2 changes: 1 addition & 1 deletion .github/workflows/javascript.sarif.expected

@@ -0,0 +1,13 @@
import javascript

class ExposedServiceAccessSpec extends File {
ExposedServiceAccessSpec() {
this.getBaseName() = "xs-app.json"
or
// we are only interested in exposed services
this.getBaseName() = ".xsaccess" and
exists(JsonValue v | this = v.getJsonFile() |
v.getPropValue("exposed").getBooleanValue() = false
)
}
}
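Review bot: the comment on the `.xsaccess` branch says "we are only interested in exposed services", but the condition admits only files where `exposed` is `false`, i.e. packages that XS Classic does not serve at all; one of the two is inverted, and the test expectations in this PR report `service/exposed/.xsaccess`, which suggests `= true` was intended. Consider also parenthesising the mixed `or` / `and` as `A or (B and C)` so the precedence the class relies on is explicit.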
@@ -0,0 +1,28 @@
# Broken XSJS authentication

If you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.

## Recommendation

Use the built-in SAP HANA XS authentication mechanism and session management (cookies).
- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected.
- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.

## Example

The following `xs-app.json` fragment shows disabled XSJS authentication.

```json
{
"welcomeFile": "index.html",
"authenticationMethod": "none",
...
}
```

## References

@jeongsoolee09 jeongsoolee09 Sep 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A link to the documentation page about xs-app.json may be a useful addition: https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html

Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, it might be valuable if we mention that xs-app.json succeeds .xsaccess in XS Advanced.

* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).
* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)
* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)
* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).
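Review bot: two typos in the Recommendation bullets: "If set to `none` than all routes" should read "then", and "the method you want implement" should read "want to implement". The XS Classic bullet points readers at the `authentication` keyword in `.xsaccess`, but the Example only shows an `xs-app.json` fragment; a second fragment with `"authentication": null` in `.xsaccess`, the case the query and the `service/exposed` fixture cover, would make the qhelp match what the query reports.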
@@ -0,0 +1,38 @@
/**
* @name Broken XSJS authentication
* @description Disabling XSJS authentication makes the application vulnerable to unauthorized access.
* @kind problem
* @problem.severity warning
* @security-severity 7.5
* @precision medium
* @id js/xsjs-broken-authentication
* @tags security
* external/cwe/cwe-306
*/

import javascript
import advanced_security.javascript.frameworks.xsjs.Xsaccess

from JsonValue value, string msg
where
value.getJsonFile() instanceof ExposedServiceAccessSpec and
(
msg = "Authentication should not be disabled." and
exists(JsonValue v |
value = v.getPropValue(["authentication", "authenticationMethod", "authenticationType"])
|
value.getStringValue() = "none"
or
value instanceof JsonNull
)
or
// the authentication specification is missing from .xsaccess
msg = "Authentication is missing from the configuration." and
value.isTopLevel() and
value.getJsonFile().getBaseName() = ".xsaccess" and
not exists(JsonValue p |
p.getJsonFile() = value.getJsonFile() and
exists(p.getPropValue("authentication"))
)
)
select value, msg
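Review bot: in the "missing" branch, `value.isTopLevel()` already pins `value` to the top-level object, so the search for `p` over the whole file can be replaced by `not exists(value.getPropValue("authentication"))`; as written, an `authentication` key nested anywhere in the file suppresses the alert. In the first branch the `exists(JsonValue v | ...)` wrapper only binds `v`, so `value = any(JsonValue v).getPropValue([...])` says the same thing more directly.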
@@ -0,0 +1,33 @@
# Disabled XSJS CSRF protection

A web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.

## Recommendation

SAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users.
- In `XS Advanced` CSRF protection is enabled by default and should not be disabled.
- In `XS Classic` CSRF protection should be enabled explicitly.

## Example

The following `xs-app.json` fragment enables CSRF protection in XSJS.

```json
"routes": [
{
"source": "/bad/(.*)",
"destination": "srv_api",
"csrfProtection": true,
...
}
]
...
}
]
```

## References

* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).
* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).
* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).
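Review bot: the JSON in the Example is not well-formed: after the route object's `...` the array is closed with `]`, then another `...`, `}` and `]` follow with no matching opener, and the fragment never opens the surrounding `{`. The prose also says the fragment "enables CSRF protection" while the route is named `/bad/(.*)`; qhelp examples conventionally show the flagged configuration, so either show `"csrfProtection": false` for `/bad/` (as the `xs-app.json` fixture does) or rename the route. The XS Classic bullet could name the `prevent_xsrf` keyword the query checks, so readers know what to enable.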
@@ -0,0 +1,35 @@
/**
* @name Disabled XSJS CSRF protection
* @description Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.
* @kind problem
* @problem.severity error
* @security-severity 8.8
* @precision high
* @id js/xsjs-disabled-csrf-protection
* @tags security
* external/cwe/cwe-352
*/

import javascript
import advanced_security.javascript.frameworks.xsjs.Xsaccess

from JsonValue value, string msg
where
value.getJsonFile() instanceof ExposedServiceAccessSpec and
(
msg = "CSRF protection should not be disabled." and
exists(JsonValue v |
value = v.getPropValue(["prevent_xsrf", "csrfProtection"]) and
value.getBooleanValue() = false
)
or
// the CSRF protection is missing from .xsaccess
msg = "CSRF protection is missing from the configuration." and
value.isTopLevel() and
value.getJsonFile().getBaseName() = ".xsaccess" and
not exists(JsonValue p |
p.getJsonFile() = value.getJsonFile() and
exists(p.getPropValue("prevent_xsrf"))
)
)
select value, msg
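Review bot: same point as in XSJSAuthentication.ql: with `value.isTopLevel()` in the "missing" branch, `not exists(value.getPropValue("prevent_xsrf"))` is sufficient and avoids being satisfied by a `prevent_xsrf` key nested in some other object. Since this branch deliberately fires only for `.xsaccess`, a one-line comment that `csrfProtection` is enabled by default in `xs-app.json` (as the qhelp states) would make the asymmetry read as intentional.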
@@ -0,0 +1,4 @@
| service/exposed/.xsaccess:4:23:4:26 | null | Authentication should not be disabled. |
| service/missing_auth/.xsaccess:1:1:4:1 | {\\n " ... true\\n} | Authentication is missing from the configuration. |
| service/xs-app.json:3:29:3:34 | "none" | Authentication should not be disabled. |
| service/xs-app.json:15:35:15:40 | "none" | Authentication should not be disabled. |
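Review bot: these expectations do not line up with the library as submitted: `service/exposed/.xsaccess` is reported, yet `ExposedServiceAccessSpec` only admits `.xsaccess` files with `"exposed": false`, and the only `.xsaccess` fixture in this PR with `"authentication": null` on line 4 is the five-line one that sets `"exposed": true`. Regenerate the `.expected` file once the `exposed` condition is settled, otherwise the test will not pass.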
@@ -0,0 +1 @@
XSJSAuthentication/XSJSAuthentication.ql
@@ -0,0 +1,2 @@
| service/exposed/.xsaccess:1:1:4:1 | {\\n " ... null\\n} | CSRF protection is missing from the configuration. |
| service/xs-app.json:14:31:14:35 | false | CSRF protection should not be disabled. |
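Review bot: the `service/exposed/.xsaccess` row reports CSRF protection as missing over a four-line object ending in `null`, but the fixture that sets `"exposed": true` is five lines long and sets `"prevent_xsrf": false`, which this query would report as "should not be disabled" instead; the expectation looks stale relative to the fixtures and should be regenerated together with XSJSAuthentication.expected.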
@@ -0,0 +1 @@
XSJSCsrfDisabled/XSJSCsrfDisabled.ql
@@ -0,0 +1,5 @@
{
"exposed": true,
"prevent_xsrf": false,
"authentication": null
}
@@ -0,0 +1,4 @@
{
"exposed": false,
"authentication": null
}
@@ -0,0 +1,4 @@
{
"exposed": false,
"prevent_xsrf": true
}
@@ -0,0 +1 @@
var webRequest1 = $.request;
@@ -0,0 +1,18 @@
{
"welcomeFile": "index.html",
"authenticationMethod": "none",
"routes": [
{
"source": "/good/(.*)",
"destination": "srv_api",
"csrfProtection": true,
"authenticationType": "xsuaa"
},
{
"source": "/bad/(.*)",
"destination": "srv_api",
"csrfProtection": false,
"authenticationType": "none"
}
]
}