Ensure that the channel name and the message types are matched

jeongsoolee09 · jeongsoolee09 · commit 7a020d2a9fa4 · 2025-12-11T14:42:57.000-05:00
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -71,8 +71,10 @@ extensions:
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
       # Publishing and Subscribing to Events
-      - ["UI5PublishedEventData", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[publish].Argument[2]"]
-      - ["UI5EventSubscriptionHandlerDataParameter", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[subscribe].Argument[2].Parameter[2]"]
+      - ["UI5EventBusPublish", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[publish]"]
+      - ["UI5EventBusPublishedEventData", "UI5EventBusPublish", "Argument[2]"]
+      - ["UI5EventBusSubscribe", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[subscribe]"]
+      - ["UI5EventSubscriptionHandlerDataParameter", "UI5EventBusSubscribe", "Argument[2].Parameter[2]"]
 
   - addsTo:
       pack: codeql/javascript-all
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
@@ -369,7 +369,29 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
 
 class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
   override predicate step(DataFlow::Node start, DataFlow::Node end) {
-    start = ModelOutput::getATypeNode("UI5PublishedEventData").getInducingNode() and
-    end = ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter").getInducingNode()
+    exists(
+      API::Node publishMethod, API::Node publishedData, API::Node subscribeMethod,
+      API::Node subscribeMethodCallbackDataParameter
+    |
+      publishMethod = ModelOutput::getATypeNode("UI5EventBusPublish") and
+      publishedData = ModelOutput::getATypeNode("UI5EventBusPublishedEventData") and
+      subscribeMethod = ModelOutput::getATypeNode("UI5EventBusSubscribe") and
+      subscribeMethodCallbackDataParameter =
+        ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter")
+    |
+      /* Ensure that `publishedData` belongs to `publishMethod`. */
+      publishMethod.getASuccessor*() = publishedData and
+      /* Ensure that `subscribeMethodCallbackDataParameter` belongs to `subscribeMethod`. */
+      subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
+      /* Ensure that the published and subscribed channels are the same. */
+      publishMethod.getACall().getArgument(0).getALocalSource().getStringValue() =
+        subscribeMethod.getACall().getArgument(0).getALocalSource().getStringValue() and
+      /* Ensure that the published and subscribed message types are the same. */
+      publishMethod.getACall().getArgument(1).getALocalSource().getStringValue() =
+        subscribeMethod.getACall().getArgument(1).getALocalSource().getStringValue() and
+      /* Wire into the start and end of this step. */
+      start = publishedData.getInducingNode() and
+      end = subscribeMethodCallbackDataParameter.getInducingNode()
+    )
   }
 }
