diff --git a/.github/workflows/run-codeql-unit-tests-javascript.yml b/.github/workflows/run-codeql-unit-tests-javascript.yml index 8a10d70b6..3a3ec23f5 100644 --- a/.github/workflows/run-codeql-unit-tests-javascript.yml +++ b/.github/workflows/run-codeql-unit-tests-javascript.yml @@ -81,7 +81,8 @@ jobs: run: | if ! command -v cds &> /dev/null then - npm install -g @sap/cds-dk + ## Workaround for https://github.tools.sap/cap/issues/issues/17840 + npm install -g @sap/cds-dk@8.6.1 fi # Compile .cds files to .cds.json files. @@ -97,8 +98,8 @@ jobs: echo "I am compiling $cds_file" cds compile $cds_file \ -2 json \ - -o "$cds_file.json" \ - --locations + --locations \ + > "$cds_file.json" 2> "$cds_file.err" done popd done diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh index 092d126a9..7e8dde8e5 100755 --- a/extractors/cds/tools/index-files.sh +++ b/extractors/cds/tools/index-files.sh 
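Review bot: The `8.6.1` pin added to `npm install -g @sap/cds-dk` is repeated as a literal in two more places in this commit, the `-execdir npm install` and `npx -y --package` lines of extractors/cds/tools/index-files.sh, and only this copy carries the workaround comment. The linked issue is on github.tools.sap, which looks like an SAP-internal host, so readers outside SAP probably cannot tell when the pin may be lifted. I would put the reason and the removal condition in the comment itself and point at the other sites, for example `## Pinned to 8.6.1 (workaround for cap/issues#17840); keep in sync with extractors/cds/tools/index-files.sh and unpin once fixed upstream`. A version tag also fixes only the top-level package; its dependencies are still resolved at install time.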
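Review bot: Redirecting stderr with `2> "$cds_file.err"` takes the compiler's diagnostics out of the job log, so a failing `cds compile` in this loop leaves nothing to read in the Actions output. The stdout redirect also creates `$cds_file.json` before the compiler runs, so a failed compile leaves an empty or partial file behind. If the step is meant to fail on a compile error, print the captured file on failure, e.g. `|| { cat "$cds_file.err" >&2; exit 1; }` after the redirects. The `cds compile $cds_file` argument in the context line is unquoted while the redirect targets are quoted; the loop header is outside the hunk, so I cannot see how `$cds_file` is produced.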
@@ -36,12 +36,12 @@ then # directory. # # We also ensure we skip node_modules, as we can end up in a recursive loop - find . -type d -name node_modules -prune -false -o -type f \( -iname 'package.json' \) -exec grep -ql '@sap/cds' {} \; -execdir bash -c "grep -q \"^\$(pwd)\(/\|$\)\" \"$response_file\"" \; -execdir bash -c "echo \"Installing @sap/cds-dk into \$(pwd) to enable CDS compilation.\"" \; -execdir npm install --silent @sap/cds-dk \; -execdir npm install --silent \; + find . -type d -name node_modules -prune -false -o -type f \( -iname 'package.json' \) -exec grep -ql '@sap/cds' {} \; -execdir bash -c "grep -q \"^\$(pwd)\(/\|$\)\" \"$response_file\"" \; -execdir bash -c "echo \"Installing @sap/cds-dk into \$(pwd) to enable CDS compilation.\"" \; -execdir npm install --silent @sap/cds-dk@8.6.1 \; -execdir npm install --silent \; # Use the npx command to dynamically install the cds development kit (@sap/cds-dk) package if necessary, # which then provides the cds command line tool in directories which are not covered by the package.json # install command approach above - cds_command="npx -y --package @sap/cds-dk cds" + cds_command="npx -y --package @sap/cds-dk@8.6.1 cds" else cds_command="cds" fi 
@@ -51,8 +51,11 @@ echo "Processing CDS files to JSON" # Run the cds compile command on each file in the response file, outputting the compiled JSON to a file with # the same name while IFS= read -r cds_file; do - echo "Processing CDS file $cds_file to:" - if ! $cds_command compile "$cds_file" -2 json -o "$cds_file.json" --locations 2> "$cds_file.err"; then + echo "Processing CDS file $cds_file to: $cds_file.json" + # Avoid using the `-o` (or `--dest`) option as it sends output to a new directory, where we want to + # output to a file in the same directory as the input file but with a .json extension. + if ! $cds_command compile "$cds_file" -2 json --locations > "$cds_file.json" 2> "$cds_file.err" + then stderr_truncated=`grep "^\[ERROR\]" "$cds_file.err" | tail -n 4` error_message=$'Could not compile the file '"$cds_file"$'.\nReported error(s):\n```\n'"$stderr_truncated"$'\n```' echo "$error_message" @@ -101,4 +104,4 @@ unset LGTM_INDEX_INCLUDE echo "Extracting the cds.json files" # Invoke the JavaScript autobuilder to index the .cds.json files only -"$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT"/tools/autobuild.sh \ No newline at end of file +"$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT"/tools/autobuild.sh diff --git a/javascript/frameworks/cap/ext/qlpack.yml b/javascript/frameworks/cap/ext/qlpack.yml index 6626ed7c3..eb78102bb 100644 --- a/javascript/frameworks/cap/ext/qlpack.yml +++ b/javascript/frameworks/cap/ext/qlpack.yml @@ -1,6 +1,6 @@ --- library: true name: advanced-security/javascript-sap-cap-models -version: 0.3.0 +version: 0.4.0 extensionTargets: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/cap/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/lib/codeql-pack.lock.yml 
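Review bot: With `> "$cds_file.json"` the shell creates or truncates the output file before `cds compile` starts, so when the compile fails an empty or partial `$cds_file.json` stays next to the source file. The failure branch shown here only builds and prints `error_message`; the rest of it is outside the hunk, so this may already be handled, but if not, the later autobuild step that indexes the .cds.json files would pick up the broken file. Adding `rm -f -- "$cds_file.json"` as the first statement of the failure branch avoids that. When `cds_command` is the `npx -y --package …` form, anything npx itself prints on stdout would also land in the JSON file, which is worth checking once.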
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/cap/lib/qlpack.yml b/javascript/frameworks/cap/lib/qlpack.yml index 2c46de1df..f17f2704e 100644 --- a/javascript/frameworks/cap/lib/qlpack.yml +++ b/javascript/frameworks/cap/lib/qlpack.yml @@ -1,9 +1,9 @@ --- library: true name: advanced-security/javascript-sap-cap-all -version: 0.3.0 +version: 0.4.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" - advanced-security/javascript-sap-cap-models: "^0.3.0" + codeql/javascript-all: "^2.4.0" + advanced-security/javascript-sap-cap-models: "^0.4.0" diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/cap/src/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/src/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml index 5244626b4..9297aeeea 100644 --- a/javascript/frameworks/cap/src/qlpack.yml +++ b/javascript/frameworks/cap/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false name: advanced-security/javascript-sap-cap-queries -version: 0.3.0 +version: 0.4.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" - advanced-security/javascript-sap-cap-models: "^0.3.0" - advanced-security/javascript-sap-cap-all: "^0.3.0" + codeql/javascript-all: "^2.4.0" + advanced-security/javascript-sap-cap-models: "^0.4.0" + advanced-security/javascript-sap-cap-all: "^0.4.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/cap/test/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/test/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml index 453876558..31a0ab711 100644 --- a/javascript/frameworks/cap/test/qlpack.yml +++ b/javascript/frameworks/cap/test/qlpack.yml @@ -1,9 +1,9 @@ --- name: advanced-security/javascript-sap-cap-queries-tests -version: 0.3.0 +version: 0.4.0 extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" - advanced-security/javascript-sap-cap-queries: "^0.3.0" - advanced-security/javascript-sap-cap-models: "^0.3.0" - advanced-security/javascript-sap-cap-all: "^0.3.0" + codeql/javascript-all: "^2.4.0" + advanced-security/javascript-sap-cap-queries: "^0.4.0" + advanced-security/javascript-sap-cap-models: "^0.4.0" + advanced-security/javascript-sap-cap-all: "^0.4.0" diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected index 76317f305..5b6e7e207 100644 --- a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected +++ b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected 
@@ -1,3 +1,7 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (CqlInjection.ql:14,8-27) +WARNING: type 'Configuration' has been deprecated and may be removed in future (CqlInjection.ql:19,33-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,29-47) +WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,56-74) nodes | cqlinjection.js:7:34:7:36 | req | | cqlinjection.js:7:34:7:36 | req | diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected index ac992895b..72a7d7b51 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected +++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88) nodes edges #select diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected index ac992895b..72a7d7b51 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected 
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88) nodes edges #select diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected index ac992895b..72a7d7b51 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected +++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88) nodes edges #select diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected index 708cb0500..1be03ae22 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected 
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88) nodes | srv/service2.js:6:29:6:31 | msg | | srv/service2.js:6:29:6:31 | msg | diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected index 8666c3389..aafdc3254 100644 --- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected +++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88) nodes | srv/service1.js:6:33:6:35 | req | | srv/service1.js:6:33:6:35 | req | diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected index 06af9807a..2ae4613b9 100644 
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected +++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61) +WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88) nodes | srv/service1.js:6:33:6:35 | req | | srv/service1.js:6:33:6:35 | req | diff --git a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected index 85d27ac4f..0aeb08ed7 100644 --- a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected +++ b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected @@ -1,3 +1,7 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposure.ql:17,8-27) +WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposure.ql:50,42-70) +WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,41-59) +WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,68-86) nodes | sensitive-exposure.js:9:32:9:42 | Sample.name | | sensitive-exposure.js:9:32:9:42 | Sample.name | 
@@ -5,4 +9,4 @@ nodes edges | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | #select -| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n ... } | name | \ No newline at end of file +| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n ... } | name | diff --git a/javascript/frameworks/ui5/ext/qlpack.yml b/javascript/frameworks/ui5/ext/qlpack.yml index 0d67eb13c..6c146a252 100644 --- a/javascript/frameworks/ui5/ext/qlpack.yml +++ b/javascript/frameworks/ui5/ext/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-ui5-models -version: 0.6.0 +version: 0.7.0 extensionTargets: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" dataExtensions: - "*.model.yml" diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll index f427bc9b3..858697bfa 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll 
@@ -83,8 +83,8 @@ class ODataServiceModel extends UI5ExternalModel { this instanceof NewNode and ( exists(RequiredObject oDataModel | - oDataModel.flowsTo(this.getCalleeNode()) and - oDataModel.getDependencyType() = "sap/ui/model/odata/v2/ODataModel" + oDataModel.asSourceNode().flowsTo(this.getCalleeNode()) and + oDataModel.getDependency() = "sap/ui/model/odata/v2/ODataModel" ) or this.getCalleeName() = "ODataModel" diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll index aeda179ed..8c1e9482e 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll @@ -138,8 +138,8 @@ class Loader extends CallNode { /** * A user-defined module through `sap.ui.define` or `jQuery.sap.declare`. */ -abstract class UserModule extends InvokeNode { - abstract string getADependencyType(); +abstract class UserModule extends CallExpr { + abstract string getADependency(); abstract string getModuleFileRelativePath(); 
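Review bot: `UserModule` changes its base from `InvokeNode` to `CallExpr` and renames the abstract `getADependencyType()` to `getADependency()` without leaving the old name behind, so any subclass or query outside this repository stops compiling. If the library is consumed externally, keep a forwarding predicate for one release, `deprecated string getADependencyType() { result = this.getADependency() }`, and give the new predicate a QLDoc such as `/** Gets the path of a module this module depends on. */`. The class body continues past the end of the hunk.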
@@ -150,34 +150,44 @@ abstract class UserModule extends InvokeNode { * A user-defined module through `sap.ui.define`. * https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui%23methods/sap.ui.define */ -class SapDefineModule extends CallNode, UserModule { - SapDefineModule() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("define") } +class SapDefineModule extends AmdModuleDefinition::Range, MethodCallExpr, UserModule { + SapDefineModule() { + /* + * NOTE: This only matches a call to the dot expression `sap.ui.define`, and does not consider a flow among `sap`, `ui`, and `define`. + */ - override string getADependencyType() { result = this.getDependencyType(_) } + exists(GlobalVarAccess sap, DotExpr sapUi, DotExpr sapUiDefine | + sap.getName() = "sap" and + sapUi.getBase() = sap and + sapUi.getPropertyName() = "ui" and + this.getReceiver() = sapUiDefine + // and this.getMethodName() = "define" + ) + } - override string getModuleFileRelativePath() { result = this.getFile().getRelativePath() } + string getDependency(int i) { result = this.(AmdModuleDefinition).getDependency(i).getValue() } - string getDependencyType(int i) { - result = this.getArgument(0).getALocalSource().(ArrayLiteralNode).getElement(i).getStringValue() - } + override string getADependency() { result = this.getDependency(_) } - override RequiredObject getRequiredObject(string dependencyType) { - exists(int i | - this.getDependencyType(i) = dependencyType and - result = this.getArgument(1).getALocalSource().(FunctionNode).getParameter(i) - ) + override string getModuleFileRelativePath() { result = this.getFile().getRelativePath() } + + override RequiredObject getRequiredObject(string name) { + result = this.(AmdModuleDefinition).getDependencyParameter(name) } WebApp getWebApp() { this.getFile() = result.getAResource() } - SapDefineModule getExtendingDefine() { - exists(Extension baseExtension, Extension subclassExtension, SapDefineModule subclassDefine | - baseExtension.getDefine() = 
this and - subclassDefine = subclassExtension.getDefine() and - any(RequiredObject module_ | - module_ = subclassDefine.getRequiredObject(baseExtension.getName().replaceAll(".", "/")) - ).flowsTo(subclassExtension.getReceiver()) and - result = subclassDefine + /** + * Gets the module defined with sap.ui.define that imports and extends this module. + */ + SapDefineModule getExtendingModule() { + exists(SapExtendCall baseExtendCall, SapExtendCall subclassExtendCall | + baseExtendCall.getDefine() = this and + result = subclassExtendCall.getDefine() and + result + .getRequiredObject(baseExtendCall.getName().replaceAll(".", "/")) + .asSourceNode() + .flowsTo(subclassExtendCall.getReceiver()) ) } } 
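Review bot: The new characteristic predicate of `SapDefineModule` does not tie the call to `sap.ui.define`: `sapUiDefine` is constrained only by `this.getReceiver() = sapUiDefine`, it is never related to `sapUi`, and the method-name check is commented out. As written, any method call whose receiver is a dot expression satisfies it as long as some `sap.ui` access exists in the database, and each such call also becomes an `AmdModuleDefinition::Range`. The receiver of `sap.ui.define(...)` is the `sap.ui` expression, so the binding should be `this.getReceiver() = sapUi and this.getMethodName() = "define"`, with `DotExpr sapUiDefine` dropped from the `exists`. The NOTE comment about not following flow stays accurate after that change.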
@@ -194,29 +204,27 @@ class JQuerySap extends DataFlow::SourceNode { /** * A user-defined module through `jQuery.sap.declare`. */ -class JQueryDefineModule extends UserModule, DataFlow::MethodCallNode { - JQueryDefineModule() { exists(JQuerySap jquerySap | jquerySap.flowsTo(this.getReceiver())) } +class JQueryDefineModule extends UserModule, MethodCallExpr { + JQueryDefineModule() { exists(JQuerySap jquerySap | jquerySap.asExpr() = this.getReceiver()) } - override string getADependencyType() { - result = this.getArgument(0).asExpr().(StringLiteral).getValue() - } + override string getADependency() { result = this.getArgument(0).getStringValue() } override string getModuleFileRelativePath() { result = this.getFile().getRelativePath() } - /** WARNING: toString() Hack! */ + /* WARNING: toString() Hack! */ override RequiredObject getRequiredObject(string dependencyType) { result.toString() = dependencyType and - this.getADependencyType() = dependencyType + this.getADependency() = dependencyType } } -private RequiredObject sapControl(TypeTracker t) { +private SourceNode sapControl(TypeTracker t) { t.start() and exists(UserModule d, string dependencyType | dependencyType = ["sap/ui/core/Control", "sap.ui.core.Control"] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapControl(t2).track(t2, t)) @@ -229,8 +237,8 @@ private SourceNode sapController(TypeTracker t) { exists(UserModule d, string dependencyType | dependencyType = ["sap/ui/core/mvc/Controller", "sap.ui.core.mvc.Controller"] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapController(t2).track(t2, t)) 
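Review bot: `JQueryDefineModule` now requires `jquerySap.asExpr() = this.getReceiver()` where the old code used `jquerySap.flowsTo(this.getReceiver())`, so a call made through an alias, such as a local variable holding `jQuery.sap`, no longer matches. Neither version restricts the method name, so every method call on that receiver is treated as a module declaration, not only `declare`; `JQuerySap` itself is defined above the hunk, so this is inferred from the lines shown. If the narrowing is intended, say so in the QLDoc, e.g. `Only direct calls on the jQuery.sap expression are matched; aliases are not followed.`, and consider adding `this.getMethodName() = "declare"`. The `toString()` comparison in `getRequiredObject` also deserves a sentence on why it is needed, rather than only the warning.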
@@ -243,8 +251,8 @@ private SourceNode sapRenderer(TypeTracker t) { exists(UserModule d, string dependencyType | dependencyType = ["sap/ui/core/Renderer", "sap.ui.core.Renderer"] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapController(t2).track(t2, t)) @@ -252,7 +260,7 @@ private SourceNode sapRenderer(TypeTracker t) { private SourceNode sapRenderer() { result = sapRenderer(TypeTracker::end()) } -private class Renderer extends Extension { +private class Renderer extends SapExtendCall { Renderer() { this.getReceiver().getALocalSource() = sapRenderer() } FunctionNode getRenderer() { @@ -264,10 +272,10 @@ private class Renderer extends Extension { } } -class CustomControl extends Extension { +class CustomControl extends SapExtendCall { CustomControl() { this.getReceiver().getALocalSource() = sapControl() or - exists(SapDefineModule sapModule | this.getDefine() = sapModule.getExtendingDefine()) + exists(SapDefineModule sapModule | this.getDefine() = sapModule.getExtendingModule()) } CustomController getController() { this = result.getAControlReference().getDefinition() } @@ -436,7 +444,7 @@ class ControllerReference extends Reference { CustomController getDefinition() { result = viewReference.getDefinition().getController() } } -class CustomController extends Extension { +class CustomController extends SapExtendCall { string name; CustomController() { @@ -775,8 +783,8 @@ private SourceNode sapComponent(TypeTracker t) { "sap.ui.core.UIComponent" ] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapComponent(t2).track(t2, t)) 
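Review bot: In `sapRenderer(TypeTracker t)` the recursive step kept as context in this hunk reads `exists(TypeTracker t2 | result = sapController(t2).track(t2, t))`, so the renderer tracker follows controller values instead of its own. The commit edits the base case just above but leaves this line as is; it should be `result = sapRenderer(t2).track(t2, t)`. With the current text `sapRenderer()` returns the start nodes for `sap/ui/core/Renderer` plus everything reachable from a Controller import, which would make the `Renderer` class match `Controller.extend(...)` calls. The start of the predicate is outside the hunk.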
@@ -789,7 +797,7 @@ import ManifestJson /** * A UI5 Component that may contain other controllers or controls. */ -class Component extends Extension { +class Component extends SapExtendCall { Component() { this.getReceiver().getALocalSource() = sapComponent() } string getId() { result = this.getName().regexpCapture("([a-zA-Z0-9.]+).Component", 1) } @@ -1086,8 +1094,8 @@ class JsonModel extends UI5InternalModel { this instanceof NewNode and ( exists(RequiredObject jsonModel | - jsonModel.flowsTo(this.getCalleeNode()) and - jsonModel.getDependencyType() = "sap/ui/model/json/JSONModel" + jsonModel.asSourceNode().flowsTo(this.getCalleeNode()) and + jsonModel.getDependency() = "sap/ui/model/json/JSONModel" ) or /* Fallback */ @@ -1197,8 +1205,8 @@ class XmlModel extends UI5InternalModel { XmlModel() { this instanceof NewNode and exists(RequiredObject xmlModel | - xmlModel.flowsTo(this.getCalleeNode()) and - xmlModel.getDependencyType() = "sap/ui/model/xml/XMLModel" + xmlModel.asSourceNode().flowsTo(this.getCalleeNode()) and + xmlModel.getDependency() = "sap/ui/model/xml/XMLModel" ) } 
@@ -1234,31 +1242,34 @@ class ResourceModel extends UI5Model, ModelReference { } class BindingMode extends RequiredObject { - BindingMode() { this.getDependencyType() = "sap/ui/model/BindingMode" } + BindingMode() { this.getDependency() = "sap/ui/model/BindingMode" } - PropRead getOneWay() { result = this.getAPropertyRead("OneWay") } + PropRead getOneWay() { result = this.asSourceNode().getAPropertyRead("OneWay") } - PropRead getTwoWay() { result = this.getAPropertyRead("TwoWay") } + PropRead getTwoWay() { result = this.asSourceNode().getAPropertyRead("TwoWay") } - PropRead getDefault() { result = this.getAPropertyRead("Default") } + PropRead getDefault_() { result = this.asSourceNode().getAPropertyRead("Default") } - PropRead getOneTime() { result = this.getAPropertyRead("OneTime") } + PropRead getOneTime() { result = this.asSourceNode().getAPropertyRead("OneTime") } } -class RequiredObject extends SourceNode { +class RequiredObject extends Expr { RequiredObject() { exists(SapDefineModule sapDefineModule | - this = sapDefineModule.getArgument(1).getALocalSource().(FunctionNode).getParameter(_) + this = sapDefineModule.getArgument(1).(Function).getParameter(_) ) or exists(JQueryDefineModule jQueryDefineModule | - this.toString() = - jQueryDefineModule.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() + /* WARNING: toString() Hack! */ + this.toString() = jQueryDefineModule.getArgument(0).(StringLiteral).getValue() ) } - UserModule getDefiningModule() { result.getArgument(1).(FunctionNode).getParameter(_) = this } + pragma[inline] + SourceNode asSourceNode() { result = this.flow() } + + UserModule getDefiningModule() { result.getArgument(1).(Function).getParameter(_) = this } - string getDependencyType() { + string getDependency() { exists(SapDefineModule module_ | this = module_.getRequiredObject(result)) } } 
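Review bot: `RequiredObject` accepts only parameters of a function literal written directly at argument index 1 (`sapDefineModule.getArgument(1).(Function).getParameter(_)`), while `SapDefineModule.getRequiredObject` now delegates to `getDependencyParameter`. The removed lines went through `getALocalSource()`, so a factory passed by reference no longer yields a `RequiredObject`, and a `sap.ui.define` call whose factory is not the second argument still does not; the same index is assumed in `getDefiningModule` and in `SapExtendCall.getDefine` in a later hunk. If that restriction is deliberate, a QLDoc on the class should state it, e.g. `A parameter of the factory function literal passed as the second argument of sap.ui.define, or an expression matched by name for jQuery.sap.declare.` The renamed `getDefault_` also has no comment explaining the trailing underscore.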
@@ -1266,16 +1277,18 @@ class RequiredObject extends SourceNode { /** * `SomeModule.extend(...)` where `SomeModule` stands for a module imported with `sap.ui.define`. */ -class Extension extends InvokeNode, MethodCallNode { - Extension() { +class SapExtendCall extends InvokeNode, MethodCallNode { + SapExtendCall() { /* 1. The receiver object is an imported one */ - any(RequiredObject module_).flowsTo(this.getReceiver()) and + exists(RequiredObject requiredModule | + requiredModule.asSourceNode().flowsTo(this.getReceiver()) + ) and /* 2. The method name is `extend` */ this.(MethodCallNode).getMethodName() = "extend" } FunctionNode getMethod(string methodName) { - result = this.getArgument(1).(ObjectLiteralNode).getAPropertySource(methodName).(FunctionNode) + result = this.getContent().(ObjectLiteralNode).getAPropertySource(methodName).(FunctionNode) } FunctionNode getAMethod() { result = this.getMethod(_) } 
@@ -1287,22 +1300,22 @@ class Extension extends InvokeNode, MethodCallNode { Metadata getMetadata() { result = this.getContent().getAPropertySource("metadata") or - exists(Extension baseExtension | - baseExtension.getDefine().getExtendingDefine() = this.getDefine() and - result = baseExtension.getMetadata() + exists(SapExtendCall baseExtendCall | + baseExtendCall.getDefine().getExtendingModule() = this.getDefine() and + result = baseExtendCall.getMetadata() ) } /** Gets the `sap.ui.define` call that wraps this extension. */ - SapDefineModule getDefine() { this.getEnclosingFunction() = result.getArgument(1).asExpr() } + SapDefineModule getDefine() { this.getEnclosingFunction() = result.getArgument(1) } } private newtype TSapElement = - DefinitionOfElement(Extension extension) or + DefinitionOfElement(SapExtendCall extension) or ReferenceOfElement(Reference reference) class SapElement extends TSapElement { - Extension asDefinition() { this = DefinitionOfElement(result) } + SapExtendCall asDefinition() { this = DefinitionOfElement(result) } Reference asReference() { this = ReferenceOfElement(result) } @@ -1331,12 +1344,12 @@ class SapElement extends TSapElement { } /** - * The property metadata found in an Extension. + * The property metadata found in an SapExtendCall. */ class Metadata extends ObjectLiteralNode { - Extension extension; + SapExtendCall extension; - Extension getExtension() { result = extension } + SapExtendCall getExtension() { result = extension } Metadata() { this = extension.getContent().getAPropertySource("metadata") } diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll deleted file mode 100644 index 07a0f9041..000000000 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll +++ /dev/null 
@@ -1,387 +0,0 @@ -/** - * Provides classes for working with - * [Asynchronous Module Definitions](https://github.com/amdjs/amdjs-api/wiki/AMD). - */ - -import javascript -private import semmle.javascript.internal.CachedStages -private import Expressions.ExprHasNoEffect - -/** - * A IU5 `declare`/`require` call using jQuery. - * - * Example: - * - * ``` - * √("codeql-sap-js.control.xss"); - * - * The first argument is a dependency. - * ``` - */ -abstract class SapJQueryModuleDefinition extends CallExpr { - SapJQueryModuleDefinition() { - inVoidContext(this) and - this.getReceiver().(PropAccess).getQualifiedName() = "jQuery.sap" - } -} - -/** - * `jQuery.sap.declare` call - */ -class SapJQueryDefine extends SapJQueryModuleDefinition { - SapJQueryDefine() { this.getCalleeName() = "declare" } -} - -/** - * `jQuery.sap.require` call - */ -class SapJQueryRequire extends SapJQueryModuleDefinition { - SapJQueryRequire() { this.getCalleeName() = "require" } -} - -/** - * An AMD `define`/`require` call. - * - * Example: - * - * ``` - * sap.ui.define(['fs', 'express'], function(fs, express) { - * ... - * }); - * ``` - * - * The first argument is an (optional) array of dependencies, - * the second a factory method or object. - * - * We also recognize the three-argument form `define('m', ['fs', 'express'], ...)` - * where the first argument is the module name, the second argument an - * array of dependencies, and the third argument a factory method or object. - */ -abstract class SapAmdModuleDefinition extends CallExpr { - SapAmdModuleDefinition() { - inVoidContext(this) and - exists(int n | n = this.getNumArgument() | - n = 1 - or - n = 2 and this.getArgument(0) instanceof ArrayExpr - or - n = 3 and - this.getArgument(0) instanceof ConstantString and - this.getArgument(1) instanceof ArrayExpr - ) - } - - /** Gets the array of module dependencies, if any. 
*/ - ArrayExpr getDependencies() { - result = this.getArgument(0) or - result = this.getArgument(1) - } - - /** Gets the `i`th dependency of this module definition. */ - PathExpr getDependency(int i) { result = this.getDependencies().getElement(i) } - - /** Gets a dependency of this module definition. */ - PathExpr getADependency() { - result = this.getDependency(_) or - result = this.getARequireCall().getAnArgument() - } - - /** - * Gets a data flow node containing the factory value of this module definition. - */ - pragma[nomagic] - DataFlow::SourceNode getFactoryNode() { - result = this.getFactoryNodeInternal() and - result instanceof DataFlow::ValueNode - } - - private DataFlow::Node getFactoryNodeInternal() { - // To avoid recursion, this should not depend on `SourceNode`. - result = DataFlow::valueNode(this.getLastArgument()) or - result = this.getFactoryNodeInternal().getAPredecessor() - } - - /** Gets the expression defining this module. */ - Expr getModuleExpr() { - exists(DataFlow::Node f | f = this.getFactoryNode() | - if f instanceof DataFlow::FunctionNode - then - exists(ReturnStmt ret | ret.getContainer() = f.(DataFlow::FunctionNode).getAstNode() | - result = ret.getExpr() - ) - else result = f.asExpr() - ) - } - - /** Gets a source node whose value becomes the definition of this module. */ - DataFlow::SourceNode getAModuleSource() { result.flowsToExpr(this.getModuleExpr()) } - - /** - * Holds if `p` is the parameter corresponding to dependency `dep`. - */ - predicate dependencyParameter(PathExpr dep, Parameter p) { - exists(int i | - dep = this.getDependency(i) and - p = this.getFactoryParameter(i) - ) - } - - /** - * Gets the parameter corresponding to dependency `name`. - * - * For instance, in the module definition - * - * ``` - * define(['dep1', 'dep2'], function(pdep1, pdep2) { ... }) - * ``` - * - * parameters `pdep1` and `pdep2` correspond to dependencies - * `dep1` and `dep2`. 
- */ - Parameter getDependencyParameter(string name) { - exists(PathExpr dep | - this.dependencyParameter(dep, result) and - dep.getValue() = name - ) - } - - /** - * Gets the `i`th parameter of the factory function of this module. - */ - private Parameter getFactoryParameter(int i) { - this.getFactoryNodeInternal().asExpr().(Function).getParameter(i) = result - } - - /** - * Gets the parameter corresponding to the pseudo-dependency `require`. - */ - Parameter getRequireParameter() { - result = this.getDependencyParameter("require") - or - // if no dependencies are listed, the first parameter is assumed to be `require` - not exists(this.getDependencies()) and result = this.getFactoryParameter(0) - } - - pragma[noinline] - private Variable getRequireVariable() { result = this.getRequireParameter().getVariable() } - - /** - * Gets the parameter corresponding to the pseudo-dependency `exports`. - */ - Parameter getExportsParameter() { - result = this.getDependencyParameter("exports") - or - // if no dependencies are listed, the second parameter is assumed to be `exports` - not exists(this.getDependencies()) and result = this.getFactoryParameter(1) - } - - /** - * Gets the parameter corresponding to the pseudo-dependency `module`. - */ - Parameter getModuleParameter() { - result = this.getDependencyParameter("module") - or - // if no dependencies are listed, the third parameter is assumed to be `module` - not exists(this.getDependencies()) and result = this.getFactoryParameter(2) - } - - /** - * Gets an abstract value representing one or more values that may flow - * into this module's `module.exports` property. 
- */ - DefiniteAbstractValue getAModuleExportsValue() { - result = [this.getAnImplicitExportsValue(), this.getAnExplicitExportsValue()] - } - - pragma[noinline, nomagic] - private AbstractValue getAnImplicitExportsValue() { - // implicit exports: anything that is returned from the factory function - result = this.getModuleExpr().analyze().getAValue() - } - - pragma[noinline] - private AbstractValue getAnExplicitExportsValue() { - // explicit exports: anything assigned to `module.exports` - exists(AbstractProperty moduleExports, SapAmdModule m | - this = m.getDefine() and - moduleExports.getBase().(AbstractModuleObject).getModule() = m and - moduleExports.getPropertyName() = "exports" - | - result = moduleExports.getAValue() - ) - } - - /** - * Gets a call to `require` inside this module. - */ - CallExpr getARequireCall() { - result.getCallee().getUnderlyingValue() = this.getRequireVariable().getAnAccess() - } -} - -/** - * `sap.ui.define` call - */ -class SapUiDefine extends SapAmdModuleDefinition { - SapUiDefine() { - this.getReceiver().(PropAccess).getQualifiedName() = "sap.ui" and - this.getCalleeName() = "define" - } -} - -/** - * `sap.ui.require` call - */ -class SapUiRequire extends SapAmdModuleDefinition { - SapUiRequire() { - this.getReceiver().(PropAccess).getQualifiedName() = "sap.ui" and - this.getCalleeName() = "require" - } -} - -/** An UI5 dependency, considered as a path expression. */ -private class SapAmdDependencyPath extends PathExprCandidate { - SapAmdDependencyPath() { - exists(SapAmdModuleDefinition amd | - this = amd.getDependencies().getAnElement() or - this = amd.getARequireCall().getAnArgument() - ) - } -} - -/** A constant path element appearing in an AMD dependency expression. 
*/ -private class ConstantAmdDependencyPathElement extends PathExpr, ConstantString { - ConstantAmdDependencyPathElement() { this = any(SapAmdDependencyPath amd).getAPart() } - - override string getValue() { result = this.getStringValue() } -} - -/** - * Holds if `nd` is nested inside an AMD module definition. - */ -private predicate inAmdModuleDefinition(AstNode nd) { - nd.getParent() instanceof SapAmdModuleDefinition - or - inAmdModuleDefinition(nd.getParent()) -} - -/** - * Holds if `def` is an AMD module definition in `tl` which is not - * nested inside another module definition. - */ -private predicate amdModuleTopLevel(SapAmdModuleDefinition def, TopLevel tl) { - def.getTopLevel() = tl and - not inAmdModuleDefinition(def) -} - -/** - * An AMD dependency, viewed as an import. - */ -private class SapAmdDependencyImport extends Import { - SapAmdDependencyImport() { this = any(SapAmdModuleDefinition def).getADependency() } - - override Module getEnclosingModule() { this = result.(SapAmdModule).getDefine().getADependency() } - - override PathExpr getImportedPath() { result = this } - - /** - * Gets a file that looks like it might be the target of this import. - * - * Specifically, we look for files whose absolute path ends with the imported path, possibly - * adding well-known JavaScript file extensions like `.js`. - */ - private File guessTarget() { - exists(PathString imported, string abspath, string dirname, string basename | - this.targetCandidate(result, abspath, imported, dirname, basename) - | - abspath.regexpMatch(".*/\\Q" + imported + "\\E") - or - exists(Folder dir | - // `dir` ends with the dirname of the imported path - dir.getAbsolutePath().regexpMatch(".*/\\Q" + dirname + "\\E") or - dirname = "" - | - result = dir.getJavaScriptFile(basename) - ) - ) - } - - /** - * Holds if `f` is a file whose stem (that is, basename without extension) matches the imported path. 
- * - * Additionally, `abspath` is bound to the absolute path of `f`, `imported` to the imported path, and - * `dirname` and `basename` to the dirname and basename (respectively) of `imported`. - */ - private predicate targetCandidate( - File f, string abspath, PathString imported, string dirname, string basename - ) { - imported = this.getImportedPath().getValue() and - f.getStem() = imported.getStem() and - f.getAbsolutePath() = abspath and - dirname = imported.getDirName() and - basename = imported.getBaseName() - } - - /** - * Gets the module whose absolute path matches this import, if there is only a single such module. - */ - private Module resolveByAbsolutePath() { - result.getFile() = unique(File file | file = this.guessTarget()) - } - - override Module getImportedModule() { - result = super.getImportedModule() - or - not exists(super.getImportedModule()) and - result = this.resolveByAbsolutePath() - } - - override DataFlow::Node getImportedModuleNode() { - exists(Parameter param | - any(SapAmdModuleDefinition def).dependencyParameter(this, param) and - result = DataFlow::parameterNode(param) - ) - } -} - -/** - * An AMD-style module. - * - * Example: - * - * ``` - * define(['fs', 'express'], function(fs, express) { - * ... - * }); - * ``` - */ -class SapAmdModule extends Module { - cached - SapAmdModule() { - Stages::DataFlowStage::ref() and - exists(unique(SapAmdModuleDefinition def | amdModuleTopLevel(def, this))) - } - - /** Gets the definition of this module. 
*/ - SapAmdModuleDefinition getDefine() { amdModuleTopLevel(result, this) } - - override DataFlow::Node getAnExportedValue(string name) { - exists(DataFlow::PropWrite pwn | result = pwn.getRhs() | - pwn.getBase().analyze().getAValue() = this.getDefine().getAModuleExportsValue() and - name = pwn.getPropertyName() - ) - } - - override DataFlow::Node getABulkExportedNode() { - // Assigned to `module.exports` via the factory's `module` parameter - exists(AbstractModuleObject m, DataFlow::PropWrite write | - m.getModule() = this and - write.getPropertyName() = "exports" and - write.getBase().analyze().getAValue() = m and - result = write.getRhs() - ) - or - // Returned from factory function - result = this.getDefine().getModuleExpr().flow() - } -} diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll index 8e049b42d..bbfd1acde 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll @@ -10,7 +10,7 @@ private class StoragePutCall extends CallNode { /* 1. This is a call to `sap.ui.util.Storage.put` */ // 1-1. Required from `sap/ui/util/Storage` exists(RequiredObject storageClass | - this.getReceiver().getALocalSource() = storageClass and + this.getReceiver().getALocalSource() = storageClass.asSourceNode() and this.getCalleeName() = "put" ) or @@ -46,7 +46,7 @@ private class FileSaveCall extends CallNode { FileSaveCall() { /* 1. Required from `sap/ui/core/util/File` */ exists(RequiredObject fileClass | - this.getReceiver().getALocalSource() = fileClass and + this.getReceiver().getALocalSource() = fileClass.asSourceNode() and this.getCalleeName() = "save" ) or 
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll index 1d9f2f04c..5fcd8023f 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll @@ -32,19 +32,20 @@ class Configuration extends DomBasedXss::Configuration { ) } - override predicate isSanitizer(DataFlow::Node node) { + override predicate isBarrier(DataFlow::Node node) { /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */ super.isSanitizer(node) or /* 2. Value read from a non-string control property */ - node = any(PropertyMetadata m | not m.isUnrestrictedStringType()) + exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m) or /* 3-1. Sanitizers provided by `sap.base.security` */ - exists(SapAmdModuleDefinition d, DataFlow::ParameterNode par | + exists(SapDefineModule d, DataFlow::ParameterNode par | node = par.getACall() and - par.getParameter() = - d.getDependencyParameter("sap/base/security/" + + par = + d.getRequiredObject("sap/base/security/" + ["encodeCSS", "encodeJS", "encodeURL", "encodeURLParameters", "encodeXML"]) + .asSourceNode() ) or /* 3-2. Sanitizers provided by `jQuery.sap` */ diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll index 17552cc87..ffba729d3 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll 
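Review bot: The override in the `@@ -32,19 +32,20 @@` hunk is renamed to `isBarrier`, but its first disjunct still delegates to `super.isSanitizer(node)` and the comment above it still speaks of a sanitizer. If `DomBasedXss::Configuration` in `codeql/javascript-all` 2.4.0 contributes any built-in barriers through `isBarrier`, this override replaces them and the UI5 XSS query would report flows the stock query suppresses. I would make the delegation match the overridden predicate, `super.isBarrier(node)`, or keep both as `super.isBarrier(node) or super.isSanitizer(node)`, after checking which one the parent defines. The predicate body continues past the end of the hunk, so the `jQuery.sap` branch was not reviewed.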
@@ -2,7 +2,6 @@ import javascript import semmle.javascript.dataflow.DataFlow as StdLibDataFlow import advanced_security.javascript.frameworks.ui5.UI5 import advanced_security.javascript.frameworks.ui5.UI5View -import advanced_security.javascript.frameworks.ui5.UI5AMDModule import advanced_security.javascript.frameworks.ui5.RemoteFlowSources import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps private import StdLibDataFlow::DataFlow::PathGraph as DataFlowPathGraph diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll index 58ff9f365..3fde64d21 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll @@ -1,6 +1,5 @@ import javascript import advanced_security.javascript.frameworks.ui5.UI5 -private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions as ApiGraphModelsExtensions /** * Step from a part of internal model to a relevant control property. diff --git a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/ui5/lib/qlpack.yml b/javascript/frameworks/ui5/lib/qlpack.yml index 3f0108f2b..51e9a6f91 100644 --- a/javascript/frameworks/ui5/lib/qlpack.yml +++ b/javascript/frameworks/ui5/lib/qlpack.yml @@ -1,9 +1,9 @@ --- library: true name: advanced-security/javascript-sap-ui5-all -version: 0.6.0 +version: 0.7.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" - advanced-security/javascript-sap-ui5-models: "^0.6.0" + codeql/javascript-all: "^2.4.0" + advanced-security/javascript-sap-ui5-models: "^0.7.0" diff --git a/javascript/frameworks/ui5/src/codeql-pack.lock.yml b/javascript/frameworks/ui5/src/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/ui5/src/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/src/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/ui5/src/qlpack.yml b/javascript/frameworks/ui5/src/qlpack.yml index f3177ee29..ffc3f7ad8 100644 --- a/javascript/frameworks/ui5/src/qlpack.yml +++ b/javascript/frameworks/ui5/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false name: advanced-security/javascript-sap-ui5-queries -version: 0.6.0 +version: 0.7.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" - advanced-security/javascript-sap-ui5-models: "^0.6.0" - advanced-security/javascript-sap-ui5-all: "^0.6.0" + codeql/javascript-all: "^2.4.0" + advanced-security/javascript-sap-ui5-models: "^0.7.0" + advanced-security/javascript-sap-ui5-all: "^0.7.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml index 2c0c0a331..9dd6c6365 100644 --- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml 
@@ -2,29 +2,31 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/javascript-queries: - version: 1.2.0 + version: 1.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 codeql/suite-helpers: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/typos: - version: 1.0.8 + version: 1.0.16 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql b/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql index 5a4271019..c1e4f8beb 100644 --- a/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql +++ b/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql @@ -6,12 +6,12 @@ */ import javascript -import semmle.javascript.security.dataflow.TaintedPathQuery as TaintedPathQuery +import semmle.javascript.security.dataflow.TaintedPathQuery import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow -class UI5ExtPathISink extends TaintedPathQuery::Sink { +class UI5ExtPathISink extends DataFlow::Node { UI5ExtPathISink() { this = ModelOutput::getASinkNode("ui5-path-injection").asSink() } } -from TaintedPathQuery::Sink sink +from UI5ExtPathISink sink select sink, sink.toString() diff --git a/javascript/frameworks/ui5/test/models/source/sourceTest.expected b/javascript/frameworks/ui5/test/models/source/sourceTest.expected index f2b0bccb9..179664dc2 100644 --- a/javascript/frameworks/ui5/test/models/source/sourceTest.expected +++ b/javascript/frameworks/ui5/test/models/source/sourceTest.expected 
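Review bot: In `pathSinkTest.ql`, `UI5ExtPathISink` now extends plain `DataFlow::Node` and the query selects only that class, so the test shows that the `ui5-path-injection` model rows resolve to nodes and nothing about whether the shipped path-injection query accepts them as sinks. If that is the intent, say so in the file header, for example `Checks that "ui5-path-injection" model rows resolve to nodes; sink registration in the query is not covered here.` The now unqualified `import semmle.javascript.security.dataflow.TaintedPathQuery` appears unused in the visible lines and could be dropped if nothing else in the file needs it.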
@@ -1,28 +1,56 @@ | source.js:25:17:25:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:25:17:25:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:27:17:27:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:27:17:27:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:29:17:29:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:29:17:29:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:31:17:31:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:31:17:31:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:33:17:33:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:33:17:33:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:35:17:35:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:35:17:35:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:37:17:37:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:37:17:37:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:39:17:39:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:39:17:39:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:41:17:41:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:41:17:41:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:43:17:43:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:43:17:43:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | 
source.js:45:17:45:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:45:17:45:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:47:17:47:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:47:17:47:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:49:17:49:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:49:17:49:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:51:17:51:37 | obj.get ... Value() | Remote flow source of type: Remote flow | +| source.js:51:17:51:37 | obj.get ... Value() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:53:17:53:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:53:17:53:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:55:17:55:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:55:17:55:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:57:17:57:51 | jQuery. ... ).get() | Remote flow source of type: Remote flow | +| source.js:57:17:57:51 | jQuery. ... ).get() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:59:17:59:37 | jQuery. ... cHead() | Remote flow source of type: Remote flow | +| source.js:59:17:59:37 | jQuery. ... cHead() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:61:17:61:36 | jQuery.sap.syncGet() | Remote flow source of type: Remote flow | +| source.js:61:17:61:36 | jQuery.sap.syncGet() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:63:17:63:40 | jQuery. ... tText() | Remote flow source of type: Remote flow | +| source.js:63:17:63:40 | jQuery. ... 
tText() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:65:17:65:37 | jQuery. ... cPost() | Remote flow source of type: Remote flow | +| source.js:65:17:65:37 | jQuery. ... cPost() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:67:17:67:41 | jQuery. ... tText() | Remote flow source of type: Remote flow | +| source.js:67:17:67:41 | jQuery. ... tText() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:69:17:69:52 | UriPara ... ).get() | Remote flow source of type: Remote flow | +| source.js:69:17:69:52 | UriPara ... ).get() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:70:17:70:55 | UriPara ... etAll() | Remote flow source of type: Remote flow | +| source.js:70:17:70:55 | UriPara ... etAll() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:73:17:73:25 | obj.get() | Remote flow source of type: Remote flow | +| source.js:73:17:73:25 | obj.get() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:74:17:74:28 | obj.getAll() | Remote flow source of type: Remote flow | +| source.js:74:17:74:28 | obj.getAll() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:76:17:76:28 | obj.getAll() | Remote flow source of type: Remote flow | +| source.js:76:17:76:28 | obj.getAll() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:78:17:78:25 | obj.get() | Remote flow source of type: Remote flow | +| source.js:78:17:78:25 | obj.get() | Remote flow source of type: Source node (remote) [from data-extension] | diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index b82fefbd4..c81393a00 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml 
@@ -1,9 +1,9 @@ name: advanced-security/javascript-sap-ui5-queries-tests -version: 0.6.0 +version: 0.7.0 extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" codeql/javascript-queries: "^1.2.0" - advanced-security/javascript-sap-ui5-queries: "^0.6.0" - advanced-security/javascript-sap-ui5-models: "^0.6.0" - advanced-security/javascript-sap-ui5-all: "^0.6.0" + advanced-security/javascript-sap-ui5-queries: "^0.7.0" + advanced-security/javascript-sap-ui5-models: "^0.7.0" + advanced-security/javascript-sap-ui5-all: "^0.7.0" diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected index 27830ed24..18d351403 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected 
@@ -1,64 +1,45 @@ -nodes -| LogInjectionTest.js:6:9:6:50 | value | -| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | -| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | -| LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | -| LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | -| LogInjectionTest.js:7:34:7:38 | value | -| LogInjectionTest.js:13:9:13:36 | q | -| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | -| LogInjectionTest.js:13:23:13:29 | req.url | -| LogInjectionTest.js:13:23:13:29 | req.url | -| LogInjectionTest.js:14:9:14:32 | value | -| LogInjectionTest.js:14:17:14:17 | q | -| LogInjectionTest.js:14:17:14:23 | q.query | -| LogInjectionTest.js:14:17:14:32 | q.query.username | -| LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | -| LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | -| LogInjectionTest.js:15:34:15:38 | value | -| LogInjectionTest.js:21:9:21:36 | q | -| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | -| LogInjectionTest.js:21:23:21:29 | req.url | -| LogInjectionTest.js:21:23:21:29 | req.url | -| LogInjectionTest.js:22:9:22:32 | value | -| LogInjectionTest.js:22:17:22:17 | q | -| LogInjectionTest.js:22:17:22:23 | q.query | -| LogInjectionTest.js:22:17:22:32 | q.query.username | -| LogInjectionTest.js:23:9:23:44 | value1 | -| LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) | -| LogInjectionTest.js:23:39:23:43 | value | -| LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | -| LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | -| LogInjectionTest.js:24:34:24:39 | value1 | edges -| LogInjectionTest.js:6:9:6:50 | value | LogInjectionTest.js:7:34:7:38 | value | -| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:6:9:6:50 | value | -| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:6:9:6:50 | value | -| LogInjectionTest.js:7:34:7:38 | value | LogInjectionTest.js:7:18:7:40 | `[INFO] ... 
value}` | -| LogInjectionTest.js:7:34:7:38 | value | LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | -| LogInjectionTest.js:13:9:13:36 | q | LogInjectionTest.js:14:17:14:17 | q | -| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | LogInjectionTest.js:13:9:13:36 | q | -| LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:13:13:13:36 | url.par ... , true) | -| LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:13:13:13:36 | url.par ... , true) | -| LogInjectionTest.js:14:9:14:32 | value | LogInjectionTest.js:15:34:15:38 | value | -| LogInjectionTest.js:14:17:14:17 | q | LogInjectionTest.js:14:17:14:23 | q.query | -| LogInjectionTest.js:14:17:14:23 | q.query | LogInjectionTest.js:14:17:14:32 | q.query.username | -| LogInjectionTest.js:14:17:14:32 | q.query.username | LogInjectionTest.js:14:9:14:32 | value | -| LogInjectionTest.js:15:34:15:38 | value | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | -| LogInjectionTest.js:15:34:15:38 | value | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | -| LogInjectionTest.js:21:9:21:36 | q | LogInjectionTest.js:22:17:22:17 | q | -| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | LogInjectionTest.js:21:9:21:36 | q | -| LogInjectionTest.js:21:23:21:29 | req.url | LogInjectionTest.js:21:13:21:36 | url.par ... , true) | -| LogInjectionTest.js:21:23:21:29 | req.url | LogInjectionTest.js:21:13:21:36 | url.par ... , true) | -| LogInjectionTest.js:22:9:22:32 | value | LogInjectionTest.js:23:39:23:43 | value | -| LogInjectionTest.js:22:17:22:17 | q | LogInjectionTest.js:22:17:22:23 | q.query | -| LogInjectionTest.js:22:17:22:23 | q.query | LogInjectionTest.js:22:17:22:32 | q.query.username | -| LogInjectionTest.js:22:17:22:32 | q.query.username | LogInjectionTest.js:22:9:22:32 | value | -| LogInjectionTest.js:23:9:23:44 | value1 | LogInjectionTest.js:24:34:24:39 | value1 | -| LogInjectionTest.js:23:18:23:44 | jQuery. ... 
(value) | LogInjectionTest.js:23:9:23:44 | value1 | -| LogInjectionTest.js:23:39:23:43 | value | LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) | -| LogInjectionTest.js:24:34:24:39 | value1 | LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | -| LogInjectionTest.js:24:34:24:39 | value1 | LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | +| LogInjectionTest.js:6:9:6:50 | value | LogInjectionTest.js:7:34:7:38 | value | provenance | | +| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:6:9:6:50 | value | provenance | | +| LogInjectionTest.js:7:34:7:38 | value | LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | provenance | | +| LogInjectionTest.js:13:9:13:36 | q | LogInjectionTest.js:14:17:14:17 | q | provenance | | +| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | LogInjectionTest.js:13:9:13:36 | q | provenance | | +| LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:13:13:13:36 | url.par ... , true) | provenance | | +| LogInjectionTest.js:14:9:14:32 | value | LogInjectionTest.js:15:34:15:38 | value | provenance | | +| LogInjectionTest.js:14:17:14:17 | q | LogInjectionTest.js:14:9:14:32 | value | provenance | | +| LogInjectionTest.js:15:34:15:38 | value | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | provenance | | +| LogInjectionTest.js:21:9:21:36 | q | LogInjectionTest.js:22:17:22:17 | q | provenance | | +| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | LogInjectionTest.js:21:9:21:36 | q | provenance | | +| LogInjectionTest.js:21:23:21:29 | req.url | LogInjectionTest.js:21:13:21:36 | url.par ... , true) | provenance | | +| LogInjectionTest.js:22:9:22:32 | value | LogInjectionTest.js:23:39:23:43 | value | provenance | | +| LogInjectionTest.js:22:17:22:17 | q | LogInjectionTest.js:22:9:22:32 | value | provenance | | +| LogInjectionTest.js:23:9:23:44 | value1 | LogInjectionTest.js:24:34:24:39 | value1 | provenance | | +| LogInjectionTest.js:23:18:23:44 | jQuery. ... 
(value) | LogInjectionTest.js:23:9:23:44 | value1 | provenance | | +| LogInjectionTest.js:23:39:23:43 | value | LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) | provenance | | +| LogInjectionTest.js:24:34:24:39 | value1 | LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | provenance | | +nodes +| LogInjectionTest.js:6:9:6:50 | value | semmle.label | value | +| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | semmle.label | jQuery. ... param") | +| LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | semmle.label | `[INFO] ... value}` | +| LogInjectionTest.js:7:34:7:38 | value | semmle.label | value | +| LogInjectionTest.js:13:9:13:36 | q | semmle.label | q | +| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| LogInjectionTest.js:13:23:13:29 | req.url | semmle.label | req.url | +| LogInjectionTest.js:14:9:14:32 | value | semmle.label | value | +| LogInjectionTest.js:14:17:14:17 | q | semmle.label | q | +| LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | semmle.label | `[INFO] ... value}` | +| LogInjectionTest.js:15:34:15:38 | value | semmle.label | value | +| LogInjectionTest.js:21:9:21:36 | q | semmle.label | q | +| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | semmle.label | url.par ... , true) | +| LogInjectionTest.js:21:23:21:29 | req.url | semmle.label | req.url | +| LogInjectionTest.js:22:9:22:32 | value | semmle.label | value | +| LogInjectionTest.js:22:17:22:17 | q | semmle.label | q | +| LogInjectionTest.js:23:9:23:44 | value1 | semmle.label | value1 | +| LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) | semmle.label | jQuery. ... (value) | +| LogInjectionTest.js:23:39:23:43 | value | semmle.label | value | +| LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | semmle.label | `[INFO] ... alue1}` | +| LogInjectionTest.js:24:34:24:39 | value1 | semmle.label | value1 | +subpaths #select | LogInjectionTest.js:7:18:7:40 | `[INFO] ... 
value}` | LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | Log entry depends on a $@. | LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | user-provided value | | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | Log entry depends on a $@. | LogInjectionTest.js:13:23:13:29 | req.url | user-provided value | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected index a9669444b..6b6753ba6 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83) nodes | LogInjectionTest.js:6:9:6:50 | value | | LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected index 50eefd709..a5d036953 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83) nodes | webapp/control/xss.js:7:23:7:37 | { type: "int" } | | webapp/control/xss.js:13:38:13:55 | oControl.getText() | 
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected index 9d5f62193..0c6d16cdc 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83) nodes | webapp/control/xss.js:8:23:8:40 | { type: "string" } | | webapp/control/xss.js:15:21:15:46 | value | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected index 850eebdc6..d273dffe6 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83) nodes | webapp/controller/app.controller.js:9:17:9:27 | input: null | | webapp/controller/app.controller.js:15:17:15:52 | input | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected index f05e5f1f0..680bdd867 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected 
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5UnsafeLogAccess.ql:18,44-83) nodes | webapp/controller/app.controller.js:9:17:9:27 | input: null | | webapp/controller/app.controller.js:15:17:15:52 | input | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected index ef8e741c9..5b856ecca 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83) nodes | webapp/controller/app.controller.js:8:11:8:21 | input: null | | webapp/controller/app.controller.js:14:13:14:48 | input | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected index 17ef49fbd..0742d5d86 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogsToHttp.ql:19,44-83) nodes | webapp/controller/app.controller.js:8:11:8:21 | input: null | | webapp/controller/app.controller.js:14:13:14:48 | input | 
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected index a4e1f9187..5e77fa377 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5UnsafeLogAccess.ql:18,44-83) nodes | webapp/controller/app.controller.js:8:11:8:21 | input: null | | webapp/controller/app.controller.js:14:13:14:48 | input | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected index 23487ae87..55a3c46de 100644 --- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83) nodes | webapp/controller/app.controller.js:9:17:9:27 | input: null | | webapp/controller/app.controller.js:15:17:15:52 | input | diff --git a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected index 6a0a93b2d..89d898adc 100644 --- a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected 
+++ b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'Configuration' has been deprecated and may be removed in future (UI5PathInjection.ql:20,45-73) nodes | webapp/control/xss.js:8:23:8:37 | { type: "int" } | | webapp/control/xss.js:17:43:17:60 | oControl.getText() | diff --git a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected index 14fd36fd5..c0a394b18 100644 --- a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'Configuration' has been deprecated and may be removed in future (UI5PathInjection.ql:20,45-73) nodes | webapp/control/xss.js:9:23:9:40 | { type: "string" } | | webapp/control/xss.js:15:21:15:46 | value | diff --git a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected index 0d871e07d..52662564d 100644 --- a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected @@ -1,3 +1,4 @@ +WARNING: type 'Configuration' has been deprecated and may be removed in future (UI5PathInjection.ql:20,45-73) nodes | webapp/controller/app.controller.js:10:17:10:27 | input: null | | webapp/controller/app.controller.js:16:39:16:66 | oModel. ... input') | 
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected
index cbbf4994d..04f9ed982 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected
@@ -1,60 +1,38 @@ nodes -| XssTest.js:3:9:3:50 | value | -| XssTest.js:3:9:3:50 | value | -| XssTest.js:3:17:3:50 | jQuery. ... param") | -| XssTest.js:3:17:3:50 | jQuery. ... param") | -| XssTest.js:3:17:3:50 | jQuery. ... param") | -| XssTest.js:4:20:4:24 | value | -| XssTest.js:4:20:4:24 | value | -| XssTest.js:4:20:4:24 | value | -| XssTest.js:10:9:10:40 | value | -| XssTest.js:10:17:10:40 | documen ... .search | -| XssTest.js:10:17:10:40 | documen ... .search | -| XssTest.js:11:20:11:24 | value | -| XssTest.js:11:20:11:24 | value | -| XssTest.js:17:9:17:40 | value | -| XssTest.js:17:17:17:40 | documen ... .search | -| XssTest.js:17:17:17:40 | documen ... .search | -| XssTest.js:18:9:18:44 | value1 | -| XssTest.js:18:18:18:44 | jQuery. ... (value) | -| XssTest.js:18:39:18:43 | value | -| XssTest.js:19:20:19:25 | value1 | -| XssTest.js:19:20:19:25 | value1 | -| XssTest.js:25:9:25:40 | value | -| XssTest.js:25:17:25:40 | documen ... .search | -| XssTest.js:25:17:25:40 | documen ... .search | -| XssTest.js:26:9:26:44 | value1 | -| XssTest.js:26:18:26:44 | jQuery. ... (value) | -| XssTest.js:26:39:26:43 | value | -| XssTest.js:27:20:27:25 | value1 | -| XssTest.js:27:20:27:25 | value1 | +| XssTest.js:3:9:3:50 | value | semmle.label | value | +| XssTest.js:3:17:3:50 | jQuery. ... param") | semmle.label | jQuery. ... param") | +| XssTest.js:4:20:4:24 | value | semmle.label | value | +| XssTest.js:10:9:10:40 | value | semmle.label | value | +| XssTest.js:10:17:10:40 | documen ... .search | semmle.label | documen ... .search | +| XssTest.js:11:20:11:24 | value | semmle.label | value | +| XssTest.js:17:9:17:40 | value | semmle.label | value | +| XssTest.js:17:17:17:40 | documen ... .search | semmle.label | documen ... .search | +| XssTest.js:18:9:18:44 | value1 | semmle.label | value1 | +| XssTest.js:18:18:18:44 | jQuery. ... (value) | semmle.label | jQuery. ... 
(value) | +| XssTest.js:18:39:18:43 | value | semmle.label | value | +| XssTest.js:19:20:19:25 | value1 | semmle.label | value1 | +| XssTest.js:25:9:25:40 | value | semmle.label | value | +| XssTest.js:25:17:25:40 | documen ... .search | semmle.label | documen ... .search | +| XssTest.js:26:9:26:44 | value1 | semmle.label | value1 | +| XssTest.js:26:18:26:44 | jQuery. ... (value) | semmle.label | jQuery. ... (value) | +| XssTest.js:26:39:26:43 | value | semmle.label | value | +| XssTest.js:27:20:27:25 | value1 | semmle.label | value1 | edges -| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | -| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | -| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | -| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | -| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value | -| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value | -| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value | -| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value | -| XssTest.js:10:9:10:40 | value | XssTest.js:11:20:11:24 | value | -| XssTest.js:10:9:10:40 | value | XssTest.js:11:20:11:24 | value | -| XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value | -| XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value | -| XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value | -| XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value | -| XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value | -| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 | -| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 | -| XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 | -| XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... 
(value) | -| XssTest.js:25:9:25:40 | value | XssTest.js:26:39:26:43 | value | -| XssTest.js:25:17:25:40 | documen ... .search | XssTest.js:25:9:25:40 | value | -| XssTest.js:25:17:25:40 | documen ... .search | XssTest.js:25:9:25:40 | value | -| XssTest.js:26:9:26:44 | value1 | XssTest.js:27:20:27:25 | value1 | -| XssTest.js:26:9:26:44 | value1 | XssTest.js:27:20:27:25 | value1 | -| XssTest.js:26:18:26:44 | jQuery. ... (value) | XssTest.js:26:9:26:44 | value1 | -| XssTest.js:26:39:26:43 | value | XssTest.js:26:18:26:44 | jQuery. ... (value) | +| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | provenance | | +| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value | provenance | | +| XssTest.js:10:9:10:40 | value | XssTest.js:11:20:11:24 | value | provenance | | +| XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value | provenance | | +| XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value | provenance | | +| XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value | provenance | | +| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 | provenance | | +| XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 | provenance | | +| XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... (value) | provenance | | +| XssTest.js:25:9:25:40 | value | XssTest.js:26:39:26:43 | value | provenance | | +| XssTest.js:25:17:25:40 | documen ... .search | XssTest.js:25:9:25:40 | value | provenance | | +| XssTest.js:26:9:26:44 | value1 | XssTest.js:27:20:27:25 | value1 | provenance | | +| XssTest.js:26:18:26:44 | jQuery. ... (value) | XssTest.js:26:9:26:44 | value1 | provenance | | +| XssTest.js:26:39:26:43 | value | XssTest.js:26:18:26:44 | jQuery. ... (value) | provenance | | +subpaths #select | XssTest.js:4:20:4:24 | value | XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:4:20:4:24 | value | Cross-site scripting vulnerability due to $@. 
| XssTest.js:3:17:3:50 | jQuery. ... param") | user-provided value | | XssTest.js:11:20:11:24 | value | XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:11:20:11:24 | value | Cross-site scripting vulnerability due to $@. | XssTest.js:10:17:10:40 | documen ... .search | user-provided value |
diff --git a/javascript/frameworks/xsjs/ext/qlpack.yml b/javascript/frameworks/xsjs/ext/qlpack.yml
index cc9208285..513a0e292 100644
--- a/javascript/frameworks/xsjs/ext/qlpack.yml
+++ b/javascript/frameworks/xsjs/ext/qlpack.yml
@@ -1,8 +1,8 @@
 ---
 library: true
 name: advanced-security/javascript-sap-xsjs-models
-version: 0.1.0
+version: 0.2.0
 extensionTargets:
- codeql/javascript-all: "^2.0.0"
+ codeql/javascript-all: "^2.4.0"
 dataExtensions:
 - "*.model.yml"
diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll
index c72639d20..07a8ef91b 100644
--- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll
+++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll
@@ -76,7 +76,7 @@ class TaintedPathSanitizerGuard extends TaintTracking::SanitizerGuardNode {
 TaintedPathSanitizerGuard() { this = this }
 override predicate sanitizes(boolean outcome, Expr receiver) {
- exists(TaintedPath::BarrierGuardNode node | node.blocks(outcome, receiver))
+ exists(TaintedPath::BarrierGuard node | node.blocksExpr(outcome, receiver))
 }
 }
diff --git a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
index 68a286eb2..c39c17fe3 100644
--- a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
+++ b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml
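Review bot: In the `sanitizes` override of `TaintedPathSanitizerGuard` (the XSJSZipSlipQuery.qll hunk), the quantified `node` is never related to `this`, and the characteristic predicate `this = this` admits every `SanitizerGuardNode`. As written, any guard node appears to sanitize `receiver` as soon as some `TaintedPath::BarrierGuard` blocks that expression, which looks broader than intended for a Zip Slip barrier and could suppress genuine path-traversal results. Binding the guard, for example `node = this and node.blocksExpr(outcome, receiver)`, would tie the sanitizer to the check that actually validates the path. The class still extends the legacy `TaintTracking::SanitizerGuardNode` while calling the newer `blocksExpr` API, so it is worth confirming against the pinned `codeql/javascript-all` that state-specific barrier guards are still covered. The class header lies outside the hunk, so this reading rests on the visible lines only.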
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/xsjs/lib/qlpack.yml b/javascript/frameworks/xsjs/lib/qlpack.yml index 405f80410..69b5f773d 100644 --- a/javascript/frameworks/xsjs/lib/qlpack.yml +++ b/javascript/frameworks/xsjs/lib/qlpack.yml @@ -1,8 +1,8 @@ --- library: true name: advanced-security/javascript-sap-xsjs-lib -version: 0.1.0 +version: 0.2.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" diff --git a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml @@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false 
diff --git a/javascript/frameworks/xsjs/src/qlpack.yml b/javascript/frameworks/xsjs/src/qlpack.yml index 97b9da71a..b49730dc8 100644 --- a/javascript/frameworks/xsjs/src/qlpack.yml +++ b/javascript/frameworks/xsjs/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false name: advanced-security/javascript-sap-xsjs-queries -version: 0.1.0 +version: 0.2.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" - advanced-security/javascript-sap-xsjs-models: "^0.1.0" - advanced-security/javascript-sap-xsjs-lib: "^0.1.0" + codeql/javascript-all: "^2.4.0" + advanced-security/javascript-sap-xsjs-models: "^0.2.0" + advanced-security/javascript-sap-xsjs-lib: "^0.2.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml @@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/xsjs/test/models/source/source.expected b/javascript/frameworks/xsjs/test/models/source/source.expected index 0d7daea2c..c9e916951 100644 --- a/javascript/frameworks/xsjs/test/models/source/source.expected +++ b/javascript/frameworks/xsjs/test/models/source/source.expected 
@@ -1,12 +1,24 @@
 | source.xsjs:42:24:42:54 | webRequ ... uffer() | Remote flow source of type: Remote flow |
+| source.xsjs:42:24:42:54 | webRequ ... uffer() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:43:24:43:49 | webRequ ... tring() | Remote flow source of type: Remote flow |
+| source.xsjs:43:24:43:49 | webRequ ... tring() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:44:24:44:53 | webRequ ... quest() | Remote flow source of type: Remote flow |
+| source.xsjs:44:24:44:53 | webRequ ... quest() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:46:24:46:54 | webRequ ... uffer() | Remote flow source of type: Remote flow |
+| source.xsjs:46:24:46:54 | webRequ ... uffer() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:47:24:47:49 | webRequ ... tring() | Remote flow source of type: Remote flow |
+| source.xsjs:47:24:47:49 | webRequ ... tring() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:48:24:48:53 | webRequ ... quest() | Remote flow source of type: Remote flow |
+| source.xsjs:48:24:48:53 | webRequ ... quest() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:52:25:52:44 | webRequestParam1.get | Remote flow source of type: Remote flow |
+| source.xsjs:52:25:52:44 | webRequestParam1.get | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:52:25:52:51 | webRequ ... ("key") | Remote flow source of type: Remote flow |
+| source.xsjs:52:25:52:51 | webRequ ...
("key") | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:53:25:53:44 | webRequestParam1.key | Remote flow source of type: Remote flow |
+| source.xsjs:53:25:53:44 | webRequestParam1.key | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:55:25:55:44 | webRequestParam2.get | Remote flow source of type: Remote flow |
+| source.xsjs:55:25:55:44 | webRequestParam2.get | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:55:25:55:51 | webRequ ... ("key") | Remote flow source of type: Remote flow |
+| source.xsjs:55:25:55:51 | webRequ ... ("key") | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.xsjs:56:25:56:44 | webRequestParam2.key | Remote flow source of type: Remote flow |
+| source.xsjs:56:25:56:44 | webRequestParam2.key | Remote flow source of type: Source node (remote) [from data-extension] |
diff --git a/javascript/frameworks/xsjs/test/qlpack.yml b/javascript/frameworks/xsjs/test/qlpack.yml
index db2dbc277..f0419bbcc 100644
--- a/javascript/frameworks/xsjs/test/qlpack.yml
+++ b/javascript/frameworks/xsjs/test/qlpack.yml
@@ -1,8 +1,8 @@
 ---
 name: advanced-security/javascript-sap-xsjs-tests
-version: 0.1.0
+version: 0.2.0
 extractor: javascript
 dependencies:
- codeql/javascript-all: "^2.0.0"
- advanced-security/javascript-sap-xsjs-queries: "^0.1.0"
- advanced-security/javascript-sap-xsjs-lib: "^0.1.0"
+ codeql/javascript-all: "^2.4.0"
+ advanced-security/javascript-sap-xsjs-queries: "^0.2.0"
+ advanced-security/javascript-sap-xsjs-lib: "^0.2.0"
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected
index 52be51fee..07e5fa02f 100644
--- a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected
+++ b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSReflectedXss.ql:15,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSReflectedXss.ql:17,28-46)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSReflectedXss.ql:17,55-73)
 nodes
 | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
 | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
@@ -46,4 +49,3 @@ edges
 | XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) |
 #select
 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | Reflected XSS vulnerability due to $@. | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | user-provided value |
-
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected b/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected
index f21f7745c..a5329f010 100644
--- a/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected
+++ b/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSSqlInjection.ql:15,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSSqlInjection.ql:17,28-46)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSSqlInjection.ql:17,55-73)
 nodes
 | XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 |
 | XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) |
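Review bot: Deprecation warnings for `PathGraph` and `PathNode` are being accepted into the test baseline by the three added `WARNING:` lines in the first hunk rather than fixed in the queries; the same three lines are added to the XSJSSqlInjection, XSJSUrlRedirect and XSJSZipSlip expected files. Each warning embeds a line and column range in the `.ql` file, so an edit that shifts the import or the `from` clause will fail these tests for reasons unrelated to results, and if a later library bump removes the deprecated names the reflected-XSS, SQL-injection, URL-redirect and zip-slip queries would presumably stop compiling. I would migrate the four queries to the module-based flow API in this same upgrade, e.g. `import <QueryFlow>::PathGraph` and `<QueryFlow>::PathNode`, where `<QueryFlow>` is a placeholder for a `TaintTracking::Global<...>` instantiation of each query's configuration, and then regenerate the expected files without the warnings. The query sources are not part of this diff, so the lines to change are inferred from the positions quoted in the warnings.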
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected b/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected
index 6bb93c75d..66673f61b 100644
--- a/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected
+++ b/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:15,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:17,28-46)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:17,55-73)
 nodes
 | XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue |
 | XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") |
diff --git a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected
index d1fde56d6..dea6e705c 100644
--- a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected
+++ b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSZipSlip.ql:15,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,28-46)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,55-73)
 nodes
 | XSJSZipSlip.xsjs:7:7:7:62 | zipArchive |
 | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) |
diff --git a/qlt.conf.json b/qlt.conf.json
index c59aec4fd..552911a55 100644
--- a/qlt.conf.json
+++ b/qlt.conf.json
@@ -1,5 +1,5 @@
 {
- "CodeQLCLI": "2.19.4",
- "CodeQLStandardLibrary": "codeql-cli/v2.19.4",
- "CodeQLCLIBundle": "codeql-bundle-v2.19.4"
+ "CodeQLCLI": "2.20.4",
+ "CodeQLStandardLibrary": "codeql-cli/v2.20.4",
+ "CodeQLCLIBundle": "codeql-bundle-v2.20.4"
 }
\ No newline at end of file