
002_0005 - AvoidSystemEntityAssociation

Avoid using system storage objects directly

Remove direct associations with the System Domain Model. Use inheritance instead (i.e. Generalization in the entity properties).

Metadata

authors:
- Xiwen Cheng <x@cinaq.com>
category: Security
input: '*/DomainModels$DomainModel.yaml'
rulename: AvoidSystemEntityAssociation
rulenumber: '002_0005'
scope: package
severity: HIGH

Description

Always use inheritance for file documents and images. Never implement direct associations to the System Domain Model, because of the limits this places on security configuration.

Remediation

Remove direct associations with the System Domain Model. Use inheritance instead (i.e. Generalization in the entity properties).

Test cases

package app.mendix.domain_model.avoid_system_entity_association
import rego.v1


# Test data
negative = {
    "Name": "HELLO_THERE1",
    "Child": "SomeModule.FileDocument",
}

positive = {
    "Name": "HELLO_THERE2",
    "Child": "System.FileDocument",
}


# Test cases

test_no_cross_associations if {
    allow with input as {"CrossAssociations": null}
}

test_negative if {
    allow with input as {"CrossAssociations": [negative]}
}

test_positive if {
    not allow with input as {"CrossAssociations": [positive]}
}

test_mixed if {
    not allow with input as {"CrossAssociations": [negative, positive]}
}
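
A minimal policy that would satisfy the test cases above, added here as an illustration; it is not the project's own rule source. The input fields (`CrossAssociations`, `Name`, `Child`) come from the test data, while the `errors` set and the message text are assumptions.

```rego
package app.mendix.domain_model.avoid_system_entity_association

import rego.v1

# Deny by default; the domain model passes only when no violation is found.
default allow := false

allow if count(errors) == 0

# One entry per cross-module association whose child entity lives in the
# System module (for example System.FileDocument or System.Image).
# When CrossAssociations is null or absent, the iteration yields nothing,
# so the set stays empty and the model is allowed.
errors contains msg if {
    some assoc in input.CrossAssociations
    startswith(assoc.Child, "System.")
    msg := sprintf(
        "[HIGH, Security, 002_0005] association %v points at %v; use Generalization instead",
        [assoc.Name, assoc.Child],
    )
}
```

Matching on the `System.` prefix leaves an entity such as `SomeModule.FileDocument`, which inherits from the System entity, unflagged; that inherited entity is the form the remediation asks for.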