Checkpoint

jeongsoolee09 · jeongsoolee09 · commit 05e9a0b74229 · 2025-04-24T08:01:44.000-04:00
1. Minor comment formatting
2. Unify the TypeTrackers into one (hasDependency)
3. Some more modeling
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -155,7 +155,8 @@ abstract class UserModule extends CallExpr {
 class SapDefineModule extends AmdModuleDefinition::Range, MethodCallExpr, UserModule {
   SapDefineModule() {
     /*
-     * NOTE: This only matches a call to the dot expression `sap.ui.define`, and does not consider a flow among `sap`, `ui`, and `define`.
+     * NOTE: This only matches a call to the dot expression `sap.ui.define`, and does not
+     * consider a flow among `sap`, `ui`, and `define`.
      */
 
     exists(GlobalVarAccess sap, DotExpr sapUi, DotExpr sapUiDefine |
@@ -220,50 +221,11 @@ class JQueryDefineModule extends UserModule, MethodCallExpr {
   }
 }
 
-private SourceNode sapControl(TypeTracker t) {
-  t.start() and
-  exists(UserModule d, string dependencyType |
-    dependencyType = ["sap/ui/core/Control", "sap.ui.core.Control"]
-  |
-    d.getADependency() = dependencyType and
-    result = d.getRequiredObject(dependencyType).asSourceNode()
-  )
-  or
-  exists(TypeTracker t2 | result = sapControl(t2).track(t2, t))
-}
-
-private SourceNode sapControl() { result = sapControl(TypeTracker::end()) }
-
-private SourceNode sapController(TypeTracker t) {
-  t.start() and
-  exists(UserModule d, string dependencyType |
-    dependencyType = ["sap/ui/core/mvc/Controller", "sap.ui.core.mvc.Controller"]
-  |
-    d.getADependency() = dependencyType and
-    result = d.getRequiredObject(dependencyType).asSourceNode()
-  )
-  or
-  exists(TypeTracker t2 | result = sapController(t2).track(t2, t))
-}
-
-private SourceNode sapController() { result = sapController(TypeTracker::end()) }
-
-private SourceNode sapRenderer(TypeTracker t) {
-  t.start() and
-  exists(UserModule d, string dependencyType |
-    dependencyType = ["sap/ui/core/Renderer", "sap.ui.core.Renderer"]
-  |
-    d.getADependency() = dependencyType and
-    result = d.getRequiredObject(dependencyType).asSourceNode()
-  )
-  or
-  exists(TypeTracker t2 | result = sapController(t2).track(t2, t))
-}
-
-private SourceNode sapRenderer() { result = sapRenderer(TypeTracker::end()) }
-
-private class Renderer extends SapExtendCall {
-  Renderer() { this.getReceiver().getALocalSource() = sapRenderer() }
+class Renderer extends SapExtendCall {
+  Renderer() {
+    this.getReceiver().getALocalSource() =
+      TypeTrackers::hasDependency(["sap/ui/core/Renderer", "sap.ui.core.Renderer"])
+  }
 
   FunctionNode getRenderer() {
     /* 1. Old API */
@@ -276,7 +238,8 @@ private class Renderer extends SapExtendCall {
 
 class CustomControl extends SapExtendCall {
   CustomControl() {
-    this.getReceiver().getALocalSource() = sapControl() or
+    this.getReceiver().getALocalSource() =
+      TypeTrackers::hasDependency(["sap/ui/core/mvc/Controller", "sap.ui.core.mvc.Controller"]) or
     exists(SapDefineModule sapModule | this.getDefine() = sapModule.getExtendingModule())
   }
 
@@ -450,7 +413,8 @@ class CustomController extends SapExtendCall {
   string name;
 
   CustomController() {
-    this.getReceiver().getALocalSource() = sapController() and
+    this.getReceiver().getALocalSource() =
+      TypeTrackers::hasDependency(["sap/ui/core/mvc/Controller", "sap.ui.core.mvc.Controller"]) and
     name = this.getFile().getBaseName().regexpCapture("([a-zA-Z0-9]+).[cC]ontroller.js", 1)
   }
 
@@ -772,35 +736,24 @@ abstract class UI5InternalModel extends UI5Model, NewNode {
   abstract string getPathString(Property property);
 }
 
-/**
- * Represents models that are loaded from an external source, e.g. OData service.
- * It is the value flowing to a `setModel` call in a handler of a `CustomController` (which is represented by `ControllerHandler`), since it is the closest we can get to the actual model itself.
- */
-private SourceNode sapComponent(TypeTracker t) {
-  t.start() and
-  exists(UserModule d, string dependencyType |
-    dependencyType =
-      [
-        "sap/ui/core/mvc/Component", "sap.ui.core.mvc.Component", "sap/ui/core/UIComponent",
-        "sap.ui.core.UIComponent"
-      ]
-  |
-    d.getADependency() = dependencyType and
-    result = d.getRequiredObject(dependencyType).asSourceNode()
-  )
-  or
-  exists(TypeTracker t2 | result = sapComponent(t2).track(t2, t))
-}
-
-private SourceNode sapComponent() { result = sapComponent(TypeTracker::end()) }
-
 import ManifestJson
 
 /**
  * A UI5 Component that may contain other controllers or controls.
  */
 class Component extends SapExtendCall {
-  Component() { this.getReceiver().getALocalSource() = sapComponent() }
+  Component() {
+    this.getReceiver().getALocalSource() =
+      /*
+       * Represents models that are loaded from an external source, e.g. OData service.
+       * It is the value flowing to a `setModel` call in a handler of a `CustomController` (which is represented by `ControllerHandler`), since it is the closest we can get to the actual model itself.
+       */
+
+      TypeTrackers::hasDependency([
+          "sap/ui/core/mvc/Component", "sap.ui.core.mvc.Component", "sap/ui/core/UIComponent",
+          "sap.ui.core.UIComponent"
+        ])
+  }
 
   string getId() { result = this.getName().regexpCapture("([a-zA-Z0-9.]+).Component", 1) }
 
@@ -1490,3 +1443,19 @@ class PropertyMetadata extends ObjectLiteralNode {
     inSameWebApp(this.getFile(), result.getFile())
   }
 }
+
+module TypeTrackers {
+  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
+    t.start() and
+    exists(UserModule d |
+      d.getADependency() = dependencyPath and
+      result = d.getRequiredObject(dependencyPath).asSourceNode()
+    )
+    or
+    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
+  }
+
+  SourceNode hasDependency(string dependencyPath) {
+    result = hasDependency(TypeTracker::end(), dependencyPath)
+  }
+}
diff --git a/javascript/frameworks/ui5/src/UI5LogInjection/UI5LogsToHttp.ql b/javascript/frameworks/ui5/src/UI5LogInjection/UI5LogsToHttp.ql
@@ -27,6 +27,47 @@ class UI5LogInjectionConfiguration extends LogInjection::LogInjectionConfigurati
   }
 }
 
+class UI5Logger extends RequiredObject {
+  UI5Logger() { this.getDependency() = "sap/base/Log" }
+
+  DataFlow::Node getALogListener() {
+    exists(MethodCallNode addLogListenerCall |
+      addLogListenerCall.getCalleeName() = "addLogListener" and
+      result = addLogListenerCall.getArgument(0)
+    )
+  }
+
+  MethodCallNode getLogEntriesCall() {
+    result.getReceiver().getALocalSource() = this.asSourceNode() and
+    result.getMethodName() = "getLogEntries"
+  }
+}
+
+private predicate test(MethodCallNode call, Node receiver, SourceNode receiverSource) {
+  call.getMethodName() = "getLogEntries" and
+  receiver = call.getReceiver() and
+  receiverSource = receiver.getALocalSource()
+}
+
+SourceNode isLogListener(TypeBackTracker t) {
+  t.start() and
+  exists(UI5Logger log | result = log.getALogListener())
+  or
+  exists(DataFlow::TypeBackTracker t2 | result = isLogListener(t2).backtrack(t2, t))
+}
+
+SourceNode isLogListener() { result = isLogListener(TypeBackTracker::end()) }
+
+class LogListener extends DataFlow::Node {
+  LogListener() { this = isLogListener() }
+
+  FunctionNode getOnLogEntryMethod() {
+    exists(DataFlow::PropWrite propWrite | propWrite.getPropertyName() = "onLogEntry" |
+      result = propWrite.getRhs()
+    )
+  }
+}
+
 from
   UI5LogInjectionConfiguration cfg, UI5PathNode source, UI5PathNode sink, UI5PathNode primarySource
 where
