Add sensitive information exposure query

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -129,6 +129,35 @@ class CdlAttribute extends JsonObject {
   int getLength() { result = this.getPropValue("length").(JsonPrimitiveValue).getIntValue() }
 }
 
+/**
+ * any `JsonValue` that has a `PersonalData` like annotation above it
+ */
+class SensitiveAnnotatedElement extends JsonValue {
+  string annotationName;
+  string fieldOrEntityName;
+
+  SensitiveAnnotatedElement() {
+    exists(JsonValue annotationval, JsonValue entityOrField |
+      annotationval = this.getPropValue(annotationName) and
+      annotationName.matches("@PersonalData%") and
+      this = entityOrField.getPropValue(fieldOrEntityName)
+    )
+  }
+
+  /**
+   * Gets the name of this annotation, without the leading `@` character.
+   */
+  string getAnnotationName() { "@" + result = annotationName }
+
+  /**
+   * Gets the name of this field or entity that is annotated
+   */
+  string getEntityOrFieldName() { result = fieldOrEntityName }
+}
+
+/**
+ * CDL annotations specifically associated to `CdlElement`s
+ */
 abstract class CdlAnnotation extends JsonValue {
   string annotationName;
   CdlElement element;

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.md

@@ -0,0 +1,47 @@
+ # CAP Insertion of Sensitive Information into Log File
+
+If sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.
+
+Data annotated as `@PersonalData` should not be logged.
+
+## Recommendation
+
+CAP applications should not log sensitive information. Check CDS declarations for annotations before logging certain data types or fields.
+
+## Examples
+
+This CAP service directly logs the sensitive information.
+
+```cds
+namespace advanced_security.log_exposure.sample_entities;
+
+entity Sample {
+    name         : String(111);
+}
+
+// annotations for Data Privacy
+annotate Sample with
+@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }
+{
+  name  @PersonalData.IsPotentiallySensitive;
+}
+```
+
+``` javascript
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+const { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+        LOG.info("Received: ", Sample.name); // CAP log exposure alert
+    }
+
+}
+```
+
+## References
+
+- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).
+- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations).

javascript/frameworks/cap/src/sensitive-exposure/SensitiveExposure.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Insertion of sensitive information into log files
+ * @description Writing sensitive information to log files can allow that
+ *              information to be leaked to an attacker more easily.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision medium
+ * @id javascript/sensitive-log
+ * @tags security
+ *       external/cwe/cwe-532
+ */
+
+import javascript
+import advanced_security.javascript.frameworks.cap.CDS
+import advanced_security.javascript.frameworks.cap.CAPLogInjectionQuery
+import DataFlow::PathGraph
+
+class SensitiveExposureSource extends DataFlow::Node {
+  SensitiveExposureSource() {
+    exists(PropRead p, SensitiveAnnotatedElement c |
+      p.getPropertyName() = c.getEntityOrFieldName() and
+      this = p
+    )
+  }
+}
+
+class SensitiveLogExposureConfig extends TaintTracking::Configuration {
+  SensitiveLogExposureConfig() { this = "SensitiveLogExposure" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof SensitiveExposureSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof CdsLogSink }
+}
+
+from SensitiveLogExposureConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink, source, sink, "Log entry depends on a potentially sensitive piece of information."

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds

@@ -0,0 +1,14 @@
+namespace advanced_security.log_exposure.sample_entities;
+
+entity Sample {
+    name         : String(111);
+    dateOfBirth  : Date;
+}
+
+// annotations for Data Privacy
+annotate Sample with
+@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }
+{
+  name  @PersonalData.IsPotentiallySensitive;
+  dateOfBirth     @PersonalData.IsPotentiallyPersonal; 
+}

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected

@@ -0,0 +1,8 @@
+nodes
+| sensitive-exposure.js:10:32:10:42 | Sample.name |
+| sensitive-exposure.js:10:32:10:42 | Sample.name |
+| sensitive-exposure.js:10:32:10:42 | Sample.name |
+edges
+| sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name |
+#select
+| sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name | sensitive-exposure.js:10:32:10:42 | Sample.name | Log entry depends on a potentially sensitive piece of information. |

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js

@@ -0,0 +1,13 @@
+import cds from '@sap/cds'
+const LOG = cds.log("logger");
+
+const { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')
+
+class SampleVulnService extends cds.ApplicationService {
+    init() {
+	/* A sensitive info log sink. */
+
+        LOG.info("Received: ", Sample.name); // CAP log exposure alert
+    }
+
+}

javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.qlref

@@ -0,0 +1 @@
+sensitive-exposure/SensitiveExposure.ql