Adds support for npm and xsjslib modules #143

Closed (wants to merge 42 commits)

Conversation

@mbaluda (Contributor) commented Aug 26, 2024

This pull request includes several updates to the XSJS framework, adding support for NPM and xsjslib modules.

  • npm modules with $.require import syntax (from v2.19.0)
  • add dataflow edges and support for @sap/xss-secure XSS sanitizers
  • xsjslib modules with $.import("relative/path.xsjslib") syntax using literal relative path
  • test cases using existing queries

@mbaluda mbaluda self-assigned this Aug 26, 2024
@jeongsoolee09 (Contributor) left a comment

Left some questions/comments for starters. I think you should take an alternative call to $.import: import(package, library) → {Object} and its real-world implications into account.
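The module-loading forms that the description and the review comment above discuss ($.require for npm modules, $.import with a literal relative path, and the alternative $.import(package, library) call), together with the @sap/xss-secure step that separates the flagged handler from the sanitized one, as an added JavaScript example that is not part of this PR or of the project it targets. The `$` runtime built by makeRuntime(), the encodeHTML stand-in for `@sap/xss-secure`, the in-memory `.xsjslib` table, and the mapping of dotted package names onto path segments are all constructed assumptions for this example, not the real SAP runtime.

```javascript
// Added example, not code from the PR or the project it targets: a
// constructed in-memory stand-in for the XSJS runtime objects the PR models.
// Assumptions (all constructed here): `$` is built by makeRuntime();
// `@sap/xss-secure` is replaced by a small encodeHTML; `.xsjslib` files are
// entries in a table; dotted package names in the two-argument $.import form
// are mapped onto path segments.

// Constructed stand-in for the npm modules $.require() can load. The real
// @sap/xss-secure exposes encodeHTML; this version escapes only the five
// characters that change meaning in HTML text content.
const npmModules = {
  "@sap/xss-secure": {
    encodeHTML(value) {
      const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
      return String(value).replace(/[&<>"']/g, (c) => map[c]);
    },
  },
};

// Constructed table of .xsjslib modules, keyed by the literal relative path
// that the single-argument $.import("relative/path.xsjslib") form uses.
const xsjslibModules = {
  "lib/render.xsjslib": { wrap: (v) => `<p>${v}</p>` },
};

// Resolve a .xsjslib module key from either call shape:
//   $.import("lib/render.xsjslib")   -> literal relative path (the PR's case)
//   $.import("lib", "render")        -> package + library (the reviewer's case)
// Both resolve to the same module, which a dataflow model that follows
// $.import calls has to account for.
function resolveXsjslibKey(args) {
  if (args.length === 1 && typeof args[0] === "string") {
    return args[0];
  }
  if (args.length === 2 && args.every((a) => typeof a === "string")) {
    // Assumption: dotted package segments become path segments.
    return `${args[0].replace(/\./g, "/")}/${args[1]}.xsjslib`;
  }
  throw new TypeError("$.import expects (path) or (package, library)");
}

function importXsjslib(...args) {
  const key = resolveXsjslibKey(args);
  const lib = xsjslibModules[key];
  if (!lib) throw new Error(`unknown xsjslib module: ${key}`);
  return lib;
}

function requireNpm(name) {
  const mod = npmModules[name];
  if (!mod) throw new Error(`unknown npm module: ${name}`);
  return mod;
}

// Build a `$` object for one request; `params` is a constructed map of
// query parameters standing in for $.request.parameters.
function makeRuntime(params) {
  const response = {
    contentType: "text/plain",
    body: null,
    setBody(b) { this.body = b; },
  };
  return {
    request: { parameters: { get: (name) => params[name] } },
    response,
    require: requireNpm,
    import: importXsjslib,
  };
}

// Mirrors test1 in the PR's test file: the parameter reaches setBody with no
// sanitizer in between, so a reflected-XSS query should report this line.
function unsanitizedHandler($) {
  const render = $.import("lib/render.xsjslib");
  const value = $.request.parameters.get("someParameter1");
  $.response.contentType = "text/html";
  $.response.setBody(render.wrap(value));
  return $.response.body;
}

// Mirrors test4: same source and sink, but encodeHTML from @sap/xss-secure
// sits on the path; this is the call the PR's sanitizer model must recognise
// so the query stays quiet here.
function sanitizedHandler($) {
  const xssSecure = $.require("@sap/xss-secure");
  const render = $.import("lib", "render");
  const value = $.request.parameters.get("someParameter4");
  $.response.contentType = "text/html";
  $.response.setBody(render.wrap(xssSecure.encodeHTML(value)));
  return $.response.body;
}

// Constructed input: markup arriving in a query parameter.
const constructedParams = {
  someParameter1: '<b>"user" & \'input\'</b>',
  someParameter4: '<b>"user" & \'input\'</b>',
};

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(unsanitizedHandler(makeRuntime(constructedParams)));
  console.log(sanitizedHandler(makeRuntime(constructedParams)));
}
```

The two handlers differ only in the encodeHTML call between source and sink, which is exactly the distinction the sanitizer model in this PR has to draw; importXsjslib shows why both $.import shapes need to resolve to the same module before any dataflow through `.xsjslib` code can be followed.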

@mbaluda mbaluda marked this pull request as draft September 4, 2024 09:08
@mbaluda (Contributor, Author) commented Sep 4, 2024

Sorry @jeongsoolee09, this PR was not yet ready for review.

@mbaluda mbaluda changed the base branch from main to mbaluda/external-cds September 17, 2024 09:00
- Update CodeQL version
- Standardize query ids
- Include `.cds` files in the DB
- Implement `CdlObject` location in the `.cds` file
- Modified `EntityExposedWithoutAuthn` error message to include the name of the exposed element
- Modified `SensitiveExposure` error message to include the name of the exposed element
Base automatically changed from mbaluda/external-cds to mbaluda/cds September 19, 2024 09:13
@mbaluda mbaluda changed the base branch from mbaluda/cds to main September 23, 2024 10:58
@mbaluda mbaluda changed the base branch from main to mbaluda/cds September 23, 2024 10:59
@mbaluda mbaluda changed the base branch from mbaluda/cds to main September 23, 2024 11:45
@mbaluda mbaluda changed the base branch from main to mbaluda/cds September 23, 2024 11:45
@@ -10,7 +10,7 @@
function test1(requestParameters) {
let someParameterValue1 = requestParameters.get("someParameter1");
$.response.contentType = "text/html";
$.response.setBody(requestParameterHandler(someParameterValue1));
$.response.setBody(requestParameterHandler(someParameterValue1)); // js/xsjs-reflected-xss
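Review bot: the added `// js/xsjs-reflected-xss` marker on the `setBody` line in test1 matches the query id from the "Standardize query ids" base-branch change and the code-scanning annotation attached to this line, so the expected alert and the reported one agree; with `$.response.contentType = "text/html"` set one line earlier this is the intended true positive. Consider stating the marker convention (expected alert = query id in a trailing comment) in the test file header, so that a `setBody` line without a marker, such as the sanitized test4 case, is recognisably an expected negative rather than an omission.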

Check failure (Code scanning / CodeQL): XSJS Reflected XSS, High, test: Reflected XSS vulnerability due to user-provided value.
function test4(requestParameters) {
let someParameterValue4 = requestParameters.get("someParameter4");
$.response.contentType = "text/html";
$.response.setBody(requestParameterHandler(xssSecure.encodeHTML(someParameterValue4)));
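Review bot: the code-scanning annotation attached to the `setBody` line in test4 still reports "Reflected XSS vulnerability due to user-provided value" even though `someParameterValue4` passes through `xssSecure.encodeHTML(...)` before reaching `requestParameterHandler`, so in the run shown the `@sap/xss-secure` sanitizer support described in this PR is not suppressing the flow. Check that the sanitizer model recognises this call shape (module bound to `xssSecure`, `encodeHTML` invoked as a member, result passed through `requestParameterHandler` before the sink) and that the test expectation records test4 as a negative; as it stands the test would fail on the expected-output comparison rather than confirm the sanitizer.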

Check failure (Code scanning / CodeQL): XSJS Reflected XSS, High, test: Reflected XSS vulnerability due to user-provided value.
Base automatically changed from mbaluda/cds to main September 24, 2024 07:49
@mbaluda mbaluda changed the base branch from main to mbaluda/cds-lint September 26, 2024 10:21
@mbaluda mbaluda changed the base branch from mbaluda/cds-lint to main September 26, 2024 10:22
@mbaluda mbaluda marked this pull request as ready for review September 26, 2024 10:28
@mbaluda mbaluda closed this Sep 26, 2024
2 participants