
Commit 24714aa

Merge branch 'main' into knewbury01/e2-pii-cap
2 parents b2b2892 + 1e27135 commit 24714aa

File tree

75 files changed

+1585
-332
lines changed


.github/actions/install-codeql/action.yml

Lines changed: 0 additions & 109 deletions
This file was deleted.

.github/actions/install-qlt/action.yml

Lines changed: 0 additions & 86 deletions
This file was deleted.

.github/codeql/codeql-config.yaml

Lines changed: 1 addition & 1 deletion
@@ -2,9 +2,9 @@ name: "My CodeQL config"
22

33
queries:
44
- uses: security-extended
5-
# for ui5/cap queries
65
- uses: ./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls
76
- uses: ./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls
7+
- uses: ./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls
88

99
paths-ignore:
1010
- "**/frameworks/*/test/models"
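Review bot: the `# for ui5/cap queries` comment is dropped in this hunk at the same time a third local suite (`xsjs`) is added, so the three `./javascript/frameworks/*/src/codeql-suites/javascript-security-extended.qls` entries now sit beside `security-extended` with no explanation of why they are needed; keep a comment that names all three frameworks so the intent survives the addition.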

.github/workflows/javascript.sarif.expected

Lines changed: 2 additions & 1 deletion
Large diffs are not rendered by default.

.github/workflows/run-codeql-unit-tests-javascript.yml

Lines changed: 3 additions & 3 deletions
@@ -22,7 +22,7 @@ jobs:
2222

2323
- name: Install QLT
2424
id: install-qlt
25-
uses: ./.github/actions/install-qlt
25+
uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
2626
with:
2727
qlt-version: 'latest'
2828
add-to-path: true
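Review bot: the replacement `uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main` references the external action by a mutable branch, so every run executes whatever `main` currently contains and the workflow can change without any commit in this repository; pin third-party actions to a full-length commit SHA (with a version comment beside it) and let an automated updater bump the pin. The deleted in-repo `./.github/actions/install-qlt` copy did not have this exposure, so the switch trades maintenance effort for supply-chain surface and deserves the pin.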
@@ -47,7 +47,7 @@ jobs:
4747

4848
- name: Install QLT
4949
id: install-qlt
50-
uses: ./.github/actions/install-qlt
50+
uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
5151
with:
5252
qlt-version: 'latest'
5353
add-to-path: true
@@ -134,7 +134,7 @@ jobs:
134134

135135
- name: Install QLT
136136
id: install-qlt
137-
uses: ./.github/actions/install-qlt
137+
uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
138138
with:
139139
qlt-version: 'latest'
140140
add-to-path: true
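Review bot: the same `Install QLT` step is updated identically in all three jobs touched by this diff, and three copies will drift the moment one of them is pinned or bumped separately; consider hoisting the install into a single reusable workflow or shared setup job, and when the action reference is pinned to a commit SHA, apply the same pin to every copy in one change.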

README.md

Lines changed: 5 additions & 38 deletions
@@ -1,38 +1,5 @@
1-
# SAP UI5 with CodeQL
2-
3-
CodeQL queries and supporting models for the SAP UI5 JavaScript framework
4-
5-
### Queries
6-
- [XSS](javascript/frameworks/UI5/src/UI5Xss/UI5Xss.ql)
7-
- [Log Injection](javascript/frameworks/UI5/src/UI5LogInjection/UI5LogInjection.ql)
8-
- [Clickjacking](javascript/frameworks/UI5/src/UI5Clickjacking/UI5Clickjacking.ql)
9-
10-
### Modeled UI5 framework elements
11-
- UI5 AMD-style components (also via jQuery)
12-
- MVC elements:
13-
- UI5 Controllers and Data Models (literal/external JSON models)
14-
- UI5 [declarative Views](DeclarativeApp.png) (XML/JSON/HTML/JS)
15-
- Library/custom UI5 Controls
16-
- Project naming conventions (e.g. Control-Renderer)
17-
- Source/Sink definition via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97)
18-
- Controls inheritance via [ModelAsData extensions](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L42-L59)
19-
20-
### Supported Features with tests
21-
The following tables list the main supported features with corresponding test cases
22-
#### Detecting XSS and Log injection vulnerabilities
23-
|test | library controls | [MaD sources sinks](javascript/frameworks/UI5/ext/ui5-data-extensions.yml#L61-L97) | custom controls | UI5View | JS dataflow | HTML APIs | sanitizer | acc.path via handler |
24-
| - | :-: | :-: | :-: | :-: | :-: | :-: | :-: | :-: |
25-
| [xss-html-control](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1033) | ✅︎ | ✅︎ | | XMLView |
26-
| [xss-custom-control-api1](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/1051)| ✅︎ | ✅︎ | ✅︎ | XMLView | | classic |
27-
| [xss-custom-control-api2](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/250)| ✅︎ | ✅︎ | ✅︎ | XMLView | | DOM |
28-
| [xss-json-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/247)<br/>[xss-html-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/245)<br/>[xss-js-view](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/246) | ✅︎ | ✅︎ | | JsonView<br/>HTMLView<br/>JSView |
29-
| [log-html-control-df](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/275) | ✅︎ | ✅︎ | |XMLView| ✅︎ |
30-
| [sanitized](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/277)| ✅︎ | ✅︎ | ✅︎ | XMLView | ✅︎ | DOM | ✅︎ |
31-
| [xss-event-handlers](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/335)| ✅︎ | ✅︎ | ✅︎ | XMLView | | | | ✅︎ |
32-
33-
#### Detecting Clickjacking vulnerabilities
34-
| test | secure | insecure frameOptions | missing frameOptions |
35-
| - | :-: | :-: | :-: |
36-
| [clickjacking-deny-all](javascript/frameworks/UI5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html#L10) | ✅︎ | |
37-
| [clickjacking-allow-all:l9](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/240)<br/>[clickjacking-allow-all:l28](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/241) | | ✅︎ |
38-
| [clickjacking-default-all](https://github.com/advanced-security/codeql-sap-js/security/code-scanning/330) | | | ✅︎ |
1+
# Overview
2+
[CodeQL](https://codeql.github.com/) models and queries for the SAP frameworks:
3+
- [CAP](javascript/frameworks/cap) (https://cap.cloud.sap/)
4+
- [UI5](javascript/frameworks/ui5) (https://sapui5.hana.ondemand.com/)
5+
- [XSJS](javascript/frameworks/xsjs) (https://www.npmjs.com/package/@sap/async-xsjs)
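Review bot: the rewritten README drops the query list, the modeled-elements list and both test tables that the previous version carried, and the new overview links only to framework directories; unless that material now lives in READMEs under `javascript/frameworks/cap`, `javascript/frameworks/ui5` and `javascript/frameworks/xsjs`, it should be moved rather than deleted. Note also that the removed links used `javascript/frameworks/UI5` while the new ones use lowercase `javascript/frameworks/ui5`, which matches the suite path in `codeql-config.yaml`; on a case-sensitive checkout only one spelling resolves, so confirm the directory is lowercase before merging.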

javascript/frameworks/cap/ext/qlpack.yml

Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ library: true
33
name: advanced-security/javascript-sap-cap-models
44
version: 0.2.0
55
extensionTargets:
6-
codeql/javascript-all: "^0.9.1"
7-
codeql/javascript-queries: "^0.8.16"
6+
codeql/javascript-all: "^1.1.0"
7+
codeql/javascript-queries: "^1.0.3"
88
dataExtensions:
99
- "*.model.yml"
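Review bot: `extensionTargets` moves from the 0.x ranges for `codeql/javascript-all` and `codeql/javascript-queries` to `^1.1.0` and `^1.0.3`, which means a consumer still resolving the 0.9.x standard library will silently stop loading these models, yet `version: 0.2.0` in the hunk context is unchanged; bump the models pack version so the compatibility break is visible to anyone depending on it.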

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll

Lines changed: 7 additions & 1 deletion
@@ -22,6 +22,12 @@ class CdsLogger extends MethodCallNode {
2222
string getName() { result = name }
2323
}
2424

25+
class ConstantOnlyTemplateLiteral extends TemplateLiteral {
26+
ConstantOnlyTemplateLiteral() {
27+
forall(Expr e | e = this.getAnElement() | e instanceof TemplateElement)
28+
}
29+
}
30+
2531
/**
2632
* Arguments of calls to `cds.log.{trace, debug, info, log, warn, error}`
2733
*/
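Review bot: `ConstantOnlyTemplateLiteral` is added without a QLDoc comment while the neighbouring `/** Arguments of calls to ... */` block documents its class; add a one-line doc such as "A template literal with no interpolated expressions, i.e. one whose every element is a `TemplateElement`." so the purpose of the `forall` is clear to the next reader. The `forall` also holds trivially for a template literal with no interpolations at all, which is the intended outcome here since a literal with only constant text cannot carry attacker-controlled content into the log.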
@@ -31,7 +37,7 @@ class CdsLogSink extends DataFlow::Node {
3137
this = loggingMethod.getAnArgument() and
3238
loggingMethod.getMethodName() = ["trace", "debug", "info", "log", "warn", "error"] and
3339
not this.asExpr() instanceof Literal and
34-
not this.asExpr() instanceof TemplateLiteral and
40+
not this.asExpr() instanceof ConstantOnlyTemplateLiteral and
3541
loggingMethod.getReceiver().getALocalSource() = log
3642
)
3743
}
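Review bot: narrowing the exclusion from `TemplateLiteral` to `ConstantOnlyTemplateLiteral` closes a false negative, because previously any template literal passed to a `cds.log` method was dropped as a sink even when it interpolated request-controlled data; a unit test in the CAP log-injection suite that logs an interpolated template literal fed from a request parameter (expected to alert) alongside a constant-only template literal (expected not to alert) would lock this behaviour in and catch any regression.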

javascript/frameworks/cap/lib/codeql-pack.lock.yml

Lines changed: 10 additions & 10 deletions
@@ -2,23 +2,23 @@
22
lockVersion: 1.0.0
33
dependencies:
44
codeql/dataflow:
5-
version: 0.2.7
5+
version: 1.0.3
66
codeql/javascript-all:
7-
version: 0.9.1
7+
version: 1.1.0
88
codeql/mad:
9-
version: 0.2.16
9+
version: 1.0.3
1010
codeql/regex:
11-
version: 0.2.16
11+
version: 1.0.3
1212
codeql/ssa:
13-
version: 0.2.16
13+
version: 1.0.3
1414
codeql/tutorial:
15-
version: 0.2.16
15+
version: 1.0.3
1616
codeql/typetracking:
17-
version: 0.2.16
17+
version: 1.0.3
1818
codeql/util:
19-
version: 0.2.16
19+
version: 1.0.3
2020
codeql/xml:
21-
version: 0.0.3
21+
version: 1.0.3
2222
codeql/yaml:
23-
version: 0.2.16
23+
version: 1.0.3
2424
compiled: false
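Review bot: the lock now pins `codeql/javascript-all` to 1.1.0, satisfying the `^1.1.0` range the pack manifests adopt, and every other `codeql/*` entry lands on 1.0.3; since hand-edited lockfiles tend to drift from what `codeql pack install` would resolve, regenerate this file with the CLI rather than editing it so the pinned versions stay consistent with the manifests and with each other.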

javascript/frameworks/cap/lib/qlpack.yml

Lines changed: 1 addition & 1 deletion
@@ -5,5 +5,5 @@ version: 0.2.0
55
suites: codeql-suites
66
extractor: javascript
77
dependencies:
8-
codeql/javascript-all: "^0.9.1"
8+
codeql/javascript-all: "^1.1.0"
99
advanced-security/javascript-sap-cap-models: "^0.2.0"
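Review bot: this manifest now requires `codeql/javascript-all: "^1.1.0"` but keeps `advanced-security/javascript-sap-cap-models: "^0.2.0"`, a range that still accepts the earlier 0.2.0 models pack built against `^0.9.1`; if the models pack version is bumped together with its new extension targets, raise this dependency to match so a stale models pack cannot be resolved next to the 1.x library.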
