Fix code-scanning alerts for insecure tmp files

Fixes newly introduced code-scanning alerts due to insecure use of files
created under the system `/tmp/` directory in some recently implemented
unit tests.

Author: data-douser

extractors/cds/tools/cds-extractor.ts

@@ -80,7 +80,7 @@ if (typedProjectMap.__debugParserSuccess) {
 }
 
 // Install dependencies of discovered CAP/CDS projects
-console.log('Ensuring depencencies are installed in cache for required CDS compiler versions...');
+console.log('Ensuring dependencies are installed in cache for required CDS compiler versions...');
 const projectCacheDirMap = installDependencies(projectMap, sourceRoot, codeqlExePath);
 
 const cdsFilePathsToProcess: string[] = [];

extractors/cds/tools/eslint.config.mjs

@@ -40,7 +40,7 @@ export default defineConfig([
       // @ts-expect-error - typescript-eslint is a valid plugin
       '@typescript-eslint': fixupPluginRules(typescriptEslint),
       // @ts-expect-error - import is a valid plugin
-      'import': fixupPluginRules(_import),
+      import: fixupPluginRules(_import),
       // @ts-expect-error - prettier is a valid plugin
       prettier: fixupPluginRules(prettier),
     },
@@ -55,7 +55,7 @@ export default defineConfig([
       sourceType: 'module',
       parserOptions: {
         project: './tsconfig.json',
-        tsconfigRootDir: '/Users/data-douser/Git/data-douser/codeql-sap-js/extractors/cds/tools',
+        tsconfigRootDir: __dirname,
         createDefaultProgram: true,
       },
     },

extractors/cds/tools/package.json

@@ -16,12 +16,14 @@
     "test:coverage": "jest --coverage --collectCoverageFrom='src/**/*.ts'"
   },
   "dependencies": {
+    "@types/tmp": "^0.2.6",
     "child_process": "^1.0.2",
     "fs": "^0.0.1-security",
     "glob": "^11.0.2",
     "os": "^0.1.2",
     "path": "^0.12.7",
-    "shell-quote": "^1.8.2"
+    "shell-quote": "^1.8.2",
+    "tmp": "^0.2.3"
   },
   "devDependencies": {
     "@eslint/compat": "^1.2.9",

extractors/cds/tools/src/cds/compiler/compile.ts

@@ -173,19 +173,6 @@ function compileIndividualFile(
     'warn',
   ];
 
-  /**
-   * using the `--parse` flag changes how the data is shown in the generated .cds.json file,
-   * where annotations and other metadata will show up under the `extensions` property instead
-   * of the `definitions` property, as used in previous versions of the CDS extractor.
-   *
-   * DELETE this comment if the `--parse` flag is definitely not needed in the future.
-   *
-   * // For root CDS files in project-aware mode, add --parse flag to ensure complete model
-   *if (projectBasedCompilation) {
-   *  compileArgs.push('--parse');
-   *}
-   */
-
   // CRITICAL: Use the provided spawnOptions which has sourceRoot as cwd
   const result = spawnSync(cdsCommand, compileArgs, spawnOptions);
 

extractors/cds/tools/src/cds/compiler/project.ts

@@ -1,3 +1,5 @@
+import { relative } from 'path';
+
 /**
  * Helper functions for mapping CDS files to their projects and cache directories
  */
@@ -15,15 +17,20 @@ export function findProjectForCdsFile(
   projectMap: Map<string, { cdsFiles: string[] }>,
 ): string | undefined {
   // Get the relative path to the project directory for this CDS file
-  const relativeCdsFilePath = cdsFilePath.startsWith(sourceRoot)
-    ? cdsFilePath.substring(sourceRoot.length + 1)
-    : cdsFilePath;
+  const relativeCdsFilePath = relative(sourceRoot, cdsFilePath);
+
+  // If the file is outside the source root, path.relative() will start with '../'
+  // In this case, we should also check against the absolute path
+  const isOutsideSourceRoot = relativeCdsFilePath.startsWith('../');
 
   // Find the project this file belongs to
   for (const [projectDir, project] of projectMap.entries()) {
     if (
       project.cdsFiles.some(
-        cdsFile => cdsFile === relativeCdsFilePath || relativeCdsFilePath.startsWith(projectDir),
+        cdsFile =>
+          cdsFile === relativeCdsFilePath ||
+          relativeCdsFilePath.startsWith(projectDir) ||
+          (isOutsideSourceRoot && cdsFile === cdsFilePath),
       )
     ) {
       return projectDir;

extractors/cds/tools/test/src/cds/parser/files-to-compile.test.ts

@@ -1,24 +1,44 @@
-import { mkdirSync, writeFileSync, rmSync } from 'fs';
-import { tmpdir } from 'os';
-import { join } from 'path';
+import { mkdirSync, writeFileSync } from 'fs';
+import { resolve, relative } from 'path';
+
+import * as tmp from 'tmp';
 
 import { determineCdsFilesToCompile } from '../../../../src/cds/parser/functions';
 
+/**
+ * Validates that a path is safe to use within a base directory.
+ * Prevents path traversal attacks by ensuring the resolved path stays within the base directory.
+ */
+function validateSafePath(basePath: string, ...pathSegments: string[]): string {
+  const resolvedBase = resolve(basePath);
+  const targetPath = resolve(basePath, ...pathSegments);
+
+  // Check if the resolved target path is within the base directory
+  const relativePath = relative(resolvedBase, targetPath);
+  if (relativePath.startsWith('..') || relativePath.includes('..')) {
+    throw new Error(`Path traversal detected: ${pathSegments.join('/')}`);
+  }
+
+  return targetPath;
+}
+
 describe('determineCdsFilesToCompile', () => {
   let tempDir: string;
   let sourceRoot: string;
+  let tmpCleanup: (() => void) | undefined;
 
   beforeEach(() => {
-    // Create a unique temporary directory for each test
-    tempDir = join(tmpdir(), `test-${Date.now()}-${Math.random().toString(36).substring(7)}`);
+    // Create a secure temporary directory for each test
+    const tmpObj = tmp.dirSync({ unsafeCleanup: true });
+    tempDir = tmpObj.name;
     sourceRoot = tempDir;
-    mkdirSync(tempDir, { recursive: true });
+    tmpCleanup = tmpObj.removeCallback;
   });
 
   afterEach(() => {
-    // Clean up temporary directory
-    if (tempDir) {
-      rmSync(tempDir, { recursive: true, force: true });
+    // Clean up temporary directory using tmp library's cleanup function
+    if (tmpCleanup) {
+      tmpCleanup();
     }
   });
 
@@ -48,8 +68,8 @@ describe('determineCdsFilesToCompile', () => {
 
   it('should return only root files for non-CAP projects with imports', () => {
     // Create test CDS files in a flat structure (not CAP-like)
-    writeFileSync(join(sourceRoot, 'service.cds'), 'using from "./schema";');
-    writeFileSync(join(sourceRoot, 'schema.cds'), 'entity Test {}');
+    writeFileSync(validateSafePath(sourceRoot, 'service.cds'), 'using from "./schema";');
+    writeFileSync(validateSafePath(sourceRoot, 'schema.cds'), 'entity Test {}');
 
     const project = {
       projectDir: '.',
@@ -79,10 +99,10 @@ describe('determineCdsFilesToCompile', () => {
 
   it('should use project-level compilation for CAP projects with srv and db directories', () => {
     // Create test CDS files
-    mkdirSync(join(sourceRoot, 'srv'), { recursive: true });
-    mkdirSync(join(sourceRoot, 'db'), { recursive: true });
-    writeFileSync(join(sourceRoot, 'srv/service.cds'), 'using from "../db/schema";');
-    writeFileSync(join(sourceRoot, 'db/schema.cds'), 'entity Test {}');
+    mkdirSync(validateSafePath(sourceRoot, 'srv'), { recursive: true });
+    mkdirSync(validateSafePath(sourceRoot, 'db'), { recursive: true });
+    writeFileSync(validateSafePath(sourceRoot, 'srv/service.cds'), 'using from "../db/schema";');
+    writeFileSync(validateSafePath(sourceRoot, 'db/schema.cds'), 'entity Test {}');
 
     const project = {
       projectDir: '.',
@@ -111,11 +131,11 @@ describe('determineCdsFilesToCompile', () => {
 
   it('should use project-level compilation for CAP projects with multiple services', () => {
     // Create test CDS files
-    mkdirSync(join(sourceRoot, 'srv'), { recursive: true });
-    mkdirSync(join(sourceRoot, 'db'), { recursive: true });
-    writeFileSync(join(sourceRoot, 'srv/service1.cds'), 'using from "../db/schema";');
-    writeFileSync(join(sourceRoot, 'srv/service2.cds'), 'using from "../db/schema";');
-    writeFileSync(join(sourceRoot, 'db/schema.cds'), 'entity Test {}');
+    mkdirSync(validateSafePath(sourceRoot, 'srv'), { recursive: true });
+    mkdirSync(validateSafePath(sourceRoot, 'db'), { recursive: true });
+    writeFileSync(validateSafePath(sourceRoot, 'srv/service1.cds'), 'using from "../db/schema";');
+    writeFileSync(validateSafePath(sourceRoot, 'srv/service2.cds'), 'using from "../db/schema";');
+    writeFileSync(validateSafePath(sourceRoot, 'db/schema.cds'), 'entity Test {}');
 
     const project = {
       projectDir: '.',

extractors/cds/tools/test/src/cds/parser/project-aware-compilation.test.ts

@@ -1,37 +1,55 @@
-import { mkdirSync, rmSync, writeFileSync } from 'fs';
-import { tmpdir } from 'os';
-import { join } from 'path';
+import { mkdirSync, writeFileSync } from 'fs';
+import { resolve, relative } from 'path';
+
+import * as tmp from 'tmp';
 
 import { determineCdsFilesToCompile } from '../../../../src/cds/parser/functions';
 
+/**
+ * Validates that a path is safe to use within a base directory.
+ * Prevents path traversal attacks by ensuring the resolved path stays within the base directory.
+ */
+function validateSafePath(basePath: string, ...pathSegments: string[]): string {
+  const resolvedBase = resolve(basePath);
+  const targetPath = resolve(basePath, ...pathSegments);
+
+  // Check if the resolved target path is within the base directory
+  const relativePath = relative(resolvedBase, targetPath);
+  if (relativePath.startsWith('..') || relativePath.includes('..')) {
+    throw new Error(`Path traversal detected: ${pathSegments.join('/')}`);
+  }
+
+  return targetPath;
+}
+
 describe('Project-aware compilation for CAP projects', () => {
   let tempDir: string;
+  let tmpCleanup: (() => void) | undefined;
 
   beforeEach(() => {
-    // Create a temporary directory for each test
-    tempDir = join(tmpdir(), `cds-test-${Date.now()}-${Math.random().toString(36).substring(7)}`);
-    mkdirSync(tempDir, { recursive: true });
+    // Create a secure temporary directory for each test
+    const tmpObj = tmp.dirSync({ unsafeCleanup: true });
+    tempDir = tmpObj.name;
+    tmpCleanup = tmpObj.removeCallback;
   });
 
   afterEach(() => {
-    // Clean up temporary directory
-    try {
-      rmSync(tempDir, { recursive: true, force: true });
-    } catch (error: unknown) {
-      console.warn(`Warning: Could not clean up temp directory ${tempDir}: ${String(error)}`);
+    // Clean up temporary directory using tmp library's cleanup function
+    if (tmpCleanup) {
+      tmpCleanup();
     }
   });
 
   it('should use project-level compilation for log injection test case structure', () => {
     // Create the log injection test case structure
-    const projectPath = join(tempDir, 'log-injection-without-protocol-none');
+    const projectPath = validateSafePath(tempDir, 'log-injection-without-protocol-none');
     mkdirSync(projectPath, { recursive: true });
-    mkdirSync(join(projectPath, 'db'), { recursive: true });
-    mkdirSync(join(projectPath, 'srv'), { recursive: true });
+    mkdirSync(validateSafePath(projectPath, 'db'), { recursive: true });
+    mkdirSync(validateSafePath(projectPath, 'srv'), { recursive: true });
 
     // Create package.json with CAP dependencies
     writeFileSync(
-      join(projectPath, 'package.json'),
+      validateSafePath(projectPath, 'package.json'),
       JSON.stringify({
         name: 'log-injection-test',
         dependencies: {
@@ -42,7 +60,7 @@ describe('Project-aware compilation for CAP projects', () => {
 
     // Create CDS files
     writeFileSync(
-      join(projectPath, 'db', 'schema.cds'),
+      validateSafePath(projectPath, 'db', 'schema.cds'),
       `namespace advanced_security.log_injection.sample_entities;
 
 entity Entity1 {
@@ -57,7 +75,7 @@ entity Entity2 {
     );
 
     writeFileSync(
-      join(projectPath, 'srv', 'service1.cds'),
+      validateSafePath(projectPath, 'srv', 'service1.cds'),
       `using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
 
 service Service1 @(path: '/service-1') {
@@ -70,7 +88,7 @@ service Service1 @(path: '/service-1') {
     );
 
     writeFileSync(
-      join(projectPath, 'srv', 'service2.cds'),
+      validateSafePath(projectPath, 'srv', 'service2.cds'),
       `using { advanced_security.log_injection.sample_entities as db_schema } from '../db/schema';
 
 service Service2 @(path: '/service-2') {
@@ -128,12 +146,12 @@ service Service2 @(path: '/service-2') {
 
   it('should still use individual file compilation for simple projects without CAP structure', () => {
     // Create a simple project without typical CAP structure
-    const simpleProjectPath = join(tempDir, 'simple-project');
+    const simpleProjectPath = validateSafePath(tempDir, 'simple-project');
     mkdirSync(simpleProjectPath, { recursive: true });
 
     // Create CDS files in flat structure
     writeFileSync(
-      join(simpleProjectPath, 'main.cds'),
+      validateSafePath(simpleProjectPath, 'main.cds'),
       `using from "./model";
 
 service MainService {
@@ -142,7 +160,7 @@ service MainService {
     );
 
     writeFileSync(
-      join(simpleProjectPath, 'model.cds'),
+      validateSafePath(simpleProjectPath, 'model.cds'),
       `namespace model;
 
 entity Item {