- Adds a test case for sanitizers

mbaluda · mbaluda · commit 98a94581f3d3 · 2026-01-27T17:51:44.000+01:00
- Add controls as JsControl
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -6,6 +6,9 @@ extensions:
       - ["SapUICoreInstance", "global", "Member[sap].Member[ui].Member[getCore].ReturnValue"]
       - ["Control", "Control", "Instance"]
       - ["Control", "sap/ui/core/Control", ""]
+      - ["Control", "UI5HTMLControl", ""]
+      - ["Control", "UI5InputControl", ""]
+      - ["Control", "CustomControl", ""]
       - ["Control", "global", "Member[sap].Member[ui].Member[core].Member[Control]"]
       - ["Controller", "Controller", "Instance"]
       - ["Controller", "sap/ui/core/mvc/Controller", ""]
@@ -112,6 +115,7 @@ extensions:
     data:
       - ["UI5InputControl", "Member[value]", "remote"]
       - ["UI5InputControl", "Member[getValue].ReturnValue", "remote"]
+      - ["UI5HTMLControl", "Member[getContent].ReturnValue", "remote"]
       - ["UI5CodeEditor", "Member[value]", "remote"]
       - ["UI5CodeEditor", "Member[getCurrentValue].ReturnValue", "remote"]
       - ["global", "Member[jQuery].Member[sap].Member[syncHead,syncGet,syncGetText,syncPost,syncPostText].ReturnValue", "remote"]
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -800,6 +800,8 @@ private newtype TUI5Control =
             .(ArrayLiteralNode)
             .asExpr()
     )
+    or
+    control = ModelOutput::getATypeNode("Control").getAnInvocation()
   }
 
 class UI5Control extends TUI5Control {
@@ -847,7 +849,9 @@ class UI5Control extends TUI5Control {
     )
     or
     exists(NewNode control | control = this.asJsControl() |
-      result = this.asJsControl().asExpr().getAChildExpr().(DotExpr).getQualifiedName()
+      result = control.asExpr().getAChildExpr().(PropAccess).getQualifiedName()
+      or
+      control = API::moduleImport(result).getAnInvocation()
     )
   }
 
@@ -983,11 +987,12 @@ class UI5Control extends TUI5Control {
     )
     or
     /* 3. `sanitizeContent` attribute is set programmatically using a setter. */
-    exists(CallNode node |
-      node =
-        this.getAReference()
-            .getAMemberCall("set" + propName.prefix(1).toUpperCase() + propName.suffix(1)) and
+    exists(CallNode node, string setterName |
+      setterName = "set" + propName.prefix(1).toUpperCase() + propName.suffix(1) and
       not node.getArgument(0).mayHaveBooleanValue(val.booleanNot())
+    |
+      node = this.getAReference().getAMemberCall(setterName) or
+      node = this.asJsControl().getAMemberCall(setterName)
     )
   }
 }
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.qlref b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.qlref
@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/package-lock.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/package-lock.json
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/package.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/package.json
@@ -0,0 +1,5 @@
+{
+  "name": "sap-ui5-xss",
+  "version": "1.0.0",
+  "main": "index.js"
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/ui5.yaml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/ui5.yaml
@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: sap-ui5-xss
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/controller/app.controller.js
@@ -0,0 +1,28 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel",
+    "sap/ui/core/HTML"
+], function (Controller, JSONModel, HTML) {
+    "use strict";
+    return Controller.extend("codeql-sap-js.controller.app", {
+        onInit: function () {
+            var oData = {
+                input: null,
+                output: null,
+            };
+            var oModel = new JSONModel(oData);
+            this.getView().setModel(oModel);
+
+            jQuery.sap.globalEval(oModel.getProperty('/input')); // UNSAFE: evaluating user input
+
+            var sanitizer = new HTML();
+            sanitizer.setSanitizeContent(true);
+            sanitizer.setContent(oModel.getProperty('/input')); // SAFE: content is sanitized before eval
+            jQuery.sap.globalEval(sanitizer.getContent()); // SAFE: content is sanitized before eval
+
+            let htmlSanitized = this.getView().byId("htmlSanitized");
+            jQuery.sap.globalEval(htmlSanitized.getContent()); // SAFE: content is sanitized declaratively in the view
+        }
+    });
+}
+);
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/index.html b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/index.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+
+    <meta charset="utf-8">
+    <title>SAPUI5 XSS</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:codeql-sap-js/index" 
+        data-sap-ui-resourceroots='{
+            "codeql-sap-js": "./"
+        }'>
+        </script>
+</head>
+
+<body class="sapUiBody" id="content">
+
+</body>
+
+</html>
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/index.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/index.js
@@ -0,0 +1,11 @@
+sap.ui.define([
+    "sap/ui/core/mvc/XMLView"
+], function (XMLView) {
+    "use strict";
+    XMLView.create({
+        viewName: "codeql-sap-js.view.app"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+
+}); 
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/manifest.json b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/manifest.json
@@ -0,0 +1,5 @@
+{
+    "sap.app": {
+        "id": "sap-ui5-xss"
+    }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/view/app.view.xml b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/view/app.view.xml
@@ -0,0 +1,9 @@
+<mvc:View controllerName="codeql-sap-js.controller.app"
+    xmlns="sap.m"
+    xmlns:core="sap.ui.core"
+    xmlns:mvc="sap.ui.core.mvc">
+    <Input placeholder="Enter Payload (will be sanitized)" 
+        description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;" 
+        value="{/input}" />  <!--User input source sap.m.Input.value -->
+    <core:HTML id="htmlSanitized" content="{/output}" sanitizeContent="true"/> <!--sanitized XSS sink sap.ui.core.HTML.content -->
+</mvc:View>

Original file line number	Diff line number	Diff line change
`@@ -800,6 +800,8 @@ private newtype TUI5Control =`
`800`	`800`	`.(ArrayLiteralNode)`
`801`	`801`	`.asExpr()`
`802`	`802`	`)`
	`803`	`+ or`
	`804`	`+ control = ModelOutput::getATypeNode("Control").getAnInvocation()`
`803`	`805`	`}`
`804`	`806`
`805`	`807`	`class UI5Control extends TUI5Control {`
`@@ -847,7 +849,9 @@ class UI5Control extends TUI5Control {`
`847`	`849`	`)`
`848`	`850`	`or`
`849`	`851`	`exists(NewNode control \| control = this.asJsControl() \|`
`850`		`- result = this.asJsControl().asExpr().getAChildExpr().(DotExpr).getQualifiedName()`
	`852`	`+ result = control.asExpr().getAChildExpr().(PropAccess).getQualifiedName()`
	`853`	`+ or`
	`854`	`+ control = API::moduleImport(result).getAnInvocation()`
`851`	`855`	`)`
`852`	`856`	`}`
`853`	`857`
`@@ -983,11 +987,12 @@ class UI5Control extends TUI5Control {`
`983`	`987`	`)`
`984`	`988`	`or`
`985`	`989`	/* 3. `sanitizeContent` attribute is set programmatically using a setter. */
`986`		`- exists(CallNode node \|`
`987`		`- node =`
`988`		`- this.getAReference()`
`989`		`- .getAMemberCall("set" + propName.prefix(1).toUpperCase() + propName.suffix(1)) and`
	`990`	`+ exists(CallNode node, string setterName \|`
	`991`	`+ setterName = "set" + propName.prefix(1).toUpperCase() + propName.suffix(1) and`
`990`	`992`	`not node.getArgument(0).mayHaveBooleanValue(val.booleanNot())`
	`993`	`+ \|`
	`994`	`+ node = this.getAReference().getAMemberCall(setterName) or`
	`995`	`+ node = this.asJsControl().getAMemberCall(setterName)`
`991`	`996`	`)`
`992`	`997`	`}`
`993`	`998`	`}`