Add DefaultUserIsPrivileged.ql
c44d9f8
@jeongsoolee09
Merge branch 'jeongsoolee09/auth-queries' of https://github.com/advan…
9611102 
…ced-security/codeql-sap-js into jeongsoolee09/auth-queries
@jeongsoolee09
Remove unnecessary type cast
845de60
@jeongsoolee09
Add CustomPrivilegedUser
ee5c36a
@jeongsoolee09
Debug CqlClause
b44ac70
@jeongsoolee09
Add member predicate flow/0
d995fec
@jeongsoolee09
Add authz-annotations model tests
3419af7
@jeongsoolee09
Add model test for transactions
056e0ef
@jeongsoolee09
Update scripts
913057f 
Don't use $FOLDER_NAME as is; append a `db`
so that it can be locally ignored.
@jeongsoolee09
Add classes to reason about @restricts
c99884c
@jeongsoolee09
Add CdsTransaction
aec2c5c
@jeongsoolee09
Update CQL.qll
d5931ff
@jeongsoolee09
Debug TCqlClause and add type related predicates
7acf540
@jeongsoolee09
Minor comment formatting
4286348
@jeongsoolee09
Debug getAnExecutedCqlClause
600d299
@jeongsoolee09
Add FP/Error/Warning on the cases
5c8c9da
@jeongsoolee09
Debug PoC of dynamically-generated-privileged
7d911ac
@jeongsoolee09
Minor comment
44ee421
@jeongsoolee09
Minor comment
4219abe
@jeongsoolee09
Add CdsReference
d228638
@jeongsoolee09
Initial commit of entityreference.js
15839c3
@jeongsoolee09
Add test entityreference
4451e0b
@jeongsoolee09
Update entityreference.js
14ff647
@jeongsoolee09
Loop over only directories
67f9754
@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review July 29, 2024 21:59
@jeongsoolee09 jeongsoolee09 requested a review from mbaluda July 29, 2024 21:59
@mbaluda mbaluda assigned mbaluda and unassigned mbaluda Jul 30, 2024
mbaluda
mbaluda requested changes Aug 6, 2024
View reviewed changes
Copy link
Contributor

@mbaluda mbaluda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of thoughts:

  • Remove dynamically-generated-privileged and dependencies if it's not in scope right now
  • DefaultUserIsPrivileged should be a path-preoblem
  • EntityExposedWithoutAuthn missing description
  • EntityExposedWithoutAuthn do not repeat the primary location link

@jeongsoolee09 jeongsoolee09 requested a review from mbaluda August 9, 2024 18:01
mbaluda
mbaluda approved these changes Aug 12, 2024
View reviewed changes
Copy link
Contributor

@mbaluda mbaluda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@jeongsoolee09 jeongsoolee09 merged commit 6d548c0 into main Aug 12, 2024
9 checks passed
@jeongsoolee09 jeongsoolee09 deleted the jeongsoolee09/auth-queries branch August 12, 2024 16:34
@jeongsoolee09 jeongsoolee09 mentioned this pull request Aug 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbaluda mbaluda mbaluda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jeongsoolee09 @mbaluda