Models the flow between the getContent and setContent methods in an HTML control, taking sanitization into account

mbaluda · mbaluda · commit a71ec8290c03 · 2026-01-28T15:29:15.000+01:00
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
@@ -31,6 +31,14 @@ module UI5Xss implements DataFlow::ConfigSig {
     node.(DataFlow::CallNode).getReceiver().asExpr().(PropAccess).getQualifiedName() = "jQuery.sap" and
     node.(DataFlow::CallNode).getCalleeName() =
       ["encodeCSS", "encodeJS", "encodeURL", "encodeURLParameters", "encodeXML", "encodeHTML"]
+    or
+    /* Flow through `setContent/getContent` of a sanitized UI5Control */
+    exists(UI5Control control, DataFlow::MethodCallNode content |
+      control.asJsControl() = content.getReceiver().getALocalSource() and
+      control.isHTMLSanitized() and
+      content.getMethodName() = ["setContent", "getContent"] and
+      node = [content, content.getArgument(0)]
+    )
   }
 
   predicate isSink(DataFlow::Node node) {
@@ -56,6 +64,19 @@ module UI5Xss implements DataFlow::ConfigSig {
 
       end = h.getParameter(0)
     )
+    or
+    /* Flow from `setContent` to `getContent` of a control */
+    exists(
+      UI5Control control, DataFlow::MethodCallNode getContent, DataFlow::MethodCallNode setContent
+    |
+      control.asJsControl() = setContent.getReceiver().getALocalSource() and
+      control.asJsControl() = getContent.getReceiver().getALocalSource() and
+      setContent.getMethodName() = "setContent" and
+      getContent.getMethodName() = "getContent" and
+      start = setContent.getArgument(0) and
+      end = getContent and
+      not control.isHTMLSanitized()
+    )
   }
 }
 
@@ -93,10 +114,6 @@ private class UI5ExtHtmlISink extends DataFlow::Node {
   }
 }
 
-private class HTMLControlInstantiation extends ElementInstantiation {
-  HTMLControlInstantiation() { typeModel("UI5HTMLControl", this.getImportPath(), _) }
-}
-
 private module TrackPlaceAtCallConfigFlow = TaintTracking::Global<TrackPlaceAtCallConfig>;
 
 abstract class DynamicallySetElementValueOfHTML extends DataFlow::Node { }
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/UI5Xss.expected
@@ -0,0 +1,22 @@
+nodes
+| webapp/controller/app.controller.js:10:17:10:27 | input: null |
+| webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') |
+| webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') |
+| webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| webapp/view/app.view.xml:8:5:8:79 | content={/output} |
+edges
+| webapp/controller/app.controller.js:10:17:10:27 | input: null | webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') |
+| webapp/controller/app.controller.js:10:17:10:27 | input: null | webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') |
+| webapp/controller/app.controller.js:10:17:10:27 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| webapp/controller/app.controller.js:11:17:11:28 | output: null | webapp/view/app.view.xml:8:5:8:79 | content={/output} |
+| webapp/controller/app.controller.js:13:26:13:45 | new JSONModel(oData) | webapp/view/app.view.xml:8:5:8:79 | content={/output} |
+| webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:10:17:10:27 | input: null |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:13:26:13:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:8:5:8:79 | content={/output} | webapp/controller/app.controller.js:11:17:11:28 | output: null |
+#select
+| webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:16:35:16:62 | oModel. ... input') | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
+| webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:19:36:19:63 | oModel. ... input') | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
+| webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | XSS vulnerability due to $@. | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | user-provided value |
+| webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:20:35:20:58 | unsanit ... ntent() | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-sanitized/webapp/controller/app.controller.js
@@ -15,10 +15,14 @@ sap.ui.define([
 
             jQuery.sap.globalEval(oModel.getProperty('/input')); // UNSAFE: evaluating user input
 
-            var sanitizer = new HTML();
-            sanitizer.setSanitizeContent(true);
-            sanitizer.setContent(oModel.getProperty('/input')); // SAFE: content is sanitized before eval
-            jQuery.sap.globalEval(sanitizer.getContent()); // SAFE: content is sanitized before eval
+            var unsanitized = new HTML();
+            unsanitized.setContent(oModel.getProperty('/input')); // UNSAFE: evaluating user input
+            jQuery.sap.globalEval(unsanitized.getContent()); // UNSAFE: setContent->getContent flow step
+
+            var sanitized = new HTML();
+            sanitized.setSanitizeContent(true);
+            sanitized.setContent(oModel.getProperty('/input')); // SAFE: content is sanitized before eval
+            jQuery.sap.globalEval(sanitized.getContent()); // SAFE: content is sanitized before eval
 
             let htmlSanitized = this.getView().byId("htmlSanitized");
             jQuery.sap.globalEval(htmlSanitized.getContent()); // SAFE: content is sanitized declaratively in the view
