advanced-security
diff --git a/‎.github/workflows/javascript.sarif.expected‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/javascript.sarif.expected‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎javascript/frameworks/cap/lib/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions b/‎javascript/frameworks/cap/lib/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎javascript/frameworks/cap/src/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions b/‎javascript/frameworks/cap/src/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎javascript/frameworks/cap/test/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions b/‎javascript/frameworks/cap/test/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions b/‎javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml‎
Lines changed: 13 additions & 13 deletions
diff --git a/‎javascript/frameworks/ui5/ext/ui5.model.yml‎
Lines changed: 5 additions & 1 deletion b/‎javascript/frameworks/ui5/ext/ui5.model.yml‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll‎
Lines changed: 16 additions & 28 deletions b/‎javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll‎
Lines changed: 16 additions & 28 deletions
@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.12
+    version: 0.0.14
   codeql/controlflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/dataflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/javascript-all:
-    version: 2.6.18
+    version: 2.6.20
   codeql/mad:
-    version: 1.0.38
+    version: 1.0.40
   codeql/regex:
-    version: 1.0.38
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.14
+    version: 2.0.16
   codeql/threat-models:
-    version: 1.0.38
+    version: 1.0.40
   codeql/tutorial:
-    version: 1.0.38
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.22
+    version: 2.0.24
   codeql/util:
-    version: 2.0.25
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.38
+    version: 1.0.40
   codeql/yaml:
-    version: 1.0.38
+    version: 1.0.40
 compiled: false
@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.12
+    version: 0.0.14
   codeql/controlflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/dataflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/javascript-all:
-    version: 2.6.18
+    version: 2.6.20
   codeql/mad:
-    version: 1.0.38
+    version: 1.0.40
   codeql/regex:
-    version: 1.0.38
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.14
+    version: 2.0.16
   codeql/threat-models:
-    version: 1.0.38
+    version: 1.0.40
   codeql/tutorial:
-    version: 1.0.38
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.22
+    version: 2.0.24
   codeql/util:
-    version: 2.0.25
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.38
+    version: 1.0.40
   codeql/yaml:
-    version: 1.0.38
+    version: 1.0.40
 compiled: false
@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.12
+    version: 0.0.14
   codeql/controlflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/dataflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/javascript-all:
-    version: 2.6.18
+    version: 2.6.20
   codeql/mad:
-    version: 1.0.38
+    version: 1.0.40
   codeql/regex:
-    version: 1.0.38
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.14
+    version: 2.0.16
   codeql/threat-models:
-    version: 1.0.38
+    version: 1.0.40
   codeql/tutorial:
-    version: 1.0.38
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.22
+    version: 2.0.24
   codeql/util:
-    version: 2.0.25
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.38
+    version: 1.0.40
   codeql/yaml:
-    version: 1.0.38
+    version: 1.0.40
 compiled: false
@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.12
+    version: 0.0.14
   codeql/controlflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/dataflow:
-    version: 2.0.22
+    version: 2.0.24
   codeql/javascript-all:
-    version: 2.6.18
+    version: 2.6.20
   codeql/mad:
-    version: 1.0.38
+    version: 1.0.40
   codeql/regex:
-    version: 1.0.38
+    version: 1.0.40
   codeql/ssa:
-    version: 2.0.14
+    version: 2.0.16
   codeql/threat-models:
-    version: 1.0.38
+    version: 1.0.40
   codeql/tutorial:
-    version: 1.0.38
+    version: 1.0.40
   codeql/typetracking:
-    version: 2.0.22
+    version: 2.0.24
   codeql/util:
-    version: 2.0.25
+    version: 2.0.27
   codeql/xml:
-    version: 1.0.38
+    version: 1.0.40
   codeql/yaml:
-    version: 1.0.38
+    version: 1.0.40
 compiled: false
@@ -6,14 +6,17 @@ extensions:
       - ["SapUICoreInstance", "global", "Member[sap].Member[ui].Member[getCore].ReturnValue"]
       - ["Control", "Control", "Instance"]
       - ["Control", "sap/ui/core/Control", ""]
+      - ["Control", "UI5HTMLControl", ""]
+      - ["Control", "UI5InputControl", ""]
+      - ["Control", "CustomControl", ""]
       - ["Control", "global", "Member[sap].Member[ui].Member[core].Member[Control]"]
       - ["Controller", "Controller", "Instance"]
       - ["Controller", "sap/ui/core/mvc/Controller", ""]
       - ["Component", "sap/ui/core/mvc/Component", ""]
       - ["Component", "sap/ui/core/UIComponent", ""]
       - ["Renderer", "Control", "Member[extend].Argument[1].Member[renderer]"]
       - ["Renderer", "sap/ui/core/RenderManager", "Member[extend].Argument[1].Member[renderer]"]
-      - ["Renderer", "sap/ui/core/Renderer", "Member[extend].Argument[1]"]  # ?
+      - ["Renderer", "sap/ui/core/Renderer", "Member[extend].Argument[1]"]
       - ["RenderManager", "RenderManager", "Instance"]
       - ["RenderManager", "sap/ui/core/RenderManager", ""]
       - ["RenderManager", "Renderer", "Parameter[0]"]
@@ -112,6 +115,7 @@ extensions:
     data:
       - ["UI5InputControl", "Member[value]", "remote"]
       - ["UI5InputControl", "Member[getValue].ReturnValue", "remote"]
+      - ["UI5HTMLControl", "Member[getContent].ReturnValue", "remote"]
       - ["UI5CodeEditor", "Member[value]", "remote"]
       - ["UI5CodeEditor", "Member[getCurrentValue].ReturnValue", "remote"]
       - ["global", "Member[jQuery].Member[sap].Member[syncHead,syncGet,syncGetText,syncPost,syncPostText].ReturnValue", "remote"]
 
@@ -27,6 +27,13 @@ private class RemoteControlHandlerParameter extends RemoteControlAPISource, Call
   }
 }
 
+/**
+ * A remote flow source representing user-provided data fetched from UI5 input controls.
+ *
+ * This class models data obtained from control references (such as `HTML` or `CodeEditor`)
+ * or from handler parameters, via property reads or getter methods like `getValue()` or
+ * `getCurrentValue()`. These represent user input that could potentially be tainted.
+ */
 private class UserDataFromRemoteControlAPISource extends RemoteFlowSource {
   UserDataFromRemoteControlAPISource() {
     exists(RemoteControlAPISource remoteControlAPISource |
@@ -143,42 +150,23 @@ class ODataServiceModel extends UI5ExternalModel {
   override string getSourceType() { result = "ODataServiceModel" }
 
   ODataServiceModel() {
-    exists(MethodCallNode setModelCall, CustomController controller |
-      /*
-       * 1. This flows from a DF node corresponding to the parent component's model
-       * to the `this.setModel` call. e.g.
-       *
-       * `this.getOwnerComponent().getModel("someModelName")` as in
-       * `this.getView().setModel(this.getOwnerComponent().getModel("someModelName"))`.
-       */
-
-      modelName = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() and
+    exists(CustomController controller |
       this.getCalleeName() = "getModel" and
-      controller.getOwnerComponentRef().flowsTo(this.(MethodCallNode).getReceiver()) and
-      this.flowsTo(setModelCall.getArgument(0)) and
-      setModelCall = controller.getAViewReference().getAMemberCall("setModel") and
-      /*
-       * 2. The component's `manifest.json` declares the DataSource as being of OData type.
-       */
-
+      modelName = this.getArgument(0).getALocalSource().getStringValue() and
       controller.getOwnerComponent().getExternalModelDef(modelName).getDataSource() instanceof
-        ODataDataSourceManifest
+        ODataDataSourceManifest // A component's `manifest.json` declares the data source as being of OData type.
     )
     or
     /*
-     * A constructor call to sap.ui.model.odata.v2.ODataModel or sap.ui.model.odata.v4.ODataModel.
+     * A constructor call to `sap.ui.model.odata.v2.ODataModel` or `sap.ui.model.odata.v4.ODataModel`.
      */
 
     this instanceof NewNode and
-    (
-      exists(RequiredObject oDataModel |
-        oDataModel.asSourceNode().flowsTo(this.getCalleeNode()) and
-        oDataModel.getDependency() in [
-            "sap/ui/model/odata/v2/ODataModel", "sap/ui/model/odata/v4/ODataModel"
-          ]
-      )
-      or
-      this.getCalleeName() = "ODataModel"
+    exists(RequiredObject oDataModel |
+      oDataModel.asSourceNode().flowsTo(this.getCalleeNode()) and
+      oDataModel.getDependency() in [
+          "sap/ui/model/odata/v2/ODataModel", "sap/ui/model/odata/v4/ODataModel"
+        ]
     ) and
     modelName = "<no name>"
   }