Add modelling for binding paths and default models when those are used through fragments

Author: knewbury01

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll

@@ -597,6 +597,8 @@ class BindingTarget extends TBindingTarget {
         this = TLateJavaScriptBindingTarget(target, _)
         or
         this = TEarlyJavaScriptPropertyBindingTarget(target, _)
+        or
+        this = TLateJavaScriptBindingTarget(target.(BindElementMethodCallNode).getReceiver(), _)
       ) and
       result = target
     )
@@ -727,6 +729,22 @@ class Binding extends TBinding {
     )
   }
 
+  DataFlow::Node asDataFlowNode() {
+    exists(DataFlow::Node target |
+      (
+        this = TEarlyJavaScriptPropertyBinding(_, target)
+        or
+        this = TLateJavaScriptPropertyBinding(_, target)
+        or
+        exists(BindElementMethodCallNode bindElementCall |
+          target = bindElementCall.getReceiver() and
+          this = TLateJavaScriptContextBinding(bindElementCall, _)
+        )
+      ) and
+      result = target
+    )
+  }
+
   BindingPath getBindingPath() { result.getBinding() = this }
 
   BindingTarget getBindingTarget() { result.getBinding() = this }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll

@@ -48,4 +48,9 @@ class FragmentLoad extends InvokeNode, MethodCallNode {
       result = config.getAPropertyWrite("controller").getRhs()
     )
   }
+
+  DataFlow::ParameterNode getCallbackObjectReference() {
+    //the load invoke node is actually just a part of the chained load.then.bind
+    result = this.getAMemberCall(_).getABoundCallbackParameter(_, _)
+  }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -110,6 +110,25 @@ abstract class UI5ExternalModel extends UI5Model, RemoteFlowSource {
   abstract string getName();
 }
 
+/** Default model which gains content from an SAP OData service (ie no model name is explicitly specified). */
+class DefaultODataServiceModel extends UI5ExternalModel {
+  DefaultODataServiceModel() {
+    exists(ExternalModelManifest model |
+      //an OData default model exists
+      model.getName() = "" and
+      model.getDataSource() instanceof ODataDataSourceManifest and
+      //therefore the bindElement calls that exist may be sources and also approximates the model itself
+      this.getCalleeName() = "bindElement"
+    )
+  }
+
+  override string getSourceType() { result = "DefaultODataServiceModel" }
+
+  override string getName() { result = "" }
+
+  Binding asBinding() { result.getBindingTarget().asDataFlowNode() = this }
+}
+
 /** Model which gains content from an SAP OData service. */
 class ODataServiceModel extends UI5ExternalModel {
   string modelName;

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -132,6 +132,24 @@ abstract class UI5BindingPath extends BindingPath {
         not exists(controlSetModelCall.getArgument(1)) and
         not exists(this.getModelName())
       )
+      or
+      /* 5.  There is no call to `setModel` at all and a default model exists that is related to the binding path this refers to */
+      exists(DefaultODataServiceModel defaultModel |
+        result = defaultModel and
+        not exists(MethodCallNode viewSetModelCall | viewSetModelCall.getMethodName() = "setModel") and
+        /*
+         * this binding path can occur in a fragment that is the receiver object for the bindElement model approximation
+         * i.e. checks that the default model is relevant
+         */
+
+        exists(FragmentLoad load |
+          load.getCallbackObjectReference().flowsTo(defaultModel.asBinding().asDataFlowNode()) and
+          load.getNameArgument()
+              .getStringValue()
+              .matches("%" +
+                  this.getLocation().getFile().getBaseName().replaceAll(".fragment.xml", "") + "%")
+        )
+      )
     )
     // and
     // /* This binding path and the resulting model should live inside the same webapp */