Added @sap/hdbext.loadProccedure as sql sink.

Author: Napalys

javascript/ql/lib/ext/hana-db-client.model.yml

@@ -4,5 +4,5 @@ extensions:
       extensible: sinkModel
     data:
       - ["@sap/hana-client", "Member[createConnection].ReturnValue.Member[exec,prepare].Argument[0]", "sql-injection"]
-
       - ["hdb", "Member[createClient].ReturnValue.Member[exec,prepare,execute].Argument[0]", "sql-injection"]
+      - ["@sap/hdbext", "Member[loadProcedure].Argument[2]", "sql-injection"]

javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected

@@ -14,6 +14,7 @@
 | hana.js:17:35:17:100 | `SELECT ... usInput | hana.js:16:32:16:39 | req.body | hana.js:17:35:17:100 | `SELECT ... usInput | This query string depends on a $@. | hana.js:16:32:16:39 | req.body | user-provided value |
 | hana.js:24:33:24:96 | `INSERT ... usInput | hana.js:23:32:23:39 | req.body | hana.js:24:33:24:96 | `INSERT ... usInput | This query string depends on a $@. | hana.js:23:32:23:39 | req.body | user-provided value |
 | hana.js:31:31:31:97 | "SELECT ... usInput | hana.js:30:30:30:37 | req.body | hana.js:31:31:31:97 | "SELECT ... usInput | This query string depends on a $@. | hana.js:30:30:30:37 | req.body | user-provided value |
+| hana.js:54:38:54:66 | 'PROC_D ... usInput | hana.js:47:24:47:31 | req.body | hana.js:54:38:54:66 | 'PROC_D ... usInput | This query string depends on a $@. | hana.js:47:24:47:31 | req.body | user-provided value |
 | hana.js:71:44:71:99 | "INSERT ... usInput | hana.js:68:24:68:31 | req.body | hana.js:71:44:71:99 | "INSERT ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
 | hana.js:73:17:73:54 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:73:17:73:54 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
 | hana.js:74:17:74:54 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:74:17:74:54 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
@@ -175,6 +176,13 @@ edges
 | hana.js:30:13:30:42 | maliciousInput | hana.js:31:84:31:97 | maliciousInput | provenance |  |
 | hana.js:30:30:30:37 | req.body | hana.js:30:13:30:42 | maliciousInput | provenance |  |
 | hana.js:31:84:31:97 | maliciousInput | hana.js:31:31:31:97 | "SELECT ... usInput | provenance |  |
+| hana.js:47:7:47:36 | maliciousInput | hana.js:48:39:48:52 | maliciousInput | provenance |  |
+| hana.js:47:7:47:36 | maliciousInput | hana.js:50:76:50:89 | maliciousInput | provenance |  |
+| hana.js:47:7:47:36 | maliciousInput | hana.js:54:53:54:66 | maliciousInput | provenance |  |
+| hana.js:47:24:47:31 | req.body | hana.js:47:7:47:36 | maliciousInput | provenance |  |
+| hana.js:48:39:48:52 | maliciousInput | hana.js:50:76:50:89 | maliciousInput | provenance |  |
+| hana.js:50:76:50:89 | maliciousInput | hana.js:54:53:54:66 | maliciousInput | provenance |  |
+| hana.js:54:53:54:66 | maliciousInput | hana.js:54:38:54:66 | 'PROC_D ... usInput | provenance |  |
 | hana.js:68:7:68:36 | maliciousInput | hana.js:71:86:71:99 | maliciousInput | provenance |  |
 | hana.js:68:7:68:36 | maliciousInput | hana.js:73:41:73:54 | maliciousInput | provenance |  |
 | hana.js:68:7:68:36 | maliciousInput | hana.js:74:41:74:54 | maliciousInput | provenance |  |
@@ -557,6 +565,12 @@ nodes
 | hana.js:30:30:30:37 | req.body | semmle.label | req.body |
 | hana.js:31:31:31:97 | "SELECT ... usInput | semmle.label | "SELECT ... usInput |
 | hana.js:31:84:31:97 | maliciousInput | semmle.label | maliciousInput |
+| hana.js:47:7:47:36 | maliciousInput | semmle.label | maliciousInput |
+| hana.js:47:24:47:31 | req.body | semmle.label | req.body |
+| hana.js:48:39:48:52 | maliciousInput | semmle.label | maliciousInput |
+| hana.js:50:76:50:89 | maliciousInput | semmle.label | maliciousInput |
+| hana.js:54:38:54:66 | 'PROC_D ... usInput | semmle.label | 'PROC_D ... usInput |
+| hana.js:54:53:54:66 | maliciousInput | semmle.label | maliciousInput |
 | hana.js:68:7:68:36 | maliciousInput | semmle.label | maliciousInput |
 | hana.js:68:24:68:31 | req.body | semmle.label | req.body |
 | hana.js:71:44:71:99 | "INSERT ... usInput | semmle.label | "INSERT ... usInput |

javascript/ql/test/query-tests/Security/CWE-089/untyped/hana.js

@@ -44,14 +44,14 @@ app1.use(hdbext.middleware(hanaConfig));
 
 app1.get('/execute-query', function (req, res) {
   var client = req.db;
-  let maliciousInput = req.body.data; // $ MISSING: Source
+  let maliciousInput = req.body.data; // $ Source
   client.exec('SELECT * FROM DUMMY' + maliciousInput, function (err, rs) {}); // $ MISSING: Alert
 
   dbStream.createProcStatement(client, 'CALL PROC_DUMMY (?, ?, ?, ?, ?)' + maliciousInput, function (err, stmt) { // $ MISSING: Alert
     stmt.exec({ A: maliciousInput, B: 4 }, function (err, params, dummyRows, tablesRows) {}); // maliciousInput is treated as a parameter
   });
 
-  hdbext.loadProcedure(client, null, 'PROC_DUMMY' + maliciousInput, function(err, sp) { // $ MISSING: Alert
+  hdbext.loadProcedure(client, null, 'PROC_DUMMY' + maliciousInput, function(err, sp) { // $ Alert
     sp(3, maliciousInput, function(err, parameters, dummyRows, tablesRows) {}); // maliciousInput is treated as a parameter
   });
 });