Implement UnnecessarilyGrantedPrivilegedAccessRights #139

Merged
merged 48 commits into from
Sep 5, 2024
788593a
Match the service name with `UserDefinedApplicationService.getUnquali…
jeongsoolee09 Aug 14, 2024
095e108
Merge branch 'main' into jeongsoolee09/fix-package-json-assumptions
jeongsoolee09 Aug 14, 2024
e6dfde3
Fix entities-exposed-with-cds-authz
jeongsoolee09 Aug 15, 2024
9f2c0fd
Fix entities-exposed-with-js-authz
jeongsoolee09 Aug 15, 2024
5a946e6
Fix entities-exposed-with-js-authz-cds-serve
jeongsoolee09 Aug 15, 2024
64b56ef
Fix entities-exposed-with-no-authz
jeongsoolee09 Aug 15, 2024
126a7fb
Fix default-is-privileged
jeongsoolee09 Aug 15, 2024
65e1edc
Fix basic-authentication
jeongsoolee09 Aug 15, 2024
2871fe3
Fix dummy-authentication
jeongsoolee09 Aug 15, 2024
8a7c6d5
Fix mocked-authentication
jeongsoolee09 Aug 15, 2024
1f576a3
Add back dynamically-generated-privileged
jeongsoolee09 Aug 15, 2024
9402be3
Fix test case and expected output
jeongsoolee09 Aug 15, 2024
43cf975
Update `javascript.sarif.expected`
jeongsoolee09 Aug 15, 2024
9e530aa
Update and fix unit tests
jeongsoolee09 Aug 16, 2024
3f7063b
Merge branch 'main' into jeongsoolee09/fix-package-json-assumptions
jeongsoolee09 Aug 23, 2024
0dbdd58
Fix entities-with-no-authz/entities-exposed-with-js-authz-cds-serve
jeongsoolee09 Aug 23, 2024
5f6e18d
rename dynamicaly-generated-privileged to unnecessarily-granted-privi…
jeongsoolee09 Aug 23, 2024
8dfdb7b
Rename DynamicallyGeneratedPrivileged to UnnecessarilyGrantedPrivileg…
jeongsoolee09 Aug 23, 2024
28734b0
Fix unnecessarily-granted-privileged-access-rights
jeongsoolee09 Aug 23, 2024
f961f71
Fix service1.js of unnecessarily-granted-privileged-access-rights
jeongsoolee09 Aug 23, 2024
dc0f326
Add help file to UnnecessarilyGrantedPrivilegedAccessRights
jeongsoolee09 Aug 23, 2024
d144eee
Update name and description
jeongsoolee09 Aug 23, 2024
40a2dc8
Update unnecessarily-granted-privileged-access-rights
jeongsoolee09 Aug 24, 2024
bf3730a
Minor
jeongsoolee09 Aug 24, 2024
ef0d728
Fix unnecessarily-granted-privileged-access-rights
jeongsoolee09 Aug 26, 2024
08d04ca
Debug and add support for getCqlDefinition for all types of EntityRef…
jeongsoolee09 Aug 26, 2024
9e89368
Ad CAPUnnecessarilyGrantedPrivilegedAccessRightsQuery
jeongsoolee09 Aug 26, 2024
bcae1e6
Fix unnecessarily-granted-privileged-access-rights
jeongsoolee09 Aug 27, 2024
fbe60da
Fix unnecessarily-granted-privileged-access-rights
jeongsoolee09 Aug 27, 2024
2e14d55
Separate TypeTrackers and make ServiceInstance extend SourceNode
jeongsoolee09 Aug 27, 2024
a78fc47
Refactor
jeongsoolee09 Aug 27, 2024
43a28e3
Finish CAPUnnecessarilyGrantedPrivilegedAccessRightsQuery
jeongsoolee09 Aug 27, 2024
ddce8ae
Fix definition of `RemoteEntityReference`
jeongsoolee09 Aug 27, 2024
c020a6c
Finalize UnnecessarilyGrantedPrivilegedAccessRights.ql
jeongsoolee09 Aug 27, 2024
118b7a7
Merge branch 'main' into jeongsoolee09/fix-package-json-assumptions
jeongsoolee09 Aug 28, 2024
4bb5d64
Update expected
jeongsoolee09 Aug 28, 2024
8af1ed0
Fix applicationserviceinstance
jeongsoolee09 Sep 3, 2024
4855c17
Merge branch 'main' into jeongsoolee09/fix-package-json-assumptions
jeongsoolee09 Sep 3, 2024
a1c20b0
Updates from editor
jeongsoolee09 Sep 4, 2024
f4fbe10
Update javascript/frameworks/cap/src/bad-authn-authz/UnnecessarilyGra…
jeongsoolee09 Sep 4, 2024
df71616
add test for unnecessarily-granted-privileged-access-rights
jeongsoolee09 Sep 4, 2024
9e3f9ed
Merge branch 'jeongsoolee09/fix-package-json-assumptions' of github.c…
jeongsoolee09 Sep 4, 2024
72364e9
Update test for unnecessarily-granted-privileged-access-rights
jeongsoolee09 Sep 4, 2024
de6cdfb
Remove location to `CdlElement` in EntityExposedWithoutAuthn
jeongsoolee09 Sep 5, 2024
ba8edbb
Update .expected of Code Scanning job
jeongsoolee09 Sep 5, 2024
d0c9308
Merge branch 'main' into jeongsoolee09/fix-package-json-assumptions
jeongsoolee09 Sep 5, 2024
a718d6e
Update `.expected`
jeongsoolee09 Sep 5, 2024
456cff4
Update .expected of code scanning job
jeongsoolee09 Sep 5, 2024
2 changes: 1 addition & 1 deletion .github/workflows/javascript.sarif.expected

Large diffs are not rendered by default.

@@ -0,0 +1,66 @@
import javascript
import advanced_security.javascript.frameworks.cap.CDS

/**
* A reference to an entity that is defined in this application.
*/
class LocalEntityReference instanceof EntityReference {
LocalEntityReference() { not this instanceof RemoteEntityReference }

string toString() { result = super.toString() }

Location getLocation() { result = super.getLocation() }

predicate hasRestrictedAccessControl() {
exists(RestrictCondition restrict |
restrict =
this.(EntityReference).getCqlDefinition().getRestrictAnnotation().getARestrictCondition()
|
not restrict.grantsToAnyone(_)
)
}
}

/**
* A reference to an entity that is not defined in this application and
* read from a service instance that is looked up with the name defined in
* package.json.
*/
class RemoteEntityReference instanceof EntityReference {
RemoteEntityReference() { not exists(this.getCqlDefinition()) }

string toString() { result = super.toString() }

Location getLocation() { result = super.getLocation() }
}

abstract class PrivilegedUserInstance extends DataFlow::NewNode { }

class CdsUserPrivilegedProperty extends PrivilegedUserInstance {
CdsUserPrivilegedProperty() {
exists(CdsUser cdsUser |
this =
cdsUser.getInducingNode().(PropRead).getAPropertyRead("Privileged").getAnInstantiation()
)
}
}

class CustomPrivilegedUser extends ClassNode {
CustomPrivilegedUser() {
exists(CdsUser cdsUser | this.getASuperClassNode() = cdsUser.asSource()) and
exists(FunctionNode init |
init = this.getInstanceMethod("is") and
forall(Expr expr | expr = init.asExpr().(Function).getAReturnedExpr() |
expr.mayHaveBooleanValue(true)
)
)
}
}

class CustomPrivilegedUserInstance extends PrivilegedUserInstance, NewNode {
CustomPrivilegedUserInstance() {
exists(CustomPrivilegedUser customPrivilegedUserClass |
this = customPrivilegedUserClass.getAnInstantiation()
)
}
}
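Review bot: the `forall` in `CustomPrivilegedUser` (the check on the `is` instance method) is vacuously true when `getAReturnedExpr()` has no results, so a class extending the `CdsUser` source whose `is` method contains no `return` expression at all is classified as a custom privileged user; `forex(Expr expr | expr = init.asExpr().(Function).getAReturnedExpr() | expr.mayHaveBooleanValue(true))`, or an explicit `exists(...) and forall(...)`, would require at least one returned expression. A smaller consistency point: `LocalEntityReference` reaches the base class through `this.(EntityReference).getCqlDefinition()` while `RemoteEntityReference` uses a bare `this.getCqlDefinition()`; both are `instanceof` classes, so the two should use the same form. The four privileged-user classes (`PrivilegedUserInstance`, `CdsUserPrivilegedProperty`, `CustomPrivilegedUser`, `CustomPrivilegedUserInstance`) also carry no QLDoc comment, unlike the two entity-reference classes above them.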
@@ -34,6 +34,15 @@ abstract class CdlElement extends JsonObject {
*/
string getName() { result = name }

/**
* Gets the unqualified name of this CDL element without the leading namespace.
*/
string getUnqualifiedName() {
exists(string qualifiedName | qualifiedName = this.getName() |
result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
)
}

/**
* Gets the kind of this CDL element.
*/
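Review bot: the QLDoc on the new `getUnqualifiedName` says it removes "the leading namespace", but `qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))` returns the last dot-separated segment, so for a name such as `a.b.Service.Entity` it drops every qualifier, not only the first one; the comment should say it returns the final segment (a name without dots is returned unchanged, since the count is 0). Hoisting the predicate into `CdlElement` is the right move, since the per-subclass copies removed further down in this file were identical.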
@@ -128,12 +137,6 @@ class CdlService extends CdlElement {
class CdlEntity extends CdlElement {
CdlEntity() { kind = CdlEntityKind(this.getPropStringValue("kind")) }

string getUnqualifiedName() {
exists(string qualifiedName | qualifiedName = this.getName() |
result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
)
}

predicate isSelectFrom(CdlEntity otherEntity) {
otherEntity.getName() =
this.getPropValue("query")
@@ -166,24 +169,12 @@ class CdlEntity extends CdlElement {
class CdlEvent extends CdlElement {
CdlEvent() { kind = CdlEventKind(this.getPropStringValue("kind")) }

string getUnqualifiedName() {
exists(string qualifiedName | qualifiedName = this.getName() |
result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
)
}

string getBasename() { result = name.splitAt(".", count(name.indexOf("."))) }
}

class CdlAction extends CdlElement {
CdlAction() { kind = CdlActionKind(this.getPropStringValue("kind")) }

string getUnqualifiedName() {
exists(string qualifiedName | qualifiedName = this.getName() |
result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
)
}

predicate belongsToServiceWithNoAuthn() {
exists(CdlService service | service.hasNoCdsAccessControl() | this = service.getAnAction())
}
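Review bot: after removing `CdlEvent.getUnqualifiedName()`, the retained `getBasename()` in `CdlEvent` computes exactly the same value as the now-inherited `CdlElement.getUnqualifiedName()` (`name.splitAt(".", count(name.indexOf(".")))`), so the class exposes one result under two names; either delete `getBasename()` in this hunk or define it as `result = this.getUnqualifiedName()` and document which of the two callers should use.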
@@ -194,12 +185,6 @@ class CdlFunction extends CdlElement {

JsonObject getReturns() { result = this.getPropValue("returns") }

string getUnqualifiedName() {
exists(string qualifiedName | qualifiedName = this.getName() |
result = qualifiedName.splitAt(".", count(qualifiedName.indexOf(".")))
)
}

predicate belongsToServiceWithNoAuthn() {
exists(CdlService service | service.hasNoCdsAccessControl() | this = service.getAFunction())
}