Merged
Changes from 24 commits
Commits
90 commits
5a52340
Add draft of multi-service, message-passing log poc
jeongsoolee09 Feb 13, 2024
bb8fe73
Finalize draft on log injection app
jeongsoolee09 Feb 13, 2024
1e69a23
Remove unnecessary devDependencies in package.json
jeongsoolee09 Feb 13, 2024
c71ef16
Wrong entity name
jeongsoolee09 Feb 13, 2024
810942e
Add draft of SQL injection PoC
jeongsoolee09 Feb 13, 2024
140cee0
Fix CQL expression to be vulnerable to SQL injection
jeongsoolee09 Feb 13, 2024
f354b9d
Add missing `init()` and add some comments
jeongsoolee09 Feb 14, 2024
3f50833
Normalize import path and remove redundant module declaration
jeongsoolee09 Feb 14, 2024
7d2a95f
Introduce variant `ImplMethodCall`
jeongsoolee09 Feb 14, 2024
f8588fb
Add missing await on call to `cds.connect.to`
jeongsoolee09 Feb 14, 2024
a097e04
Add classes predicates
jeongsoolee09 Feb 14, 2024
7a97eb0
Add CDL.qll
jeongsoolee09 Feb 15, 2024
db58714
Fix parsing errors on the cds files
jeongsoolee09 Feb 15, 2024
5bc2a79
Implement and clean up definitions of `Handler`s
jeongsoolee09 Feb 15, 2024
9035377
Fix failing unit tests
jeongsoolee09 Feb 16, 2024
7b28623
Add and reorder classes
jeongsoolee09 Feb 16, 2024
cb2c7b6
Rename ApplicationService to CdsApplicationService
jeongsoolee09 Feb 16, 2024
a95b38d
Fix unit test `requesthandler`
jeongsoolee09 Feb 17, 2024
4d82d20
Fix unit test
jeongsoolee09 Feb 17, 2024
b816eaf
Fix `applicationserviceinstance` unit test
jeongsoolee09 Feb 17, 2024
914e825
Create CAPLogInjection class to accommodate related classes
jeongsoolee09 Feb 17, 2024
a4c0d20
Fix `logger` unit test
jeongsoolee09 Feb 17, 2024
624a91d
Fix `loginjection`/`sqlinjection` unit tests
jeongsoolee09 Feb 20, 2024
286980b
Rename app to something specific
jeongsoolee09 Feb 21, 2024
f747d22
Move existing loginjection.js to a separate directory
jeongsoolee09 Feb 21, 2024
765608d
Add three more variants of `log-injection-with-partial-protocol-none`
jeongsoolee09 Feb 21, 2024
67357f6
Add description to each README and add missing annotation
jeongsoolee09 Feb 22, 2024
69c1bf7
Create `dataflow/` and move `ParseSink` there
jeongsoolee09 Feb 22, 2024
1e63e5d
Add `PackageJson.qll`
jeongsoolee09 Feb 23, 2024
19912c8
Add more classes
jeongsoolee09 Feb 23, 2024
3181a5d
Add more classes and predicates
jeongsoolee09 Feb 24, 2024
34be530
Debug `log-injection-with-partial-protocol-none`
jeongsoolee09 Feb 24, 2024
78b29a2
Add `AsyncStyleCommunication` in `DataFlow.qll`
jeongsoolee09 Feb 24, 2024
c01f19e
Update all log injection test cases
jeongsoolee09 Feb 28, 2024
fabd8c4
Rename existing test case and add new one
jeongsoolee09 Feb 28, 2024
a70d59a
Update script to only run locally and not on Codespaces
jeongsoolee09 Feb 29, 2024
4692365
Change UserDefinedApplicationService to abstract class
jeongsoolee09 Feb 29, 2024
f7846a2
Remove `@protocol: 'none'` in Service1.cds
jeongsoolee09 Mar 1, 2024
818a394
Minor formatting
jeongsoolee09 Mar 1, 2024
3489055
Recompile modified CDS files
jeongsoolee09 Mar 1, 2024
efd09b3
Implement `getHandlerRegistration/1`
jeongsoolee09 Mar 2, 2024
3d80c3b
Add transitive import of FlowSteps
jeongsoolee09 Mar 2, 2024
3b1ec26
Add more fields and getters to `InterServiceCommunication`
jeongsoolee09 Mar 2, 2024
e6e6991
Debug `InterServiceCommunicationStepFromSenderToReceiver`
jeongsoolee09 Mar 2, 2024
14c4807
Minor stylistic change
jeongsoolee09 Mar 2, 2024
a3b8373
Finish first draft of multi-service log injection
jeongsoolee09 Mar 5, 2024
f342004
Debug query for log-injection-with-service2-protocol-none
jeongsoolee09 Mar 5, 2024
c5ecf1e
Add separate script to build database with (compiled) cds files
jeongsoolee09 Mar 6, 2024
f61be3d
Change bit of comment in create-db.sh
jeongsoolee09 Mar 6, 2024
bef79db
Update unit test cases and .expected files
jeongsoolee09 Mar 6, 2024
91c8358
Fix all unit tests
jeongsoolee09 Mar 6, 2024
4cdbcff
Merge branch 'main' of github.com:advanced-security/codeql-sap-js int…
jeongsoolee09 Mar 6, 2024
2be5dab
Fix log-injection-single-file
jeongsoolee09 Mar 7, 2024
37eeac3
Fix `userdefinedservice` test
jeongsoolee09 Mar 7, 2024
cd9bbe7
Fix `requesthandler` unit test
jeongsoolee09 Mar 7, 2024
62b5c91
Fix failing unit tests due to compilation error
jeongsoolee09 Mar 7, 2024
b57a7c6
Fix `applicationserviceinstance` test
jeongsoolee09 Mar 7, 2024
f211169
Update untracked json files compiled from cds files
jeongsoolee09 Mar 8, 2024
3ab3c72
Check diagram svgs into repository
jeongsoolee09 Mar 13, 2024
ecdb36f
Add inline comment to signal CAP/vanilla log injection sinks
jeongsoolee09 Mar 19, 2024
eb5b49e
Fix `log-injection-not-depending-on-request`
jeongsoolee09 Mar 20, 2024
06b685f
Restrict search space to the same application
jeongsoolee09 Mar 20, 2024
3f668c3
Untrack `.json` files compiled from `.cds` files
jeongsoolee09 Mar 20, 2024
a3f5099
Untrack `.json` files compiled from `.cds` files
jeongsoolee09 Mar 20, 2024
054be51
Update `javascript.sarif.expected`
jeongsoolee09 Mar 20, 2024
b166ee1
Untrack `.json` files compiled from `.cds` files
jeongsoolee09 Mar 20, 2024
f86e613
Recognize accompanying .cds files as ".cds.json"
jeongsoolee09 Mar 20, 2024
7518e3a
Update the script to compile `.cds` files
jeongsoolee09 Mar 20, 2024
d393a1d
Update workflow files to ensure presence of `cds` shell command
jeongsoolee09 Mar 21, 2024
abc1942
Debug `Compile CAP CDS files` step
jeongsoolee09 Mar 21, 2024
79fab0d
Remove `npm install` command from both workflows
jeongsoolee09 Mar 21, 2024
c4bc859
Update code_scanning.yml
jeongsoolee09 Mar 21, 2024
a98747e
Update run-codeql-unit-tests-javascript.yml
jeongsoolee09 Mar 21, 2024
8875027
Merge branch 'main' into jeongsoolee09/cover-multi-service-log-i
jeongsoolee09 Mar 25, 2024
e9df248
Update sqlinjection to appease batch CDS compilation
jeongsoolee09 Mar 25, 2024
8278b9f
Merge branch 'jeongsoolee09/cover-multi-service-log-i' of github.com:…
jeongsoolee09 Mar 25, 2024
24748e5
Fix `using` path
jeongsoolee09 Mar 25, 2024
69e4590
Add a debug echo in the workflows
jeongsoolee09 Mar 25, 2024
c9219f7
Add debug echo
jeongsoolee09 Mar 25, 2024
60e3550
Rename files
jeongsoolee09 Mar 25, 2024
cb9a9f6
Rename files
jeongsoolee09 Mar 25, 2024
ad38212
Delete cqlinjection and sqlinjection
jeongsoolee09 Mar 25, 2024
3406c27
update javascript.sarif.expected
jeongsoolee09 Mar 25, 2024
3aefa19
Revert "update javascript.sarif.expected"
jeongsoolee09 Mar 25, 2024
59a3f6c
Update run-codeql-unit-tests-javascript.yml
jeongsoolee09 Mar 25, 2024
118c3b6
Testing by shuffling around the steps a bit
jeongsoolee09 Mar 25, 2024
9ed78dd
Merge branch 'jeongsoolee09/cover-multi-service-log-i' of github.com:…
jeongsoolee09 Mar 25, 2024
c9ce5a8
Revert "Perform missing version ups from 0.5.0 to 0.6.0"
jeongsoolee09 Mar 26, 2024
93704f7
fix paths for json files compiled from cds
mbaluda Mar 26, 2024
66a067c
Add back `cqlinjection`
jeongsoolee09 Mar 26, 2024
@@ -0,0 +1,31 @@
import javascript
import DataFlow
import advanced_security.javascript.frameworks.cap.CDS

/**
* A logger obtained by a call to `log` on a CDS facade. Each logger is associated with
* its unique name.
*/
class CdsLogger extends MethodCallNode {
string name;

CdsLogger() {
this = any(CdsFacade cds).getMember("log").getACall() and
name = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue()
}
}

/**
* Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
*/
class CdsLogSink extends DataFlow::Node {
CdsLogSink() {
exists(CdsLogger log, MethodCallNode loggingMethod |
this = loggingMethod.getAnArgument() and
not this.asExpr() instanceof Literal and
not this.asExpr() instanceof TemplateLiteral and
loggingMethod.getReceiver().getALocalSource() = log and
loggingMethod.getMethodName() = ["trace", "debug", "info", "log", "warn", "error"]
)
}
}
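Review bot: The line `not this.asExpr() instanceof TemplateLiteral` in `CdsLogSink` excludes the most common log-injection shape, a call such as `` logger.info(`user ${req.data.id} logged in`) ``, because the argument node is the template literal itself and taint tracking normally propagates into it from the interpolated expression; a substitution-free template never carries taint anyway, so the exclusion buys no precision and should simply be deleted (the `Literal` exclusion on the line above can stay). Separately, `CdsLogger` only recognises loggers whose name argument resolves to a local `StringLiteral`, so `cds.log()` with no argument or with a computed name produces no `CdsLogger` and its `info`/`error` calls are never sinks; consider moving the literal lookup into a `string getName() { ... }` predicate and dropping the constraint from the characteristic predicate so the name is optional. `CdsFacade` comes from the `CDS` import outside this hunk, so I cannot confirm which receivers it covers; the doc comment on `CdsLogSink` would also be more accurate as `Arguments of calls to {trace, debug, info, log, warn, error} on a logger obtained from cds.log(...)`.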
@@ -0,0 +1,124 @@
/**
* A module to reason about CDL, the language to write specification of models of services, parsed into JSON.
*/

import javascript

newtype CdlKind =
Service(string value) { value = "service" } or
Entity(string value) { value = "entity" } or
Event(string value) { value = "event" } or
Action(string value) { value = "action" }

/**
* Any CDL element, including entities, event, actions, and more.
*/
class CdlDefinition extends JsonObject {
CdlDefinition() { exists(JsonObject root | this = root.getPropValue("definitions")) }

JsonObject getElement(string elementName) { result = this.getPropValue(elementName) }

JsonObject getAnElement() { result = this.getElement(_) }
}

abstract class CdlElement extends JsonObject {
abstract string getName();

abstract CdlKind getKind();
}

class CdlService extends CdlElement {
string name;
CdlKind kind;

CdlService() {
exists(CdlDefinition definition |
this = definition.getElement(name) and
kind = Service(this.getPropStringValue("kind"))
)
}

override string getName() { result = name }

override CdlKind getKind() { result = kind }

CdlEntity getEntity(string entityName) {
entityName = result.getName() and
/* WARNING: Hacky! */
entityName.splitAt(".", 0) = name
}
}

class CdlEntity extends CdlElement {
string name;
CdlKind kind;

CdlEntity() {
exists(CdlDefinition definition |
this = definition.getElement(name) and
kind = Entity(this.getPropStringValue("kind"))
)
}

override string getName() { result = name }

override CdlKind getKind() { result = kind }

CdlAttribute getAttribute(string attributeName) {
result = this.getPropValue("elements").getPropValue(attributeName)
}
}

class CdlEvent extends CdlElement {
string name;
CdlKind kind;

CdlEvent() {
exists(CdlDefinition definition |
this = definition.getElement(name) and
kind = Event(this.getPropStringValue("kind"))
)
}

string getBasename() { result = name.splitAt(".", count(name.indexOf("."))) }

override string getName() { result = name }

override CdlKind getKind() { result = kind }

CdlAttribute getAttribute(string attributeName) {
result = this.getPropValue("elements").getPropValue(attributeName)
}
}

class CdlAction extends CdlElement {
string name;
CdlKind kind;

CdlAction() {
exists(CdlDefinition definition |
this = definition.getElement(name) and
kind = Action(this.getPropStringValue("kind"))
)
}

override string getName() { result = name }

override CdlKind getKind() { result = kind }

CdlAttribute getAttribute(string attributeName) {
result = this.getPropValue("elements").getPropValue(attributeName)
}
}

class CdlAttribute extends JsonObject {
string name;

CdlAttribute() {
exists(CdlElement entity | this = entity.getPropValue("elements").getPropValue(name))
}

string getType() { result = this.getPropStringValue("type") }

int getLength() { result = this.getPropValue("length").(JsonPrimitiveValue).getIntValue() }
}
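Review bot: `CdlService.getEntity` pairs an entity with its service by testing `entityName.splitAt(".", 0) = name`, which only works when the service name itself contains no dot; a namespaced service such as `my.app.Catalog` (where `name` already contains dots) never owns any entity, so handlers and data flow attributed through that service are silently lost, and the `WARNING: Hacky!` comment should not ship as-is. A prefix test handles namespaces without that failure: `entityName.prefix(name.length() + 1) = name + "."` (avoid `matches`, since `_` in a service name would become a wildcard). `CdlDefinition` is also unscoped — any JSON object anywhere in the database with a `definitions` property qualifies, and JSON Schema files use the same key — so I would require `root.isTopLevel()` and, if the compiled models are indeed named `*.cds.json` as commit f86e613 suggests, restrict by file name as well; the `kind` checks in the subclasses limit the damage but do not remove it.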