compass asApp/asUser

Author: dxu2-atlassian

crates/forge_analyzer/src/checkers.rs

@@ -1119,6 +1119,9 @@ impl<'cx> Dataflow<'cx> for PermissionDataflow {
                     interp.bitbucket_permission_resolver,
                     interp.bitbucket_regex_map,
                 ),
+                IntrinsicName::RequestCompass => {
+                    (interp.compass_permission_resolver, interp.compass_regex_map)
+                }
                 IntrinsicName::Other => {
                     (&PermissionHashMap::new(), &HashMap::<String, Regex>::new())
                 }

crates/forge_analyzer/src/definitions.rs

@@ -629,6 +629,7 @@ pub enum IntrinsicName {
     RequestConfluence,
     RequestJira,
     RequestBitbucket,
+    RequestCompass,
     Other,
 }
 
@@ -1192,6 +1193,25 @@ impl FunctionAnalyzer<'_> {
                 package.cloned().map(Intrinsic::SecretFunction)
             }
 
+            // graphqlGateway's compass
+            // import graphqlGateway from "@atlassian/forge-graphql";
+            // const { errors, data} = await graphqlGateway.compass.asApp().getComponent({ componentId });
+            // [PropPath::Def(def), PropPath::Static(ref compass), ref auth
+            [PropPath::Def(def), PropPath::Static(ref compass), ref authn @ .., PropPath::Static(ref function_name)]
+                if *compass == *"compass"
+                    && Some(&ImportKind::Default)
+                        == self.res.is_imported_from(def, "@atlassian/forge-graphql") =>
+            {
+                match authn.first() {
+                    Some(PropPath::MemberCall(name)) if name == "asApp" => {
+                        Some(Intrinsic::ApiCall(IntrinsicName::RequestCompass))
+                    }
+                    Some(PropPath::MemberCall(name)) if name == "asUser" => {
+                        Some(Intrinsic::SafeCall(IntrinsicName::RequestCompass))
+                    }
+                    _ => None,
+                }
+            }
             _ => None,
         }
     }

crates/forge_analyzer/src/interp.rs

@@ -396,12 +396,14 @@ pub struct Interp<'cx, C: Runner<'cx>> {
     pub jira_permission_resolver: &'cx PermissionHashMap,
     pub confluence_permission_resolver: &'cx PermissionHashMap,
     pub bitbucket_permission_resolver: &'cx PermissionHashMap,
+    pub compass_permission_resolver: &'cx PermissionHashMap,
     pub jira_any_regex_map: &'cx HashMap<String, Regex>,
     pub jira_software_regex_map: &'cx HashMap<String, Regex>,
     pub jira_service_management_regex_map: &'cx HashMap<String, Regex>,
     pub jira_regex_map: &'cx HashMap<String, Regex>,
     pub confluence_regex_map: &'cx HashMap<String, Regex>,
     pub bitbucket_regex_map: &'cx HashMap<String, Regex>,
+    pub compass_regex_map: &'cx HashMap<String, Regex>,
     _checker: PhantomData<C>,
 }
 
@@ -526,6 +528,8 @@ impl<'cx, C: Runner<'cx>> Interp<'cx, C> {
         confluence_regex_map: &'cx HashMap<String, Regex>,
         bitbucket_permission_resolver: &'cx PermissionHashMap,
         bitbucket_regex_map: &'cx HashMap<String, Regex>,
+        compass_permission_resolver: &'cx PermissionHashMap,
+        compass_regex_map: &'cx HashMap<String, Regex>,
     ) -> Self {
         let call_graph = CallGraph::new(env);
 
@@ -558,12 +562,14 @@ impl<'cx, C: Runner<'cx>> Interp<'cx, C> {
             jira_permission_resolver,
             confluence_permission_resolver,
             bitbucket_permission_resolver,
+            compass_permission_resolver,
             jira_any_regex_map,
             jira_software_regex_map,
             jira_service_management_regex_map,
             jira_regex_map,
             confluence_regex_map,
             bitbucket_regex_map,
+            compass_regex_map,
             _checker: PhantomData,
             runner_visited: RefCell::new(FxHashSet::default()),
         }

crates/forge_permission_resolver/src/permissions_resolver.rs

@@ -142,6 +142,11 @@ pub fn get_permission_resolver_bitbucket() -> (PermissionHashMap, HashMap<String
     get_permission_resolver(bitbucket_url)
 }
 
+pub fn get_permission_resolver_compass() -> (PermissionHashMap, HashMap<String, Regex>) {
+    let compass_url = "https://developer.atlassian.com/cloud/compass/swagger.v3.json";
+    get_permission_resolver(compass_url)
+}
+
 pub fn get_permission_resolver(url: &str) -> (PermissionHashMap, HashMap<String, Regex>) {
     let mut endpoint_map: PermissionHashMap = HashMap::default();
     let mut endpoint_regex: HashMap<String, Regex> = HashMap::default();
@@ -408,6 +413,22 @@ mod test {
         );
     }
 
+    #[test]
+    #[ignore]
+    fn test_resolving_compass_permissions() {
+        // TODO: it seems no permissions are being returned for compass urls
+        let (permission_map, regex_map) = get_permission_resolver_compass();
+
+        let url = "/compass/v1/events";
+        let request_type = RequestType::Post;
+        let result = check_url_for_permissions(&permission_map, &regex_map, request_type, url);
+
+        assert!(
+            !result.is_empty(),
+            "Should have parsed permissions for compass endpoint"
+        );
+    }
+
     #[test]
     fn test_get_issues_for_epic() {
         let (permission_map, regex_map) = get_permission_resolver_jira_software();

crates/fsrt/src/main.rs

@@ -6,9 +6,10 @@ mod test;
 
 use clap::{Parser, ValueHint};
 use forge_permission_resolver::permissions_resolver::{
-    get_permission_resolver_bitbucket, get_permission_resolver_confluence,
-    get_permission_resolver_jira, get_permission_resolver_jira_any,
-    get_permission_resolver_jira_service_management, get_permission_resolver_jira_software,
+    get_permission_resolver_bitbucket, get_permission_resolver_compass,
+    get_permission_resolver_confluence, get_permission_resolver_jira,
+    get_permission_resolver_jira_any, get_permission_resolver_jira_service_management,
+    get_permission_resolver_jira_software,
 };
 use glob::glob;
 use std::{
@@ -418,6 +419,7 @@ pub(crate) fn scan_directory<'a>(
     let (confluence_permission_resolver, confluence_regex_map) =
         get_permission_resolver_confluence();
     let (bitbucket_permission_resolver, bitbucket_regex_map) = get_permission_resolver_bitbucket();
+    let (compass_permission_resolver, compass_regex_map) = get_permission_resolver_compass();
 
     let mut definition_analysis_interp = Interp::<DefinitionAnalysisRunner>::new(
         &proj.env,
@@ -436,6 +438,8 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
+        &compass_regex_map,
     );
 
     let mut interp = Interp::new(
@@ -455,6 +459,8 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
+        &compass_regex_map,
     );
     let mut authn_interp = Interp::new(
         &proj.env,
@@ -473,6 +479,8 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
+        &compass_regex_map,
     );
 
     let mut reporter = Reporter::new();
@@ -493,6 +501,8 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
+        &compass_regex_map,
     );
     reporter.add_app(opts.appkey.clone().unwrap_or_default(), name.to_owned());
 
@@ -513,6 +523,8 @@ pub(crate) fn scan_directory<'a>(
         &confluence_regex_map,
         &bitbucket_permission_resolver,
         &bitbucket_regex_map,
+        &compass_permission_resolver,
+        &compass_regex_map,
     );
     for func in &proj.funcs {
         let mut def_checker = DefinitionAnalysisRunner::new();

crates/fsrt/src/test.rs

@@ -1187,3 +1187,47 @@ fn no_extra_scope_bitbucket() {
     let scan_result = scan_directory_test(test_forge_project);
     assert!(scan_result.contains_vulns(0));
 }
+
+#[test] // Tests manifest with no extra scopes, we expect no vulns.
+fn graphql_compass() {
+    let test_forge_project = MockForgeProject::files_from_string(
+        "// src/index.tsx
+        import ForgeUI, { render, Fragment, Macro, Text } from '@forge/ui';
+        import graphqlGateway from '@atlassian/forge-graphql';
+
+        const App = () => {
+            const {
+                errors,
+                data
+            } = await graphqlGateway.compass.asApp().getComponent(1);
+
+            return (
+                <Fragment>
+                <Text>Hello world!</Text>
+                </Fragment>
+            );
+        };
+        export const run = render(<Macro app={<App />} />);
+
+        // manifest.yaml
+        modules:
+            macro:
+              - key: basic-hello-world
+                function: main
+                title: basic
+                handler: nothing
+                description: Inserts Hello world!
+            function:
+              - key: main
+                handler: index.run
+        app:
+            id: ari:cloud:ecosystem::app/07b89c0f-949a-4905-9de9-6c9521035986
+        permissions:
+            scopes:
+            ",
+    );
+
+    let scan_result = scan_directory_test(test_forge_project);
+    assert!(scan_result.contains_authz_vuln(1));
+    dbg!(scan_result.into_vulns()[0].description());
+}