More potential detection improvements for UI5 XSS

Author: data-douser

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -173,3 +173,22 @@ private class UI5ExtRemoteSource extends RemoteFlowSource {
     result = "Remote flow" // Don't discriminate between UI5-specific remote flows and vanilla ones
   }
 }
+
+/**
+ * URLSearchParams.get() and getAll() return URL query parameter values which are user-controlled.
+ * e.g., `new URLSearchParams(window.location.search).get("param")`
+ */
+private class UrlSearchParamsSource extends RemoteFlowSource {
+  UrlSearchParamsSource() {
+    exists(DataFlow::NewNode newCall, DataFlow::MethodCallNode getCall |
+      // Match: new URLSearchParams(...)
+      newCall.getCalleeName() = "URLSearchParams" and
+      // Match: .get() or .getAll() on the URLSearchParams instance
+      getCall.getMethodName() = ["get", "getAll"] and
+      newCall.flowsTo(getCall.getReceiver()) and
+      this = getCall
+    )
+  }
+
+  override string getSourceType() { result = "URL query parameter" }
+}

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -11,8 +11,10 @@ private module WebAppResourceRootJsonReader implements JsonParser::MakeJsonReade
   class JsonReader extends WebApp {
     string getJson() {
       // We match on the lowercase to cover all the possible variants of writing the attribute name.
+      // Support both "data-sap-ui-resourceroots" and "data-sap-ui-resource-roots" (with hyphen)
       exists(string resourceRootAttributeName |
-        resourceRootAttributeName.toLowerCase() = "data-sap-ui-resourceroots"
+        resourceRootAttributeName.toLowerCase() =
+          ["data-sap-ui-resourceroots", "data-sap-ui-resource-roots"]
       |
         result = this.getCoreScript().getAttributeByName(resourceRootAttributeName).getValue()
       )
@@ -146,9 +148,7 @@ class SapUiCore extends MethodCallNode {
  * Used for static methods like `Fragment.byId(viewId, controlId)`.
  */
 class FragmentModule extends DataFlow::SourceNode {
-  FragmentModule() {
-    this = DataFlow::moduleImport("sap/ui/core/Fragment")
-  }
+  FragmentModule() { this = DataFlow::moduleImport("sap/ui/core/Fragment") }
 }
 
 /**
@@ -344,26 +344,22 @@ class ControlReference extends Reference {
   string controlId;
 
   ControlReference() {
+    // Standard byId patterns: this.byId("id"), this.getView().byId("id"), sap.ui.getCore().byId("id")
+    this.getArgument(0).getALocalSource().getStringValue() = controlId and
     (
-      // Standard byId patterns: this.byId("id"), this.getView().byId("id"), sap.ui.getCore().byId("id")
-      this.getArgument(0).getALocalSource().getStringValue() = controlId and
-      (
-        exists(CustomController controller |
-          this = controller.getAViewReference().getAMemberCall("byId") or
-          this = controller.getAThisNode().getAMemberCall("byId")
-        )
-        or
-        exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
+      exists(CustomController controller |
+        this = controller.getAViewReference().getAMemberCall("byId") or
+        this = controller.getAThisNode().getAMemberCall("byId")
       )
+      or
+      exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
     )
     or
     // Fragment.byId(viewId, controlId) - static method with 2 arguments
-    (
-      this.getNumArgument() = 2 and
-      this.getArgument(1).getALocalSource().getStringValue() = controlId and
-      this.getMethodName() = "byId" and
-      exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
-    )
+    this.getNumArgument() = 2 and
+    this.getArgument(1).getALocalSource().getStringValue() = controlId and
+    this.getMethodName() = "byId" and
+    exists(FragmentModule fragment | this = fragment.getAMemberCall("byId"))
   }
 
   CustomControl getDefinition() {

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll

@@ -1,5 +1,36 @@
 import javascript
 import advanced_security.javascript.frameworks.ui5.UI5
+import advanced_security.javascript.frameworks.ui5.UI5View
+
+/**
+ * Step from a value assigned to a JSONModel property to the binding path that reads it.
+ * This enables tracking data flowing INTO a model constructor argument and OUT through XML bindings.
+ *
+ * e.g. Given:
+ * ```javascript
+ * var userInput = getUntrustedData();
+ * var oModel = new JSONModel({ payload: userInput });
+ * this.getView().setModel(oModel);
+ * ```
+ * and
+ * ```xml
+ * <core:HTML content="{/payload}" />
+ * ```
+ *
+ * Creates a flow step from `userInput` (the RHS of the property) to the binding path `{/payload}`.
+ */
+class JsonModelPropertyValueToBindingStep extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node start, DataFlow::Node end) {
+    exists(UI5BindingPath bindingPath, DataFlow::PropWrite propWrite |
+      // The binding path resolves to a property write in a JSONModel
+      bindingPath.getNode() = propWrite and
+      // The start is the RHS value being assigned to that property
+      start = propWrite.getRhs() and
+      // The end is the binding path itself (as a node representing where data flows to)
+      end = propWrite
+    )
+  }
+}
 
 /**
  * Step from a part of internal model to a relevant control property.

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.expected

@@ -0,0 +1,36 @@
+nodes
+| webapp/controller/Display.controller.js:10:17:10:25 | oUrlQuery |
+| webapp/controller/Display.controller.js:10:29:10:71 | new URL ... search) |
+| webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search |
+| webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload |
+| webapp/controller/Display.controller.js:11:34:11:42 | oUrlQuery |
+| webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") |
+| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" |
+| webapp/controller/Display.controller.js:14:61:14:74 | sRemotePayload |
+| webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+| webapp/controller/Display.controller.js:19:32:19:45 | sRemotePayload |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} |
+edges
+| webapp/controller/Display.controller.js:10:17:10:25 | oUrlQuery | webapp/controller/Display.controller.js:11:34:11:42 | oUrlQuery |
+| webapp/controller/Display.controller.js:10:29:10:71 | new URL ... search) | webapp/controller/Display.controller.js:10:17:10:25 | oUrlQuery |
+| webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/controller/Display.controller.js:10:29:10:71 | new URL ... search) |
+| webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload | webapp/controller/Display.controller.js:14:61:14:74 | sRemotePayload |
+| webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload | webapp/controller/Display.controller.js:19:32:19:45 | sRemotePayload |
+| webapp/controller/Display.controller.js:11:34:11:42 | oUrlQuery | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") |
+| webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/controller/Display.controller.js:11:17:11:30 | sRemotePayload |
+| webapp/controller/Display.controller.js:14:61:14:74 | sRemotePayload | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" |
+| webapp/controller/Display.controller.js:18:30:20:14 | new JSO ...      }) | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:18:30:20:14 | new JSO ...      }) | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} |
+| webapp/controller/Display.controller.js:19:32:19:45 | sRemotePayload | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:19:17:19:45 | remoteP ... Payload |
+#select
+| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
+| webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/controller/Display.controller.js:14:51:14:85 | "<div>" ... </div>" | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
+| webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/fragments/Content.fragment.xml:7:9:7:49 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:10:49:10:70 | window. ... .search | user-provided value |
+| webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | webapp/view/Display.view.xml:6:13:6:53 | content={/remotePayload} | XSS vulnerability due to $@. | webapp/controller/Display.controller.js:11:34:11:57 | oUrlQue ... yload") | user-provided value |

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/UI5Xss.qlref

@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/package.json

@@ -0,0 +1,4 @@
+{
+  "name": "ui5-xss-urlparams-jsonmodel",
+  "version": "1.0.0"
+}

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/ui5.yaml

@@ -0,0 +1,4 @@
+specVersion: "3.0"
+metadata:
+  name: ui5-xss-urlparams-jsonmodel
+type: application

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/controller/Display.controller.js

@@ -0,0 +1,33 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/model/json/JSONModel",
+    "sap/ui/core/HTML",
+    "sap/ui/core/Fragment"
+], function (Controller, JSONModel, HTML, Fragment) {
+    "use strict";
+    return Controller.extend("ui5-xss-urlparams-jsonmodel.controller.Display", {
+        onInit: function () {
+            var oUrlQuery = new URLSearchParams(window.location.search);
+            var sRemotePayload = oUrlQuery.get("payload");
+            
+            // Test 1: Direct sink in onInit - tests if URLSearchParams.get() is detected as source
+            var oDirectHtml = new HTML({ content: "<div>" + sRemotePayload + "</div>" });
+            this.getView().addContent(oDirectHtml);
+            
+            // Test 2: Flow through JSONModel to View XML binding
+            var oViewModel = new JSONModel({
+                remotePayload: sRemotePayload
+            });
+            this.getView().setModel(oViewModel);
+            
+            // Test 3: Flow through JSONModel to Fragment XML binding (mirrors app6c pattern)
+            Fragment.load({
+                id: this.getView().getId(),
+                name: "ui5-xss-urlparams-jsonmodel.fragments.Content",
+                controller: this
+            }).then(function (oFragment) {
+                this.byId("page").addContent(oFragment);
+            }.bind(this));
+        }
+    });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/fragments/Content.fragment.xml

@@ -0,0 +1,9 @@
+<core:FragmentDefinition
+    xmlns="sap.m"
+    xmlns:core="sap.ui.core">
+    <VBox class="sapUiSmallMargin">
+        <Label text="Message from URL:" />
+        <!-- XSS sink: HTML content bound to user-controlled model property -->
+        <core:HTML content="{/remotePayload}" />
+    </VBox>
+</core:FragmentDefinition>

javascript/frameworks/ui5/test/queries/UI5Xss/xss-urlparams-jsonmodel/webapp/index.html

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>UI5 XSS URLSearchParams JSONModel Test</title>
+    <script src="https://sdk.openui5.org/resources/sap-ui-core.js" 
+        data-sap-ui-libs="sap.m"
+        data-sap-ui-onInit="module:ui5-xss-urlparams-jsonmodel/index" 
+        data-sap-ui-resourceroots='{
+            "ui5-xss-urlparams-jsonmodel": "./"
+        }'>
+    </script>
+</head>
+<body class="sapUiBody" id="content">
+</body>
+</html>