Adds a local source for separate Control implementations.

mbaluda · mbaluda · commit a40522a18818 · 2026-03-12T15:22:04.000+01:00
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll
@@ -61,6 +61,22 @@ class LocalModelContentBoundBidirectionallyToHtmlISinkControl extends DomBasedXs
   UI5Control getControlDeclaration() { result = controlDeclaration }
 }
 
+/**
+ * A local source for cases where the Control implementation is separate from the complete UI5 app.
+ */
+class LocalModelStringPropertySource extends DomBasedXss::Source {
+  LocalModelStringPropertySource() {
+    exists(UI5BindingPath bindingPath |
+      this =
+        bindingPath
+            .getControlDeclaration()
+            .getDefinition()
+            .getMetadata()
+            .getProperty(bindingPath.getPropertyName())
+    )
+  }
+}
+
 module UI5PathGraph<PathNodeSig ConfigPathNode, PathGraphSig<ConfigPathNode> ConfigPathGraph> {
   private newtype TNode =
     TUI5BindingPathNode(UI5BindingPath path) or
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:23:14:40 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xss.js:14:23:14:40 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:23:14:40 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:23:14:40 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:32:14:49 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xss.js:14:32:14:49 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:32:14:49 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:32:14:49 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:28:14:45 | oControl.getText() | webapp/control/xss.js:7:19:7:36 | { type: "string" } | webapp/control/xss.js:14:28:14:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:19:7:36 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:28:14:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:28:14:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/control/xssBase.js:5:15:5:32 | { type: "string" } | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xssBase.js:5:15:5:32 | { type: "string" } | user-provided value |
 | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xssRenderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/UI5Xss.expected
@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/renderer.js:8:28:8:45 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/renderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/renderer.js:8:28:8:45 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/renderer.js:8:28:8:45 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
