Model sap/ui/core/EventBus

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -3,6 +3,7 @@ extensions:
       pack: codeql/javascript-all
       extensible: "typeModel"
     data:
+      - ["SapUICoreInstance", "global", "Member[sap].Member[ui].Member[getCore].ReturnValue"]
       - ["Control", "Control", "Instance"]
       - ["Control", "sap/ui/core/Control", ""]
       - ["Control", "global", "Member[sap].Member[ui].Member[core].Member[Control]"]
@@ -71,6 +72,19 @@ extensions:
       - ["UI5ClientStorage", "global", "Member[jQuery].Member[sap].Member[storage]"]
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
+      # Publishing and Subscribing to Events
+      - ["UI5EventBusInstance", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue"]
+      - ["UI5EventBusPublish", "UI5EventBusInstance", "Member[publish]"]
+      - ["UI5EventBusPublishedEventData", "UI5EventBusPublish", "Argument[2]"]
+      - ["UI5EventBusSubscribe", "UI5EventBusInstance", "Member[subscribe]"]
+      - ["UI5EventSubscriptionHandlerDataParameter", "UI5EventBusSubscribe", "Argument[2].Parameter[2]"]
+      - ["SapUICoreEventBusInstance", "SapUICoreInstance", "Member[getEventBus].ReturnValue"]
+      - ["SapUICoreEventBusPublish", "SapUICoreEventBusInstance", "Member[publish]"]
+      - ["SapUICoreEventBusPublishedEventData", "SapUICoreEventBusPublish", "Argument[2]"]
+      - ["SapUICoreEventBusSubscribe", "SapUICoreEventBusInstance", "Member[subscribe]"]
+      - ["SapUICoreEventSubscriptionHandlerDataParameter", "SapUICoreEventBusSubscribe", "Argument[2].Parameter[2]"]
+      # Extend Calls
+      # -
 
   - addsTo:
       pack: codeql/javascript-all

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -1,6 +1,7 @@
 import javascript
 import DataFlow
 import advanced_security.javascript.frameworks.ui5.JsonParser
+import advanced_security.javascript.frameworks.ui5.dataflow.TypeTrackers
 import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.UI5HTML
@@ -138,6 +139,15 @@ class WebApp extends HTML::HtmlFile {
  * by a call to `sap.ui.getCore()`.
  */
 class SapUiCore extends MethodCallNode {
+  /*
+   * NOTE: Ideally, we'd like to use `ModelOutput::getATypeNode("SapUICore").asSource()` to
+   * take advantage of the inter-procedural flexibility of MaD, but doing so causes
+   * non-monotomic recursion.
+   *
+   * So, we opt to use `SourceNode.getAPropertyRead/1` and `SourceNode.getAMethodCall/1`
+   * instead and get away with local flow tracking they provide.
+   */
+
   SapUiCore() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("getCore") }
 }
 
@@ -459,7 +469,8 @@ class CustomController extends SapExtendCall {
   }
 
   Component getOwnerComponent() {
-    exists(ManifestJson manifestJson, JsonObject rootObj | manifestJson = result.getManifestJson() |
+    exists(ManifestJson manifestJson, JsonObject rootObj |
+      manifestJson = result.getManifestJson() and
       rootObj
           .getPropValue("targets")
           .(JsonObject)
@@ -764,7 +775,7 @@ class Component extends SapExtendCall {
         ]).getAMemberCall("extend")
   }
 
-  string getId() { result = this.getName().regexpCapture("([a-zA-Z0-9.]+).Component", 1) }
+  string getId() { result = this.getName().regexpCapture("(.+).Component", 1) }
 
   ManifestJson getManifestJson() {
     this.getMetadata().getAPropertySource("manifest").asExpr().(StringLiteral).getValue() = "json" and
@@ -1428,18 +1439,158 @@ class PropertyMetadata extends ObjectLiteralNode {
   }
 }
 
-module TypeTrackers {
-  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
-    t.start() and
-    exists(UserModule d |
-      d.getADependency() = dependencyPath and
-      result = d.getRequiredObject(dependencyPath).asSourceNode()
-    )
-    or
-    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
+module EventBus {
+  abstract class EventBusPublishCall extends CallNode {
+    abstract EventBusSubscribeCall getAMatchingSubscribeCall();
+
+    abstract DataFlow::Node getPublishedData();
+
+    string getChannelName() { result = this.getArgument(0).getALocalSource().getStringValue() }
+
+    string getMessageType() { result = this.getArgument(1).getALocalSource().getStringValue() }
+  }
+
+  abstract class EventBusSubscribeCall extends CallNode {
+    abstract EventBusPublishCall getMatchingPublishCall();
+
+    abstract DataFlow::Node getSubscriptionData();
+
+    string getChannelName() { result = this.getArgument(0).getALocalSource().getStringValue() }
+
+    string getMessageType() { result = this.getArgument(1).getALocalSource().getStringValue() }
+  }
+
+  class GlobalEventBusPublishCall extends EventBusPublishCall {
+    API::Node publishMethod;
+
+    GlobalEventBusPublishCall() {
+      publishMethod = ModelOutput::getATypeNode("UI5EventBusPublish") and
+      this = publishMethod.getACall()
+    }
+
+    override GlobalEventBusSubscribeCall getAMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() {
+      exists(API::Node publishedData |
+        publishedData = ModelOutput::getATypeNode("UI5EventBusPublishedEventData")
+      |
+        publishMethod.getASuccessor*() = publishedData and
+        result = publishedData.getInducingNode()
+      )
+    }
+  }
+
+  class SapUICoreEventBusPublishCall extends EventBusPublishCall {
+    API::Node publishMethod;
+
+    SapUICoreEventBusPublishCall() {
+      publishMethod = ModelOutput::getATypeNode("SapUICoreEventBusPublish") and
+      this = publishMethod.getACall()
+    }
+
+    override SapUICoreEventBusSubscribeCall getAMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() {
+      exists(API::Node publishedData |
+        publishedData = ModelOutput::getATypeNode("SapUICoreEventBusPublishedEventData")
+      |
+        publishMethod.getASuccessor*() = publishedData and
+        result = publishedData.getInducingNode()
+      )
+    }
+  }
+
+  class ComponentEventBusPublishCall extends EventBusPublishCall {
+    CustomController controller;
+    Component component;
+
+    ComponentEventBusPublishCall() {
+      component = controller.getOwnerComponent() and
+      this = controller.getOwnerComponentRef().getAMemberCall("publish")
+    }
+
+    override ComponentEventBusSubscribeCall getAMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType() and
+      result.getComponent() = this.getComponent()
+    }
+
+    override DataFlow::Node getPublishedData() { result = this.getArgument(2) }
+
+    Component getComponent() { result = component }
+  }
+
+  class GlobalEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node subscribeMethod;
+
+    GlobalEventBusSubscribeCall() {
+      subscribeMethod = ModelOutput::getATypeNode("UI5EventBusSubscribe") and
+      this = subscribeMethod.getACall()
+    }
+
+    override GlobalEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() {
+      exists(API::Node subscribeMethodCallbackDataParameter |
+        subscribeMethodCallbackDataParameter =
+          ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter")
+      |
+        subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
+        result = subscribeMethodCallbackDataParameter.getInducingNode()
+      )
+    }
   }
 
-  SourceNode hasDependency(string dependencyPath) {
-    result = hasDependency(TypeTracker::end(), dependencyPath)
+  class SapUICoreEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node subscribeMethod;
+
+    SapUICoreEventBusSubscribeCall() {
+      subscribeMethod = ModelOutput::getATypeNode("SapUICoreInstance") and
+      this = subscribeMethod.getACall()
+    }
+
+    override SapUICoreEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() {
+      exists(API::Node subscribeMethodCallbackDataParameter |
+        subscribeMethodCallbackDataParameter =
+          ModelOutput::getATypeNode("SapUICoreEventSubscriptionHandlerDataParameter")
+      |
+        subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
+        result = subscribeMethodCallbackDataParameter.getInducingNode()
+      )
+    }
+  }
+
+  class ComponentEventBusSubscribeCall extends EventBusSubscribeCall {
+    CustomController controller;
+    Component component;
+
+    ComponentEventBusSubscribeCall() {
+      component = controller.getOwnerComponent() and
+      this = controller.getOwnerComponentRef().getAMemberCall("subscribe")
+    }
+
+    override ComponentEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType() and
+      result.getComponent() = this.getComponent()
+    }
+
+    override DataFlow::Node getSubscriptionData() { result = this.getABoundCallbackParameter(2, 2) }
+
+    Component getComponent() { result = component }
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll

@@ -366,3 +366,16 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
     logArgumentToListener(start, end)
   }
 }
+
+class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node start, DataFlow::Node end) {
+    exists(
+      EventBus::EventBusPublishCall publishCall, EventBus::EventBusSubscribeCall subscribeCall
+    |
+      publishCall.getAMatchingSubscribeCall() = subscribeCall
+    |
+      start = publishCall.getPublishedData() and
+      end = subscribeCall.getSubscriptionData()
+    )
+  }
+}

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/TypeTrackers.qll

@@ -0,0 +1,46 @@
+import javascript
+import DataFlow
+
+module TypeTrackers {
+  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
+    t.start() and
+    exists(UserModule d |
+      d.getADependency() = dependencyPath and
+      result = d.getRequiredObject(dependencyPath).asSourceNode()
+    )
+    or
+    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
+  }
+
+  SourceNode hasDependency(string dependencyPath) {
+    result = hasDependency(TypeTracker::end(), dependencyPath)
+  }
+
+  private MethodCallNode getOwnerComponentRef(TypeTracker t, CustomController customController) {
+    customController.getAThisNode() = result.getReceiver() and
+    result.getMethodName() = "getOwnerComponent"
+    or
+    exists(TypeTracker t2 | result = getOwnerComponentRef(t2, customController).track(t2, t))
+  }
+
+  /* owner component ref */
+  MethodCallNode getOwnerComponentRef(CustomController customController) {
+    result = getOwnerComponentRef(TypeTracker::end(), customController)
+  }
+
+  private class ObjFieldStep extends SharedTypeTrackingStep {
+    override predicate step(DataFlow::Node start, DataFlow::Node end) {
+      exists(SapExtendCall sapExtendCall, ObjectLiteralNode wrappedObject, string name |
+        wrappedObject = sapExtendCall.getContent() and
+        start = getAnAlias(wrappedObject).getAPropertyWrite(name).getRhs() and
+        end = getAnAlias(wrappedObject).getAPropertyRead(name)
+      )
+    }
+  }
+
+  private DataFlow::SourceNode getAnAlias(DataFlow::SourceNode object) {
+    result = object
+    or
+    result = getAnAlias(object).getAPropertySource().(DataFlow::FunctionNode).getReceiver()
+  }
+}

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.expected

@@ -0,0 +1,25 @@
+nodes
+| webapp/controller/app.controller.js:26:11:26:15 | value |
+| webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() |
+| webapp/controller/app.controller.js:27:45:27:62 | { message: value } |
+| webapp/controller/app.controller.js:27:56:27:60 | value |
+| webapp/controller/app.controller.js:30:34:30:38 | model |
+| webapp/controller/app.controller.js:32:30:32:34 | model |
+| webapp/controller/app.controller.js:32:30:32:42 | model.message |
+| webapp/view/app.view.xml:5:3:8:29 | value={/input} |
+| webapp/view/app.view.xml:11:3:12:37 | content={/output1} |
+edges
+| webapp/controller/app.controller.js:15:9:15:19 | input: null | webapp/view/app.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/app.controller.js:16:9:16:21 | output1: null | webapp/view/app.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/app.controller.js:18:20:18:39 | new JSONModel(oData) | webapp/view/app.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/app.controller.js:26:11:26:15 | value | webapp/controller/app.controller.js:27:56:27:60 | value |
+| webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/app.controller.js:26:11:26:15 | value |
+| webapp/controller/app.controller.js:27:45:27:62 | { message: value } | webapp/controller/app.controller.js:30:34:30:38 | model |
+| webapp/controller/app.controller.js:27:56:27:60 | value | webapp/controller/app.controller.js:27:45:27:62 | { message: value } |
+| webapp/controller/app.controller.js:30:34:30:38 | model | webapp/controller/app.controller.js:32:30:32:34 | model |
+| webapp/controller/app.controller.js:32:30:32:34 | model | webapp/controller/app.controller.js:32:30:32:42 | model.message |
+| webapp/view/app.view.xml:5:3:8:29 | value={/input} | webapp/controller/app.controller.js:15:9:15:19 | input: null |
+| webapp/view/app.view.xml:5:3:8:29 | value={/input} | webapp/controller/app.controller.js:18:20:18:39 | new JSONModel(oData) |
+| webapp/view/app.view.xml:11:3:12:37 | content={/output1} | webapp/controller/app.controller.js:16:9:16:21 | output1: null |
+#select
+| webapp/controller/app.controller.js:32:30:32:42 | model.message | webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/app.controller.js:32:30:32:42 | model.message | XSS vulnerability due to $@. | webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() | user-provided value |

javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.qlref

@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql