
Commit 17f2897

committed
Port over UI5Xss
1 parent a97afee commit 17f2897

2 files changed

Lines changed: 37 additions & 35 deletions


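--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
@@ -1,39 +1,18 @@
 import javascript
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow
 import advanced_security.javascript.frameworks.ui5.UI5View
-import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
+private import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
 
-class Configuration extends DomBasedXss::Configuration {
-override predicate isSource(DataFlow::Node start) {
-super.isSource(start)
+module UI5Xss implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node start) {
+DomBasedXss::DomBasedXssConfig::isSource(start, _)
 or
 start instanceof RemoteFlowSource
 }
 
-override predicate isAdditionalFlowStep(
-DataFlow::Node start, DataFlow::Node end, DataFlow::FlowLabel inLabel,
-DataFlow::FlowLabel outLabel
-) {
-/* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
-super.isAdditionalFlowStep(start, end, inLabel, outLabel)
-or
-/* TODO: Legacy code */
-/* Handler argument node to handler parameter */
-exists(UI5Handler h |
-start = h.getBindingPath().getNode() and
-/*
-* Ideally we would like to show an intermediate node where
-* the handler is bound to a control, but there is no sourceNode there
-* `end = h.getBindingPath() or start = h.getBindingPath()`
-*/
-
-end = h.getParameter(0)
-)
-}
-
-override predicate isBarrier(DataFlow::Node node) {
+predicate isBarrier(DataFlow::Node node) {
 /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */
-super.isSanitizer(node)
+DomBasedXss::DomBasedXssConfig::isBarrier(node)
 or
 /* 2. Value read from a non-string control property */
 exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m)
@@ -53,10 +32,28 @@ class Configuration extends DomBasedXss::Configuration {
 ["encodeCSS", "encodeJS", "encodeURL", "encodeURLParameters", "encodeXML", "encodeHTML"]
 }
 
-override predicate isSink(DataFlow::Node node) {
+predicate isSink(DataFlow::Node node) {
 node instanceof UI5ExtHtmlISink or
 node instanceof UI5ModelHtmlISink
 }
+
+
+predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
+/* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
+DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
+or
+/* TODO: Legacy code */
+/* Handler argument node to handler parameter */
+exists(UI5Handler h |
+start = h.getBindingPath().getNode() and
+/*
+* Ideally we would like to show an intermediate node where
+* the handler is bound to a control, but there is no sourceNode there
+* `end = h.getBindingPath() or start = h.getBindingPath()`
+*/
+
+end = h.getParameter(0)
+)
+}
 }
 
 /**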
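Review bot: The new `isSource` and `isAdditionalFlowStep` call the upstream predicates with `_` in the flow-state positions (`isSource(start, _)`, `isAdditionalFlowStep(start, _, end, _)`), which projects away whatever state `DomBasedXssConfig` tracks: a source or step that upstream admits only in a particular state becomes unconditional here, because `UI5Xss` implements the stateless `DataFlow::ConfigSig`. If that loss of precision is intended it deserves a comment such as `/* DomBasedXssConfig flow states are projected away: UI5Xss is stateless, so state-restricted sources and steps become unconditional. */`; otherwise implementing `DataFlow::StateConfigSig` and forwarding the states would keep the upstream behaviour. The comments above both delegations still name `DomBasedXssQuery::Configuration`, which this module no longer extends; they should read `DomBasedXss::DomBasedXssConfig`. The handler-binding step is carried over verbatim together with its `/* TODO: Legacy code */` marker, so the TODO remains open after the port.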

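--- a/javascript/frameworks/ui5/src/UI5Xss/UI5Xss.ql
+++ b/javascript/frameworks/ui5/src/UI5Xss/UI5Xss.ql
@@ -13,17 +13,22 @@
 */
 
 import javascript
-import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow
-import UI5DataFlow::UI5PathGraph
+import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
 import advanced_security.javascript.frameworks.ui5.UI5XssQuery
 
+module UI5XssFlow = TaintTracking::Global<UI5Xss>;
+
+module UI5XssUI5PathGraph = UI5PathGraph<UI5XssFlow::PathNode, UI5XssFlow::PathGraph>;
+
+import UI5XssUI5PathGraph
+
 from
-Configuration config, UI5PathGraph::UI5PathNode source, UI5PathGraph::UI5PathNode sink,
-UI5PathGraph::UI5PathNode primarySource, UI5PathGraph::UI5PathNode primarySink
+UI5XssUI5PathGraph::UI5PathNode source, UI5XssUI5PathGraph::UI5PathNode sink,
+UI5XssUI5PathGraph::UI5PathNode primarySource, UI5XssUI5PathGraph::UI5PathNode primarySink
 where
-config.hasFlowPath(source.getPathNode(), sink.getPathNode()) and
-config.isSource(source.asDataFlowNode()) and
-config.isSink(sink.asDataFlowNode()) and
+UI5XssFlow::flowPath(source.getPathNode(), sink.getPathNode()) and
+UI5Xss::isSource(source.asDataFlowNode()) and
+UI5Xss::isSink(sink.asDataFlowNode()) and
 primarySource = source.getAPrimarySource() and
 primarySink = sink.getAPrimaryHtmlISink()
 select primarySink, primarySource, primarySink, "XSS vulnerability due to $@.", primarySource,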
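Review bot: The `where` clause re-asserts `UI5Xss::isSource(source.asDataFlowNode())` and `UI5Xss::isSink(sink.asDataFlowNode())` after `UI5XssFlow::flowPath(...)` has already fixed the endpoints; these conjuncts only add anything if `asDataFlowNode()` can yield a node other than the one behind `getPathNode()`, which the hunk does not show. Either state that intent, e.g. `/* asDataFlowNode() may differ from the path node's underlying node, so re-check the endpoints against UI5Xss. */`, or drop the two lines if they are redundant. The three new module declarations carry no comment explaining why the generic `UI5PathGraph` is instantiated per query; a one-line note above `module UI5XssFlow` would help readers of the other ported queries. The `select` clause continues past the end of the hunk.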
