Improve UI5Xss detection for fragments_samples 1

Author: data-douser

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -71,6 +71,10 @@ extensions:
       - ["UI5ClientStorage", "global", "Member[jQuery].Member[sap].Member[storage]"]
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
+      # Fragment API - byId returns a Control (models static Fragment.byId() calls)
+      - ["Fragment", "Fragment", "Instance"]
+      - ["Fragment", "sap/ui/core/Fragment", ""]
+      - ["UI5InputControl", "Fragment", "Member[byId].ReturnValue"]
 
   - addsTo:
       pack: codeql/javascript-all

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -141,6 +141,16 @@ class SapUiCore extends MethodCallNode {
   SapUiCore() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("getCore") }
 }
 
+/**
+ * A reference to the Fragment module (`sap/ui/core/Fragment`).
+ * Used for static methods like `Fragment.byId(viewId, controlId)`.
+ */
+class FragmentModule extends DataFlow::SourceNode {
+  FragmentModule() {
+    this = DataFlow::moduleImport("sap/ui/core/Fragment")
+  }
+}
+
 /**
  * A user-defined module through `sap.ui.define` or `jQuery.sap.declare`.
  */
@@ -334,14 +344,25 @@ class ControlReference extends Reference {
   string controlId;
 
   ControlReference() {
-    this.getArgument(0).getALocalSource().getStringValue() = controlId and
     (
-      exists(CustomController controller |
-        this = controller.getAViewReference().getAMemberCall("byId") or
-        this = controller.getAThisNode().getAMemberCall("byId")
+      // Standard byId patterns: this.byId("id"), this.getView().byId("id"), sap.ui.getCore().byId("id")
+      this.getArgument(0).getALocalSource().getStringValue() = controlId and
+      (
+        exists(CustomController controller |
+          this = controller.getAViewReference().getAMemberCall("byId") or
+          this = controller.getAThisNode().getAMemberCall("byId")
+        )
+        or
+        exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
       )
-      or
-      exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
+    )
+    or
+    // Fragment.byId(viewId, controlId) - static method with 2 arguments
+    (
+      this.getNumArgument() = 2 and
+      this.getArgument(1).getALocalSource().getStringValue() = controlId and
+      this.getMethodName() = "byId" and
+      exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
     )
   }
 

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -890,11 +890,23 @@ class UI5Control extends TUI5Control {
 
   /**
    * Gets a reference to this control. Currently supports only such references made through `byId`.
+   * Handles both:
+   * - `this.byId("controlId")` or `this.getView().byId("controlId")` - ID in argument 0
+   * - `Fragment.byId(viewId, "controlId")` - ID in argument 1
    */
   ControlReference getAReference() {
     result.getMethodName() = "byId" and
-    result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() =
-      this.getProperty("id").getValue()
+    (
+      // Standard byId: ID in first argument
+      result.getNumArgument() = 1 and
+      result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() =
+        this.getProperty("id").getValue()
+      or
+      // Fragment.byId: ID in second argument
+      result.getNumArgument() = 2 and
+      result.getArgument(1).getALocalSource().asExpr().(StringLiteral).getValue() =
+        this.getProperty("id").getValue()
+    )
   }
 
   /** Gets a property of this control having the name. */

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.expected

@@ -0,0 +1,12 @@
+nodes
+| webapp/controller/Main.controller.js:20:17:20:29 | sAttackerData |
+| webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() |
+| webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" |
+| webapp/controller/Main.controller.js:24:45:24:57 | sAttackerData |
+| webapp/view/Main.view.html:4:10:4:34 | data-content={/payload} |
+edges
+| webapp/controller/Main.controller.js:20:17:20:29 | sAttackerData | webapp/controller/Main.controller.js:24:45:24:57 | sAttackerData |
+| webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() | webapp/controller/Main.controller.js:20:17:20:29 | sAttackerData |
+| webapp/controller/Main.controller.js:24:45:24:57 | sAttackerData | webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" |
+#select
+| webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" | webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() | webapp/controller/Main.controller.js:24:34:24:69 | "<span> ... /span>" | XSS vulnerability due to $@. | webapp/controller/Main.controller.js:20:33:20:97 | Fragmen ... Value() | user-provided value |

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/UI5Xss.qlref

@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "ui5-xss-fragment-static-byid",
+  "version": "1.0.0",
+  "main": "index.js"
+}

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/ui5.yaml

@@ -0,0 +1,7 @@
+specVersion: '3.0'
+metadata:
+  name: ui5-xss-fragment-static-byid
+type: application
+framework:
+  name: SAPUI5
+  version: "1.115.0"

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/controller/Main.controller.js

@@ -0,0 +1,27 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/core/Fragment"
+], function (Controller, Fragment) {
+    "use strict";
+    return Controller.extend("ui5-xss-fragment-static-byid.controller.Main", {
+        onInit: function () {
+            // Load fragment with view ID prefix
+            Fragment.load({
+                id: this.getView().getId(),
+                name: "ui5-xss-fragment-static-byid.view.PayloadForm",
+                controller: this
+            }).then(function (oFragment) {
+                this.byId("fragmentArea").addContent(oFragment);
+            }.bind(this));
+        },
+
+        onSubmitPayload: function () {
+            // XSS vulnerability: Fragment.byId() static method to access fragment controls
+            var sAttackerData = Fragment.byId(this.getView().getId(), "attackerInput").getValue();
+            var oHtmlSink = Fragment.byId(this.getView().getId(), "vulnerableOutput");
+            
+            // Sink: setContent with unsanitized user input
+            oHtmlSink.setContent("<span>" + sAttackerData + "</span>");
+        }
+    });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>UI5 XSS Fragment Static ById Test</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:ui5-xss-fragment-static-byid/index" 
+        data-sap-ui-resourceroots='{
+            "ui5-xss-fragment-static-byid": "./"
+        }'>
+    </script>
+</head>
+<body class="sapUiBody" id="content">
+</body>
+</html>

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-static-byid/webapp/index.js

@@ -0,0 +1,10 @@
+sap.ui.define([
+    "sap/ui/core/mvc/HTMLView"
+], function (HTMLView) {
+    "use strict";
+    HTMLView.create({
+        viewName: "ui5-xss-fragment-static-byid.view.Main"
+    }).then(function (oView) {
+        oView.placeAt("content");
+    });
+});