Skip to content

Restrict RemoteFlowSource of CAP to only some properties and method calls on it #208

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

Restrict RemoteFlowSource of CAP to only some properties and method calls on it #208

wants to merge 9 commits into from

Conversation

jeongsoolee09
Copy link
Contributor

What This PR Contributes

Future Works

@jeongsoolee09
Refine docstring of HandlerParameterOfExposedService
81fa051
@jeongsoolee09
Make HandlerParameter extend ParameterNode
7958a80
@jeongsoolee09
Add class PayloadPropertyReadOfHandlerParameterOfExposedService
1f027ff
@jeongsoolee09
Finish first draft of class
7ae665c
@jeongsoolee09
Minor comment formatting
0b18c37
@jeongsoolee09
Change indent level to 2
bb57c22
@jeongsoolee09
Refine more on req.http.req
de09d59
@jeongsoolee09
Remove redundant files and add cases
748b12c 
- `service3nocds.js` had a service that was named differently. Clarified the gist of the file using tags.
- `service4.js` was identical to `service3nocds.js`, except for the `cds.serve` call. This is better suited for `server.js`.
- Since `HandlerParameterOfExposedService` is no longer a `RemoteFlowSource`, we place another query for testing it only.
- The case categorization is as follows:
  - `service1`: Exposed service with reads from properties and method calls, some of which are tainted and not tainted.
  - `service2`: Service that both receives data from service1 and service4 but does not propagate it further.
  - `service3`: Service without a CDS declaration, simulating extraction failure. Should be recognized as exposed, from overapproximation. Consists of identical property reads / method calls as those of `service1`.
  - `service4`: Service that is explicitly declared as internal only. Consists of identical property reads / method calls as those of `service1`, but is not a taint source from being unexposed.
@jeongsoolee09
Edit docstring and remove instanceof PropRead constraint
52d49e7
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jeongsoolee09