Adds a local source for separate Control implementations. (#329)

* Adds a local source for separate Control implementations.

* Remove refereence to Controller

* Adds test for separate control implementation

* fix expected file

* Additional flow steps do not cross application boundaries
Adds a test comprising of 2 separate UI5 apps

* Fix expected file

* Fix sarif expected file

Author: mbaluda

.github/workflows/javascript.sarif.expected

@@ -26,12 +26,15 @@ module UI5LogEntryToHttp implements DataFlow::StateConfigSig {
   predicate isAdditionalFlowStep(
     DataFlow::Node start, FlowState preState, DataFlow::Node end, FlowState postState
   ) {
-    UI5LogInjection::isAdditionalFlowStep(start, end) and
-    preState = postState
-    or
-    logArgumentToListener(start, end) and
-    preState = "not-logged-not-accessed" and
-    postState = "logged-and-accessed"
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      UI5LogInjection::isAdditionalFlowStep(start, end) and
+      preState = postState
+      or
+      logArgumentToListener(start, end) and
+      preState = "not-logged-not-accessed" and
+      postState = "logged-and-accessed"
+    )
   }
 
   predicate isSink(DataFlow::Node node, FlowState state) {

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5LogsToHttpQuery.qll

@@ -49,33 +49,36 @@ module UI5Xss implements DataFlow::ConfigSig {
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
-    /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
-    DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
-    or
-    /* TODO: Legacy code */
-    /* Handler argument node to handler parameter */
-    exists(UI5Handler h |
-      start = h.getBindingPath().getNode() and
-      /*
-       * Ideally we would like to show an intermediate node where
-       * the handler is bound to a control, but there is no sourceNode there
-       * `end = h.getBindingPath() or start = h.getBindingPath()`
-       */
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
+      DomBasedXss::DomBasedXssConfig::isAdditionalFlowStep(start, _, end, _)
+      or
+      /* TODO: Legacy code */
+      /* Handler argument node to handler parameter */
+      exists(UI5Handler h |
+        start = h.getBindingPath().getNode() and
+        /*
+         * Ideally we would like to show an intermediate node where
+         * the handler is bound to a control, but there is no sourceNode there
+         * `end = h.getBindingPath() or start = h.getBindingPath()`
+         */
 
-      end = h.getParameter(0)
-    )
-    or
-    /* Flow from `setContent` to `getContent` of a control */
-    exists(
-      UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
-    |
-      control.asJsControl() = setContent.getReceiver().getALocalSource() and
-      control.asJsControl() = getContent.getReceiver().getALocalSource() and
-      setContent.getMethodName() = "setContent" and
-      getContent.getMethodName() = "getContent" and
-      start = setContent.getArgument(0) and
-      end = getContent and
-      not control.isHTMLSanitized()
+        end = h.getParameter(0)
+      )
+      or
+      /* Flow from `setContent` to `getContent` of a control */
+      exists(
+        UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
+      |
+        control.asJsControl() = setContent.getReceiver().getALocalSource() and
+        control.asJsControl() = getContent.getReceiver().getALocalSource() and
+        setContent.getMethodName() = "setContent" and
+        getContent.getMethodName() = "getContent" and
+        start = setContent.getArgument(0) and
+        end = getContent and
+        not control.isHTMLSanitized()
+      )
     )
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll

@@ -61,6 +61,15 @@ class LocalModelContentBoundBidirectionallyToHtmlISinkControl extends DomBasedXs
   UI5Control getControlDeclaration() { result = controlDeclaration }
 }
 
+/**
+ * A local source for cases where the Control implementation is separate from the complete UI5 app.
+ */
+class LocalModelStringPropertySource extends DomBasedXss::Source {
+  LocalModelStringPropertySource() {
+    this = any(PropertyMetadata propMeta | propMeta.isUnrestrictedStringType())
+  }
+}
+
 module UI5PathGraph<PathNodeSig ConfigPathNode, PathGraphSig<ConfigPathNode> ConfigPathGraph> {
   private newtype TNode =
     TUI5BindingPathNode(UI5BindingPath path) or
@@ -254,24 +263,27 @@ module TrackPlaceAtCallConfig implements DataFlow::ConfigSig {
    * - [ ] Heuristic by prefix: not an attractive option since heuristics can fail
    */
   predicate isAdditionalFlowStep(DataFlow::Node start, DataFlow::Node end) {
-    exists(DataFlow::PropWrite propWrite |
-      start = propWrite.getRhs() and
-      end = propWrite.getBase()
-    )
-    or
-    exists(DataFlow::MethodCallNode maybeAddingChildAPICall |
-      start = maybeAddingChildAPICall.getAnArgument() and
-      end = maybeAddingChildAPICall.getReceiver()
-    )
-    or
-    exists(DataFlow::MethodCallNode call |
-      start = call.getReceiver() and
-      end = call
-    )
-    or
-    exists(DataFlow::NewNode new |
-      start = new.getAnArgument() and
-      end = new
+    inSameWebApp(start.getFile(), end.getFile()) and
+    (
+      exists(DataFlow::PropWrite propWrite |
+        start = propWrite.getRhs() and
+        end = propWrite.getBase()
+      )
+      or
+      exists(DataFlow::MethodCallNode maybeAddingChildAPICall |
+        start = maybeAddingChildAPICall.getAnArgument() and
+        end = maybeAddingChildAPICall.getReceiver()
+      )
+      or
+      exists(DataFlow::MethodCallNode call |
+        start = call.getReceiver() and
+        end = call
+      )
+      or
+      exists(DataFlow::NewNode new |
+        start = new.getAnArgument() and
+        end = new
+      )
     )
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll

@@ -13,3 +13,4 @@ edges
 | webapp/controls/Book.js:133:8:133:26 | oControl.getTitle() | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" |
 #select
 | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | webapp/controller/App.Controller.js:23:25:23:47 | oSearch ... Value() | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | XSS vulnerability due to $@. | webapp/controller/App.Controller.js:23:25:23:47 | oSearch ... Value() | user-provided value |
+| webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | webapp/controls/Book.js:17:13:17:30 | { type: "string" } | webapp/controls/Book.js:132:7:134:15 | "<div>T ... </div>" | XSS vulnerability due to $@. | webapp/controls/Book.js:17:13:17:30 | { type: "string" } | user-provided value |

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll

@@ -14,4 +14,5 @@ edges
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
 | webapp/view/app.view.xml:8:5:8:38 | text={/input} | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 #select
+| webapp/control/xss.js:14:23:14:40 | oControl.getText() | webapp/control/xss.js:7:23:7:40 | { type: "string" } | webapp/control/xss.js:14:23:14:40 | oControl.getText() | XSS vulnerability due to $@. | webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
 | webapp/control/xss.js:14:23:14:40 | oControl.getText() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/control/xss.js:14:23:14:40 | oControl.getText() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |

javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/UI5Xss.expected

@@ -0,0 +1,37 @@
+nodes
+| xss-custom-control-api3/webapp/control/xss.js:7:23:7:40 | { type: "string" } |
+| xss-custom-control-api3/webapp/control/xss.js:8:24:8:41 | { type: "string" } |
+| xss-custom-control-api3/webapp/control/xss.js:15:32:15:49 | oControl.getText() |
+| xss-custom-control-api3/webapp/control/xss.js:16:32:16:50 | oControl.getText2() |
+| xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control-api3/webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| xss-custom-control-api3/webapp/view/app.view.xml:8:5:8:38 | text={/input} |
+| xss-custom-control.api2/webapp/control/xss.js:7:23:7:40 | { type: "string" } |
+| xss-custom-control.api2/webapp/control/xss.js:14:32:14:49 | oControl.getText() |
+| xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control.api2/webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| xss-custom-control.api2/webapp/view/app.view.xml:8:5:8:38 | text={/input} |
+edges
+| xss-custom-control-api3/webapp/control/xss.js:7:23:7:40 | { type: "string" } | xss-custom-control-api3/webapp/control/xss.js:15:32:15:49 | oControl.getText() |
+| xss-custom-control-api3/webapp/control/xss.js:7:23:7:40 | { type: "string" } | xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control-api3/webapp/control/xss.js:8:24:8:41 | { type: "string" } | xss-custom-control-api3/webapp/control/xss.js:16:32:16:50 | oControl.getText2() |
+| xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null | xss-custom-control-api3/webapp/control/xss.js:7:23:7:40 | { type: "string" } |
+| xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null | xss-custom-control-api3/webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null | xss-custom-control-api3/webapp/view/app.view.xml:8:5:8:38 | text={/input} |
+| xss-custom-control-api3/webapp/view/app.view.xml:5:5:7:28 | value={/input} | xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control-api3/webapp/view/app.view.xml:5:5:7:28 | value={/input} | xss-custom-control-api3/webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
+| xss-custom-control-api3/webapp/view/app.view.xml:8:5:8:38 | text={/input} | xss-custom-control-api3/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control.api2/webapp/control/xss.js:7:23:7:40 | { type: "string" } | xss-custom-control.api2/webapp/control/xss.js:14:32:14:49 | oControl.getText() |
+| xss-custom-control.api2/webapp/control/xss.js:7:23:7:40 | { type: "string" } | xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null | xss-custom-control.api2/webapp/control/xss.js:7:23:7:40 | { type: "string" } |
+| xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null | xss-custom-control.api2/webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null | xss-custom-control.api2/webapp/view/app.view.xml:8:5:8:38 | text={/input} |
+| xss-custom-control.api2/webapp/view/app.view.xml:5:5:7:28 | value={/input} | xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+| xss-custom-control.api2/webapp/view/app.view.xml:5:5:7:28 | value={/input} | xss-custom-control.api2/webapp/controller/app.controller.js:11:26:11:45 | new JSONModel(oData) |
+| xss-custom-control.api2/webapp/view/app.view.xml:8:5:8:38 | text={/input} | xss-custom-control.api2/webapp/controller/app.controller.js:9:17:9:27 | input: null |
+#select
+| xss-custom-control-api3/webapp/control/xss.js:15:32:15:49 | oControl.getText() | xss-custom-control-api3/webapp/control/xss.js:7:23:7:40 | { type: "string" } | xss-custom-control-api3/webapp/control/xss.js:15:32:15:49 | oControl.getText() | XSS vulnerability due to $@. | xss-custom-control-api3/webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
+| xss-custom-control-api3/webapp/control/xss.js:15:32:15:49 | oControl.getText() | xss-custom-control-api3/webapp/view/app.view.xml:5:5:7:28 | value={/input} | xss-custom-control-api3/webapp/control/xss.js:15:32:15:49 | oControl.getText() | XSS vulnerability due to $@. | xss-custom-control-api3/webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
+| xss-custom-control-api3/webapp/control/xss.js:16:32:16:50 | oControl.getText2() | xss-custom-control-api3/webapp/control/xss.js:8:24:8:41 | { type: "string" } | xss-custom-control-api3/webapp/control/xss.js:16:32:16:50 | oControl.getText2() | XSS vulnerability due to $@. | xss-custom-control-api3/webapp/control/xss.js:8:24:8:41 | { type: "string" } | user-provided value |
+| xss-custom-control.api2/webapp/control/xss.js:14:32:14:49 | oControl.getText() | xss-custom-control.api2/webapp/control/xss.js:7:23:7:40 | { type: "string" } | xss-custom-control.api2/webapp/control/xss.js:14:32:14:49 | oControl.getText() | XSS vulnerability due to $@. | xss-custom-control.api2/webapp/control/xss.js:7:23:7:40 | { type: "string" } | user-provided value |
+| xss-custom-control.api2/webapp/control/xss.js:14:32:14:49 | oControl.getText() | xss-custom-control.api2/webapp/view/app.view.xml:5:5:7:28 | value={/input} | xss-custom-control.api2/webapp/control/xss.js:14:32:14:49 | oControl.getText() | XSS vulnerability due to $@. | xss-custom-control.api2/webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |