Additional flow steps do not cross application boundaries

Adds a test comprising of 2 separate UI5 apps

Author: mbaluda

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5LogsToHttpQuery.qll

@@ -26,12 +26,15 @@ module UI5LogEntryToHttp implements DataFlow::StateConfigSig {
   predicate isAdditionalFlowStep(
     DataFlow::Node start, FlowState preState, DataFlow::Node end, FlowState postState
   ) {
-    UI5LogInjection::isAdditionalFlowStep(start, end) and
-    preState = postState
-    or
-    logArgumentToListener(start, end) and
-    preState = "not-logged-not-accessed" and
-    postState = "logged-and-accessed"
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      UI5LogInjection::isAdditionalFlowStep(start, end) and
+      preState = postState
+      or
+      logArgumentToListener(start, end) and
+      preState = "not-logged-not-accessed" and
+      postState = "logged-and-accessed"
+    )
   }
 
   predicate isSink(DataFlow::Node node, FlowState state) {

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll

@@ -49,33 +49,36 @@ module UI5Xss implements DataFlow::ConfigSig {
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
-    /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
-    DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
-    or
-    /* TODO: Legacy code */
-    /* Handler argument node to handler parameter */
-    exists(UI5Handler h |
-      start = h.getBindingPath().getNode() and
-      /*
-       * Ideally we would like to show an intermediate node where
-       * the handler is bound to a control, but there is no sourceNode there
-       * `end = h.getBindingPath() or start = h.getBindingPath()`
-       */
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
+      DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
+      or
+      /* TODO: Legacy code */
+      /* Handler argument node to handler parameter */
+      exists(UI5Handler h |
+        start = h.getBindingPath().getNode() and
+        /*
+         * Ideally we would like to show an intermediate node where
+         * the handler is bound to a control, but there is no sourceNode there
+         * `end = h.getBindingPath() or start = h.getBindingPath()`
+         */
 
-      end = h.getParameter(0)
-    )
-    or
-    /* Flow from `setContent` to `getContent` of a control */
-    exists(
-      UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
-    |
-      control.asJsControl() = setContent.getReceiver().getALocalSource() and
-      control.asJsControl() = getContent.getReceiver().getALocalSource() and
-      setContent.getMethodName() = "setContent" and
-      getContent.getMethodName() = "getContent" and
-      start = setContent.getArgument(0) and
-      end = getContent and
-      not control.isHTMLSanitized()
+        end = h.getParameter(0)
+      )
+      or
+      /* Flow from `setContent` to `getContent` of a control */
+      exists(
+        UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
+      |
+        control.asJsControl() = setContent.getReceiver().getALocalSource() and
+        control.asJsControl() = getContent.getReceiver().getALocalSource() and
+        setContent.getMethodName() = "setContent" and
+        getContent.getMethodName() = "getContent" and
+        start = setContent.getArgument(0) and
+        end = getContent and
+        not control.isHTMLSanitized()
+      )
     )
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll

@@ -263,24 +263,27 @@ module TrackPlaceAtCallConfig implements DataFlow::ConfigSig {
    * - [ ] Heuristic by prefix: not an attractive option since heuristics can fail
    */
   predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
-    exists(DataFlow::PropWrite propWrite |
-      start = propWrite.getRhs() and
-      end = propWrite.getBase()
-    )
-    or
-    exists(DataFlow::MethodCallNode maybeAddingChildAPICall |
-      start = maybeAddingChildAPICall.getAnArgument() and
-      end = maybeAddingChildAPICall.getReceiver()
-    )
-    or
-    exists(DataFlow::MethodCallNode call |
-      start = call.getReceiver() and
-      end = call
-    )
-    or
-    exists(DataFlow::NewNode new |
-      start = new.getAnArgument() and
-      end = new
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      exists(DataFlow::PropWrite propWrite |
+        start = propWrite.getRhs() and
+        end = propWrite.getBase()
+      )
+      or
+      exists(DataFlow::MethodCallNode maybeAddingChildAPICall |
+        start = maybeAddingChildAPICall.getAnArgument() and
+        end = maybeAddingChildAPICall.getReceiver()
+      )
+      or
+      exists(DataFlow::MethodCallNode call |
+        start = call.getReceiver() and
+        end = call
+      )
+      or
+      exists(DataFlow::NewNode new |
+        start = new.getAnArgument() and
+        end = new
+      )
     )
   }
 }