UI5 XSS detect default OData model w/ bindElement

The setModel check in UI5BindingPath.getASource() was globally scoped, causing
detection to fail when apps with explicit setModel calls were in the same
database as apps using default OData models from manifest.json.

Changes:
- Bindings.qll: Add getBindElementCall() method to Binding class
- RemoteFlowSources.qll: Fix DefaultODataServiceModel.asBinding() to use
  getBindElementCall() for proper context binding matching
- UI5View.qll: Scope setModel check to same webapp using inSameWebApp()
- Add test case xss-fragment-odata-default-model validating the fix

All 26 UI5Xss tests pass.

Author: data-douser

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll

@@ -748,4 +748,9 @@ class Binding extends TBinding {
   BindingPath getBindingPath() { result.getBinding() = this }
 
   BindingTarget getBindingTarget() { result.getBinding() = this }
+
+  /**
+   * Gets the `BindElementMethodCallNode` for this binding, if it is a context binding via `bindElement`.
+   */
+  BindElementMethodCallNode getBindElementCall() { this = TLateJavaScriptContextBinding(result, _) }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -126,7 +126,12 @@ class DefaultODataServiceModel extends UI5ExternalModel {
 
   override string getName() { result = "" }
 
-  Binding asBinding() { result.getBindingTarget().asDataFlowNode() = this }
+  /**
+   * Gets bindings associated with this default OData model source.
+   * Since `DefaultODataServiceModel` represents a `bindElement` call,
+   * we match context bindings whose `bindElement` call is this node.
+   */
+  Binding asBinding() { result.getBindElementCall() = this }
 }
 
 /** Model which gains content from an SAP OData service. */

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -133,10 +133,13 @@ abstract class UI5BindingPath extends BindingPath {
         not exists(this.getModelName())
       )
       or
-      /* 5.  There is no call to `setModel` at all and a default model exists that is related to the binding path this refers to */
+      /* 5.  There is no call to `setModel` in the same webapp and a default model exists that is related to the binding path this refers to */
       exists(DefaultODataServiceModel defaultModel |
         result = defaultModel and
-        not exists(MethodCallNode viewSetModelCall | viewSetModelCall.getMethodName() = "setModel") and
+        not exists(MethodCallNode viewSetModelCall |
+          viewSetModelCall.getMethodName() = "setModel" and
+          inSameWebApp(this.getLocation().getFile(), viewSetModelCall.getFile())
+        ) and
         /*
          * this binding path can occur in a fragment that is the receiver object for the bindElement model approximation
          * i.e. checks that the default model is relevant

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/UI5Xss.expected

@@ -0,0 +1,8 @@
+nodes
+| webapp/controller/App.controller.js:21:17:21:53 | oFragme ... es(1)") |
+| webapp/fragments/DataDisplay.fragment.xml:7:9:7:42 | content={message} |
+edges
+| webapp/controller/App.controller.js:21:17:21:53 | oFragme ... es(1)") | webapp/fragments/DataDisplay.fragment.xml:7:9:7:42 | content={message} |
+| webapp/fragments/DataDisplay.fragment.xml:7:9:7:42 | content={message} | webapp/controller/App.controller.js:21:17:21:53 | oFragme ... es(1)") |
+#select
+| webapp/fragments/DataDisplay.fragment.xml:7:9:7:42 | content={message} | webapp/controller/App.controller.js:21:17:21:53 | oFragme ... es(1)") | webapp/fragments/DataDisplay.fragment.xml:7:9:7:42 | content={message} | XSS vulnerability due to $@. | webapp/controller/App.controller.js:21:17:21:53 | oFragme ... es(1)") | user-provided value |

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/UI5Xss.qlref

@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "xss-fragment-odata-default-model",
+  "version": "1.0.0",
+  "description": "Test case for XSS vulnerability via default OData model in fragment with bindElement"
+}

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/ui5.yaml

@@ -0,0 +1,7 @@
+specVersion: "3.1"
+type: application
+metadata:
+  name: xss-fragment-odata-default-model
+framework:
+  name: SAPUI5
+  version: "1.120.0"

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/webapp/Component.js

@@ -0,0 +1,13 @@
+sap.ui.define([
+    "sap/ui/core/UIComponent"
+], function (UIComponent) {
+    "use strict";
+    return UIComponent.extend("xss.fragment.odata.defaultmodel.Component", {
+        metadata: {
+            manifest: "json"
+        },
+        init: function () {
+            UIComponent.prototype.init.apply(this, arguments);
+        }
+    });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/webapp/controller/App.controller.js

@@ -0,0 +1,28 @@
+sap.ui.define([
+    "sap/ui/core/mvc/Controller",
+    "sap/ui/core/Fragment"
+], function (Controller, Fragment) {
+    "use strict";
+
+    return Controller.extend("xss.fragment.odata.defaultmodel.controller.App", {
+        onInit: function () {
+            // XSS vulnerability pattern:
+            // 1. OData model is configured as default model in manifest.json
+            // 2. Fragment is loaded dynamically
+            // 3. Fragment is bound to OData entity via bindElement
+            // 4. Fragment contains HTML control that renders OData content
+            
+            Fragment.load({
+                id: this.getView().getId(),
+                name: "xss.fragment.odata.defaultmodel.fragments.DataDisplay",
+                controller: this
+            }).then(function (oFragment) {
+                // Bind fragment to an OData entity - vulnerability is in the backend data
+                oFragment.bindElement("/Messages(1)");
+                
+                // Add the fragment to the page content
+                this.byId("page").addContent(oFragment);
+            }.bind(this));
+        }
+    });
+});

javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/webapp/fragments/DataDisplay.fragment.xml

@@ -0,0 +1,9 @@
+<core:FragmentDefinition
+    xmlns="sap.m"
+    xmlns:core="sap.ui.core">
+    <VBox class="sapUiSmallMargin">
+        <Label text="Message from OData:" />
+        <!-- XSS vulnerability: HTML content bound to OData property containing unsanitized data -->
+        <core:HTML content="{message}" />
+    </VBox>
+</core:FragmentDefinition>