Add qldoc comments to address PR review

data-douser · data-douser · commit dafc39ad7e2d · 2026-01-29T11:36:54.000-07:00
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -27,6 +27,13 @@ private class RemoteControlHandlerParameter extends RemoteControlAPISource, Call
   }
 }
 
+/**
+ * A remote flow source representing user-provided data fetched from UI5 input controls.
+ *
+ * This class models data obtained from control references (such as `HTML` or `CodeEditor`)
+ * or from handler parameters, via property reads or getter methods like `getValue()` or
+ * `getCurrentValue()`. These represent user input that could potentially be tainted.
+ */
 private class UserDataFromRemoteControlAPISource extends RemoteFlowSource {
   UserDataFromRemoteControlAPISource() {
     exists(RemoteControlAPISource remoteControlAPISource |
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
@@ -398,6 +398,13 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
   }
 }
 
+/**
+ * A data flow step from published event data to subscribed event handlers via the UI5 EventBus.
+ *
+ * This step connects data passed to `EventBus.publish()` calls to the corresponding
+ * data received by matching `EventBus.subscribe()` handlers, enabling taint tracking
+ * across event-driven communication patterns in UI5 applications.
+ */
 class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
   override predicate step(DataFlow::Node start, DataFlow::Node end) {
     exists(

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,13 @@ private class RemoteControlHandlerParameter extends RemoteControlAPISource, Call`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
	`30`	`+/**`
	`31`	`+ * A remote flow source representing user-provided data fetched from UI5 input controls.`
	`32`	`+ *`
	`33`	+ * This class models data obtained from control references (such as `HTML` or `CodeEditor`)
	`34`	+ * or from handler parameters, via property reads or getter methods like `getValue()` or
	`35`	+ * `getCurrentValue()`. These represent user input that could potentially be tainted.
	`36`	`+ */`
`30`	`37`	`private class UserDataFromRemoteControlAPISource extends RemoteFlowSource {`
`31`	`38`	`UserDataFromRemoteControlAPISource() {`
`32`	`39`	`exists(RemoteControlAPISource remoteControlAPISource \|`
Original file line number	Diff line number	Diff line change
`@@ -398,6 +398,13 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {`
`398`	`398`	`}`
`399`	`399`	`}`
`400`	`400`
	`401`	`+/**`
	`402`	`+ * A data flow step from published event data to subscribed event handlers via the UI5 EventBus.`
	`403`	`+ *`
	`404`	+ * This step connects data passed to `EventBus.publish()` calls to the corresponding
	`405`	+ * data received by matching `EventBus.subscribe()` handlers, enabling taint tracking
	`406`	`+ * across event-driven communication patterns in UI5 applications.`
	`407`	`+ */`
`401`	`408`	`class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {`
`402`	`409`	`override predicate step(DataFlow::Node start, DataFlow::Node end) {`
`403`	`410`	`exists(`