
Commit dafc39a

committed
Add qldoc comments to address PR review
1 parent a3b8a1c commit dafc39a


2 files changed

+14
-0
lines changed


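--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll
@@ -27,6 +27,13 @@ private class RemoteControlHandlerParameter extends RemoteControlAPISource, Call
 }
 }
 
+/**
+* A remote flow source representing user-provided data fetched from UI5 input controls.
+*
+* This class models data obtained from control references (such as `HTML` or `CodeEditor`)
+* or from handler parameters, via property reads or getter methods like `getValue()` or
+* `getCurrentValue()`. These represent user input that could potentially be tainted.
+*/
 private class UserDataFromRemoteControlAPISource extends RemoteFlowSource {
 UserDataFromRemoteControlAPISource() {
 exists(RemoteControlAPISource remoteControlAPISource |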
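Review bot: The closing sentence of the new qldoc on `UserDataFromRemoteControlAPISource`, "These represent user input that could potentially be tainted", understates what the class does: because it extends `RemoteFlowSource`, every node it matches is used as a taint source by the queries built on that class. I would reword it to `These values are user-controlled and are treated as untrusted input.` The control types and getter names given as examples cannot be checked here, since the characteristic predicate continues past the end of the hunk; if the list mirrors `RemoteControlAPISource`, pointing to that class instead would keep the comment from drifting as controls are added.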

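--- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
@@ -398,6 +398,13 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
 }
 }
 
+/**
+* A data flow step from published event data to subscribed event handlers via the UI5 EventBus.
+*
+* This step connects data passed to `EventBus.publish()` calls to the corresponding
+* data received by matching `EventBus.subscribe()` handlers, enabling taint tracking
+* across event-driven communication patterns in UI5 applications.
+*/
 class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
 override predicate step(DataFlow::Node start, DataFlow::Node end) {
 exists(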
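Review bot: The qldoc on `PublishedEventToEventSubscribedEventData` says publishers are connected to "matching" `EventBus.subscribe()` handlers without saying what makes a pair match, which is the detail a reader needs to judge whether the step can link unrelated publishers and subscribers or miss related ones. The body of `step` continues outside the hunk, so the criterion is not visible; if it compares channel and event identifiers, a sentence such as `A subscriber matches when its channel and event names equal those of the publish call.` would cover it. It may also be worth noting that the class overrides `step`, so the published data is modelled as reaching the handler unchanged.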
