Implement UnnecessarilyGrantedPrivilegedAccessRights

[jeongsoolee09]

What this PR contributes

This PR aims to:

1. Add UnnecessarilyGrantedPrivilegedAccessRights.ql (previously DynamicallyGeneratedPrivileged.ql).
2. Fix wrong assumptions on cds.requires in test cases: previously cds.requires had service-1 and service-2.

Adding UnnecessarilyGrantedPrivilegedAccessRights

This query was previously named DynamicallyGeneratedPrivileged but renamed to UnnecessarilyGrantedPrivilegedAccessRights to better illustrate its core concerns: the fact that a privileged user is dynamically generated is itself not a problem, but that it's used to grant elevated access rights is.

UnnecessarilyGrantedPrivilegedAccessRights aims to find transactions that accesses an entity which requires nontrivial access rights (i.e. not trivial ones such as @(restrict: [{grant: 'READ'}])) in the context of cds.User.Privileged. This is a powerful role that bypasses all authorization checks that may be abused in the real world; a programmer may wish to access local entities without restrictions since they can already be accessed by other services in the same application. However, from the perspective of authorization this is an unnecessarily elevated access right and therefore a mistake in access control.

Fixing wrong assumptions

cds.requires in package.json of each test case in bad-authn-authz had service-1 and service-2 that pointed to the implementation details:

{
  "cds": {
    "requires": {
      "service-1": {
        "impl": "srv/service1.js"
      },
      "service-2": {
        "impl": "srv/service2.js"
      }
    }
  }
}

and the name "service-1" and "service-2" were used as handles to connect to the associated service:

const Service2 = await cds.connect.to("service-2");

However, some back-and-forth with a CAP expert from SAP revealed that this is not only necessary but wrong in some cases. Therefore, this PR remove such cds.requires section and changes the argument "service-2" to "Service2", to directly reference the service without an intermediary handle.

Others

• Refactor CDS.qll to make ServiceInstance a subclass of DataFlow::SourceNode, not DataFlow::Node, and use it to simplify all cases of ServiceInstance as well as its key member predicate getASrvMethodCall. Move this member predicate to the abstract class level.
• Clean up CDS.qll by moving type trackers into their own module.
• Add class EntityReference that models references to entities which are either variables containing a value of a property of srv.entities, or string/template literals which resolve to the entity: Service1.Service1Entity1.

[mbaluda]

I did a first review and left a few comments

[mbaluda]

Ship it! 🚀