From 03392f5a8d699de4af00b7c1e700b493bd8a1d8d Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Tue, 11 Feb 2025 17:05:43 -0800 Subject: [PATCH 01/15] Bump `codeql/javascript-all` and fix breaking changes The old dataflow API was deprecated in 2.3.0. This deprecates the older APIs but immediately makes some APIs such as BarrierGuardNode.blocks invalid as they are renamed without the `deprecated` qualifier. --- javascript/frameworks/xsjs/ext/qlpack.yml | 2 +- .../frameworks/xsjs/XSJSZipSlipQuery.qll | 2 +- .../frameworks/xsjs/lib/codeql-pack.lock.yml | 22 ++++++++++--------- javascript/frameworks/xsjs/lib/qlpack.yml | 2 +- .../frameworks/xsjs/src/codeql-pack.lock.yml | 22 ++++++++++--------- javascript/frameworks/xsjs/src/qlpack.yml | 2 +- .../frameworks/xsjs/test/codeql-pack.lock.yml | 22 ++++++++++--------- javascript/frameworks/xsjs/test/qlpack.yml | 2 +- 8 files changed, 41 insertions(+), 35 deletions(-) diff --git a/javascript/frameworks/xsjs/ext/qlpack.yml b/javascript/frameworks/xsjs/ext/qlpack.yml index cc9208285..92063158a 100644 --- a/javascript/frameworks/xsjs/ext/qlpack.yml +++ b/javascript/frameworks/xsjs/ext/qlpack.yml @@ -3,6 +3,6 @@ library: true name: advanced-security/javascript-sap-xsjs-models version: 0.1.0 extensionTargets: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" dataExtensions: - "*.model.yml" diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll index c72639d20..c48445898 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll 
@@ -76,7 +76,7 @@ class TaintedPathSanitizerGuard extends TaintTracking::SanitizerGuardNode { TaintedPathSanitizerGuard() { this = this } override predicate sanitizes(boolean outcome, Expr receiver) { - exists(TaintedPath::BarrierGuardNode node | node.blocks(outcome, receiver)) + exists(TaintedPath::BarrierGuardNode node | node.blocksExpr(outcome, receiver)) } } diff --git a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/lib/codeql-pack.lock.yml @@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/xsjs/lib/qlpack.yml b/javascript/frameworks/xsjs/lib/qlpack.yml index 405f80410..5413f1023 100644 --- a/javascript/frameworks/xsjs/lib/qlpack.yml +++ b/javascript/frameworks/xsjs/lib/qlpack.yml @@ -5,4 +5,4 @@ version: 0.1.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" diff --git a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/xsjs/src/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/src/codeql-pack.lock.yml 
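Review bot: In the new `sanitizes` body the guard `node` is only existentially quantified and never equated with `this`, while the characteristic predicate `this = this` admits every candidate node, so any condition node is reported as sanitizing `receiver` as soon as some tainted-path barrier guard blocks that expression with the same `outcome`. That appears to over-approximate sanitization — an unrelated check dominating the zip-extraction sink could suppress a genuine path-traversal finding — so tie the guard to the node being asked: `exists(TaintedPath::BarrierGuardNode node | node = this and node.blocksExpr(outcome, receiver))` (both are `DataFlow::Node`s, so the equality should type-check). A one-line class comment such as `/** Re-exposes the standard library's tainted-path guards as sanitizer guards for this query's configuration. */` would also explain why the class exists. `TaintedPathSanitizerGuard` itself starts outside the hunk, and `TaintTracking::SanitizerGuardNode` is presumably part of the API this bump deprecates, so expect this spot to need another rewrite.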
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/xsjs/src/qlpack.yml b/javascript/frameworks/xsjs/src/qlpack.yml index 97b9da71a..15cd6caa9 100644 --- a/javascript/frameworks/xsjs/src/qlpack.yml +++ b/javascript/frameworks/xsjs/src/qlpack.yml @@ -5,7 +5,7 @@ version: 0.1.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-xsjs-models: "^0.1.0" advanced-security/javascript-sap-xsjs-lib: "^0.1.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/xsjs/test/codeql-pack.lock.yml +++ b/javascript/frameworks/xsjs/test/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/xsjs/test/qlpack.yml b/javascript/frameworks/xsjs/test/qlpack.yml index db2dbc277..4dd3acac5 100644 --- a/javascript/frameworks/xsjs/test/qlpack.yml +++ b/javascript/frameworks/xsjs/test/qlpack.yml @@ -3,6 +3,6 @@ name: advanced-security/javascript-sap-xsjs-tests version: 0.1.0 extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-xsjs-queries: "^0.1.0" advanced-security/javascript-sap-xsjs-lib: "^0.1.0" From 8c6ce4b816fa0bf38c63d72bcd348cd8eed01fa1 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Wed, 12 Feb 2025 08:50:47 -0800 Subject: [PATCH 02/15] Change `BarrierGuardNode` to `BarrierGuard` --- .../javascript/frameworks/xsjs/XSJSZipSlipQuery.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll index c48445898..07a8ef91b 100644 --- a/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll +++ b/javascript/frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSZipSlipQuery.qll 
@@ -76,7 +76,7 @@ class TaintedPathSanitizerGuard extends TaintTracking::SanitizerGuardNode { TaintedPathSanitizerGuard() { this = this } override predicate sanitizes(boolean outcome, Expr receiver) { - exists(TaintedPath::BarrierGuardNode node | node.blocksExpr(outcome, receiver)) + exists(TaintedPath::BarrierGuard node | node.blocksExpr(outcome, receiver)) } } From 75fc9b3560d37b85160e9b8bfea473f9f3bd6d0e Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Wed, 12 Feb 2025 09:16:33 -0800 Subject: [PATCH 03/15] Bump versions of CodeQL CLI in qlt.conf.json --- qlt.conf.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/qlt.conf.json b/qlt.conf.json index c59aec4fd..552911a55 100644 --- a/qlt.conf.json +++ b/qlt.conf.json @@ -1,5 +1,5 @@ { - "CodeQLCLI": "2.19.4", - "CodeQLStandardLibrary": "codeql-cli/v2.19.4", - "CodeQLCLIBundle": "codeql-bundle-v2.19.4" + "CodeQLCLI": "2.20.4", + "CodeQLStandardLibrary": "codeql-cli/v2.20.4", + "CodeQLCLIBundle": "codeql-bundle-v2.20.4" } \ No newline at end of file From 7e2c88d91fc28b1474b33b6db0e42e243a1b3980 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Wed, 12 Feb 2025 09:26:47 -0800 Subject: [PATCH 04/15] Remove UI5AMDModule This one caused a new non-monotonic recursion; it is not necessary at the moment since it is not used anywhere apart from a vacuous `import`. The AMD-style module system is already defined in UI5.qll as abstract class `UserModule`; so deleting this won't break the rest of the UI5 queries. --- .../frameworks/ui5/UI5AMDModule.qll | 387 ------------------ .../frameworks/ui5/dataflow/DataFlow.qll | 1 - 2 files changed, 388 deletions(-) delete mode 100644 javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll 
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll deleted file mode 100644 index 07a0f9041..000000000 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5AMDModule.qll +++ /dev/null 
@@ -1,387 +0,0 @@ -/** - * Provides classes for working with - * [Asynchronous Module Definitions](https://github.com/amdjs/amdjs-api/wiki/AMD). - */ - -import javascript -private import semmle.javascript.internal.CachedStages -private import Expressions.ExprHasNoEffect - -/** - * A IU5 `declare`/`require` call using jQuery. - * - * Example: - * - * ``` - * √("codeql-sap-js.control.xss"); - * - * The first argument is a dependency. - * ``` - */ -abstract class SapJQueryModuleDefinition extends CallExpr { - SapJQueryModuleDefinition() { - inVoidContext(this) and - this.getReceiver().(PropAccess).getQualifiedName() = "jQuery.sap" - } -} - -/** - * `jQuery.sap.declare` call - */ -class SapJQueryDefine extends SapJQueryModuleDefinition { - SapJQueryDefine() { this.getCalleeName() = "declare" } -} - -/** - * `jQuery.sap.require` call - */ -class SapJQueryRequire extends SapJQueryModuleDefinition { - SapJQueryRequire() { this.getCalleeName() = "require" } -} - -/** - * An AMD `define`/`require` call. - * - * Example: - * - * ``` - * sap.ui.define(['fs', 'express'], function(fs, express) { - * ... - * }); - * ``` - * - * The first argument is an (optional) array of dependencies, - * the second a factory method or object. - * - * We also recognize the three-argument form `define('m', ['fs', 'express'], ...)` - * where the first argument is the module name, the second argument an - * array of dependencies, and the third argument a factory method or object. - */ -abstract class SapAmdModuleDefinition extends CallExpr { - SapAmdModuleDefinition() { - inVoidContext(this) and - exists(int n | n = this.getNumArgument() | - n = 1 - or - n = 2 and this.getArgument(0) instanceof ArrayExpr - or - n = 3 and - this.getArgument(0) instanceof ConstantString and - this.getArgument(1) instanceof ArrayExpr - ) - } - - /** Gets the array of module dependencies, if any. 
*/ - ArrayExpr getDependencies() { - result = this.getArgument(0) or - result = this.getArgument(1) - } - - /** Gets the `i`th dependency of this module definition. */ - PathExpr getDependency(int i) { result = this.getDependencies().getElement(i) } - - /** Gets a dependency of this module definition. */ - PathExpr getADependency() { - result = this.getDependency(_) or - result = this.getARequireCall().getAnArgument() - } - - /** - * Gets a data flow node containing the factory value of this module definition. - */ - pragma[nomagic] - DataFlow::SourceNode getFactoryNode() { - result = this.getFactoryNodeInternal() and - result instanceof DataFlow::ValueNode - } - - private DataFlow::Node getFactoryNodeInternal() { - // To avoid recursion, this should not depend on `SourceNode`. - result = DataFlow::valueNode(this.getLastArgument()) or - result = this.getFactoryNodeInternal().getAPredecessor() - } - - /** Gets the expression defining this module. */ - Expr getModuleExpr() { - exists(DataFlow::Node f | f = this.getFactoryNode() | - if f instanceof DataFlow::FunctionNode - then - exists(ReturnStmt ret | ret.getContainer() = f.(DataFlow::FunctionNode).getAstNode() | - result = ret.getExpr() - ) - else result = f.asExpr() - ) - } - - /** Gets a source node whose value becomes the definition of this module. */ - DataFlow::SourceNode getAModuleSource() { result.flowsToExpr(this.getModuleExpr()) } - - /** - * Holds if `p` is the parameter corresponding to dependency `dep`. - */ - predicate dependencyParameter(PathExpr dep, Parameter p) { - exists(int i | - dep = this.getDependency(i) and - p = this.getFactoryParameter(i) - ) - } - - /** - * Gets the parameter corresponding to dependency `name`. - * - * For instance, in the module definition - * - * ``` - * define(['dep1', 'dep2'], function(pdep1, pdep2) { ... }) - * ``` - * - * parameters `pdep1` and `pdep2` correspond to dependencies - * `dep1` and `dep2`. 
- */ - Parameter getDependencyParameter(string name) { - exists(PathExpr dep | - this.dependencyParameter(dep, result) and - dep.getValue() = name - ) - } - - /** - * Gets the `i`th parameter of the factory function of this module. - */ - private Parameter getFactoryParameter(int i) { - this.getFactoryNodeInternal().asExpr().(Function).getParameter(i) = result - } - - /** - * Gets the parameter corresponding to the pseudo-dependency `require`. - */ - Parameter getRequireParameter() { - result = this.getDependencyParameter("require") - or - // if no dependencies are listed, the first parameter is assumed to be `require` - not exists(this.getDependencies()) and result = this.getFactoryParameter(0) - } - - pragma[noinline] - private Variable getRequireVariable() { result = this.getRequireParameter().getVariable() } - - /** - * Gets the parameter corresponding to the pseudo-dependency `exports`. - */ - Parameter getExportsParameter() { - result = this.getDependencyParameter("exports") - or - // if no dependencies are listed, the second parameter is assumed to be `exports` - not exists(this.getDependencies()) and result = this.getFactoryParameter(1) - } - - /** - * Gets the parameter corresponding to the pseudo-dependency `module`. - */ - Parameter getModuleParameter() { - result = this.getDependencyParameter("module") - or - // if no dependencies are listed, the third parameter is assumed to be `module` - not exists(this.getDependencies()) and result = this.getFactoryParameter(2) - } - - /** - * Gets an abstract value representing one or more values that may flow - * into this module's `module.exports` property. 
- */ - DefiniteAbstractValue getAModuleExportsValue() { - result = [this.getAnImplicitExportsValue(), this.getAnExplicitExportsValue()] - } - - pragma[noinline, nomagic] - private AbstractValue getAnImplicitExportsValue() { - // implicit exports: anything that is returned from the factory function - result = this.getModuleExpr().analyze().getAValue() - } - - pragma[noinline] - private AbstractValue getAnExplicitExportsValue() { - // explicit exports: anything assigned to `module.exports` - exists(AbstractProperty moduleExports, SapAmdModule m | - this = m.getDefine() and - moduleExports.getBase().(AbstractModuleObject).getModule() = m and - moduleExports.getPropertyName() = "exports" - | - result = moduleExports.getAValue() - ) - } - - /** - * Gets a call to `require` inside this module. - */ - CallExpr getARequireCall() { - result.getCallee().getUnderlyingValue() = this.getRequireVariable().getAnAccess() - } -} - -/** - * `sap.ui.define` call - */ -class SapUiDefine extends SapAmdModuleDefinition { - SapUiDefine() { - this.getReceiver().(PropAccess).getQualifiedName() = "sap.ui" and - this.getCalleeName() = "define" - } -} - -/** - * `sap.ui.require` call - */ -class SapUiRequire extends SapAmdModuleDefinition { - SapUiRequire() { - this.getReceiver().(PropAccess).getQualifiedName() = "sap.ui" and - this.getCalleeName() = "require" - } -} - -/** An UI5 dependency, considered as a path expression. */ -private class SapAmdDependencyPath extends PathExprCandidate { - SapAmdDependencyPath() { - exists(SapAmdModuleDefinition amd | - this = amd.getDependencies().getAnElement() or - this = amd.getARequireCall().getAnArgument() - ) - } -} - -/** A constant path element appearing in an AMD dependency expression. 
*/ -private class ConstantAmdDependencyPathElement extends PathExpr, ConstantString { - ConstantAmdDependencyPathElement() { this = any(SapAmdDependencyPath amd).getAPart() } - - override string getValue() { result = this.getStringValue() } -} - -/** - * Holds if `nd` is nested inside an AMD module definition. - */ -private predicate inAmdModuleDefinition(AstNode nd) { - nd.getParent() instanceof SapAmdModuleDefinition - or - inAmdModuleDefinition(nd.getParent()) -} - -/** - * Holds if `def` is an AMD module definition in `tl` which is not - * nested inside another module definition. - */ -private predicate amdModuleTopLevel(SapAmdModuleDefinition def, TopLevel tl) { - def.getTopLevel() = tl and - not inAmdModuleDefinition(def) -} - -/** - * An AMD dependency, viewed as an import. - */ -private class SapAmdDependencyImport extends Import { - SapAmdDependencyImport() { this = any(SapAmdModuleDefinition def).getADependency() } - - override Module getEnclosingModule() { this = result.(SapAmdModule).getDefine().getADependency() } - - override PathExpr getImportedPath() { result = this } - - /** - * Gets a file that looks like it might be the target of this import. - * - * Specifically, we look for files whose absolute path ends with the imported path, possibly - * adding well-known JavaScript file extensions like `.js`. - */ - private File guessTarget() { - exists(PathString imported, string abspath, string dirname, string basename | - this.targetCandidate(result, abspath, imported, dirname, basename) - | - abspath.regexpMatch(".*/\\Q" + imported + "\\E") - or - exists(Folder dir | - // `dir` ends with the dirname of the imported path - dir.getAbsolutePath().regexpMatch(".*/\\Q" + dirname + "\\E") or - dirname = "" - | - result = dir.getJavaScriptFile(basename) - ) - ) - } - - /** - * Holds if `f` is a file whose stem (that is, basename without extension) matches the imported path. 
- * - * Additionally, `abspath` is bound to the absolute path of `f`, `imported` to the imported path, and - * `dirname` and `basename` to the dirname and basename (respectively) of `imported`. - */ - private predicate targetCandidate( - File f, string abspath, PathString imported, string dirname, string basename - ) { - imported = this.getImportedPath().getValue() and - f.getStem() = imported.getStem() and - f.getAbsolutePath() = abspath and - dirname = imported.getDirName() and - basename = imported.getBaseName() - } - - /** - * Gets the module whose absolute path matches this import, if there is only a single such module. - */ - private Module resolveByAbsolutePath() { - result.getFile() = unique(File file | file = this.guessTarget()) - } - - override Module getImportedModule() { - result = super.getImportedModule() - or - not exists(super.getImportedModule()) and - result = this.resolveByAbsolutePath() - } - - override DataFlow::Node getImportedModuleNode() { - exists(Parameter param | - any(SapAmdModuleDefinition def).dependencyParameter(this, param) and - result = DataFlow::parameterNode(param) - ) - } -} - -/** - * An AMD-style module. - * - * Example: - * - * ``` - * define(['fs', 'express'], function(fs, express) { - * ... - * }); - * ``` - */ -class SapAmdModule extends Module { - cached - SapAmdModule() { - Stages::DataFlowStage::ref() and - exists(unique(SapAmdModuleDefinition def | amdModuleTopLevel(def, this))) - } - - /** Gets the definition of this module. 
*/ - SapAmdModuleDefinition getDefine() { amdModuleTopLevel(result, this) } - - override DataFlow::Node getAnExportedValue(string name) { - exists(DataFlow::PropWrite pwn | result = pwn.getRhs() | - pwn.getBase().analyze().getAValue() = this.getDefine().getAModuleExportsValue() and - name = pwn.getPropertyName() - ) - } - - override DataFlow::Node getABulkExportedNode() { - // Assigned to `module.exports` via the factory's `module` parameter - exists(AbstractModuleObject m, DataFlow::PropWrite write | - m.getModule() = this and - write.getPropertyName() = "exports" and - write.getBase().analyze().getAValue() = m and - result = write.getRhs() - ) - or - // Returned from factory function - result = this.getDefine().getModuleExpr().flow() - } -} diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll index 17552cc87..ffba729d3 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/DataFlow.qll @@ -2,7 +2,6 @@ import javascript import semmle.javascript.dataflow.DataFlow as StdLibDataFlow import advanced_security.javascript.frameworks.ui5.UI5 import advanced_security.javascript.frameworks.ui5.UI5View -import advanced_security.javascript.frameworks.ui5.UI5AMDModule import advanced_security.javascript.frameworks.ui5.RemoteFlowSources import advanced_security.javascript.frameworks.ui5.dataflow.FlowSteps private import StdLibDataFlow::DataFlow::PathGraph as DataFlowPathGraph From bac7b718dc59359f7ebc51c87438eb4ed3eb9968 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Thu, 13 Feb 2025 17:07:46 -0800 Subject: [PATCH 05/15] Change `SapAmdModuleDefinition` to `SapDefineModule` --- .../javascript/frameworks/ui5/UI5XssQuery.qll | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll index 1d9f2f04c..4f0079905 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll @@ -40,10 +40,10 @@ class Configuration extends DomBasedXss::Configuration { node = any(PropertyMetadata m | not m.isUnrestrictedStringType()) or /* 3-1. Sanitizers provided by `sap.base.security` */ - exists(SapAmdModuleDefinition d, DataFlow::ParameterNode par | + exists(SapDefineModule d, DataFlow::ParameterNode par | node = par.getACall() and - par.getParameter() = - d.getDependencyParameter("sap/base/security/" + + par = + d.getRequiredObject("sap/base/security/" + ["encodeCSS", "encodeJS", "encodeURL", "encodeURLParameters", "encodeXML"]) ) or From 1770d2397715fa3f178a5539fa203da93b92e286 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Thu, 13 Feb 2025 19:02:46 -0800 Subject: [PATCH 06/15] Upgrade dataflow library of UI5 to 2.4.0 --- javascript/frameworks/ui5/ext/qlpack.yml | 2 +- .../frameworks/ui5/lib/codeql-pack.lock.yml | 22 ++++++++------- javascript/frameworks/ui5/lib/qlpack.yml | 2 +- .../frameworks/ui5/src/codeql-pack.lock.yml | 22 ++++++++------- javascript/frameworks/ui5/src/qlpack.yml | 2 +- .../frameworks/ui5/test/codeql-pack.lock.yml | 28 ++++++++++--------- javascript/frameworks/ui5/test/qlpack.yml | 2 +- 7 files changed, 43 insertions(+), 37 deletions(-) diff --git a/javascript/frameworks/ui5/ext/qlpack.yml b/javascript/frameworks/ui5/ext/qlpack.yml index 0d67eb13c..bb6ece987 100644 --- a/javascript/frameworks/ui5/ext/qlpack.yml +++ b/javascript/frameworks/ui5/ext/qlpack.yml 
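Review bot: `par` keeps its `DataFlow::ParameterNode` declaration on the new side although it is now bound by `d.getRequiredObject(...)` instead of `getDependencyParameter`; if `getRequiredObject` (not visible here) can also yield a node that is not a factory-function parameter, those encoder references silently fall out of the sanitizer set and encoded values get reported as unsanitized. Declaring it as whatever `getRequiredObject` returns — likely `DataFlow::SourceNode par` — preserves the old intent without narrowing it. A caveat comment is also worth adding, since all five `sap/base/security` encoders are accepted as sanitizers for every DOM-XSS sink irrespective of the sink's context, which this hunk inherits from the old code: `// NOTE: context-insensitive; encodeJS/encodeCSS/encodeURL output is not HTML-safe, so an HTML sink fed by one of them is still treated as sanitized`. The enclosing predicate and the `Configuration` class start and end outside the hunk.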
@@ -3,6 +3,6 @@ library: true name: advanced-security/javascript-sap-ui5-models version: 0.6.0 extensionTargets: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" dataExtensions: - "*.model.yml" diff --git a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/ui5/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/lib/codeql-pack.lock.yml @@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/ui5/lib/qlpack.yml b/javascript/frameworks/ui5/lib/qlpack.yml index 3f0108f2b..ccfafb757 100644 --- a/javascript/frameworks/ui5/lib/qlpack.yml +++ b/javascript/frameworks/ui5/lib/qlpack.yml @@ -5,5 +5,5 @@ version: 0.6.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-ui5-models: "^0.6.0" diff --git a/javascript/frameworks/ui5/src/codeql-pack.lock.yml b/javascript/frameworks/ui5/src/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/ui5/src/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/src/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/ui5/src/qlpack.yml b/javascript/frameworks/ui5/src/qlpack.yml index f3177ee29..397ef56a1 100644 --- a/javascript/frameworks/ui5/src/qlpack.yml +++ b/javascript/frameworks/ui5/src/qlpack.yml @@ -5,7 +5,7 @@ version: 0.6.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-ui5-models: "^0.6.0" advanced-security/javascript-sap-ui5-all: "^0.6.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/ui5/test/codeql-pack.lock.yml b/javascript/frameworks/ui5/test/codeql-pack.lock.yml index 2c0c0a331..9dd6c6365 100644 --- a/javascript/frameworks/ui5/test/codeql-pack.lock.yml +++ b/javascript/frameworks/ui5/test/codeql-pack.lock.yml 
@@ -2,29 +2,31 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/javascript-queries: - version: 1.2.0 + version: 1.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 codeql/suite-helpers: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/typos: - version: 1.0.8 + version: 1.0.16 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index b82fefbd4..c88e2fc75 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml @@ -2,7 +2,7 @@ name: advanced-security/javascript-sap-ui5-queries-tests version: 0.6.0 extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" codeql/javascript-queries: "^1.2.0" advanced-security/javascript-sap-ui5-queries: "^0.6.0" advanced-security/javascript-sap-ui5-models: "^0.6.0" From 29a44fb1df1ccb3a3d3d60b45b6fc815d3febd92 Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Fri, 14 Feb 2025 13:14:03 -0800 Subject: [PATCH 07/15] Bump javascript-all in CAP's qlpacks --- javascript/frameworks/cap/ext/qlpack.yml | 2 +- .../frameworks/cap/lib/codeql-pack.lock.yml | 22 ++++++++++--------- javascript/frameworks/cap/lib/qlpack.yml | 2 +- .../frameworks/cap/src/codeql-pack.lock.yml | 22 ++++++++++--------- javascript/frameworks/cap/src/qlpack.yml | 2 +- .../frameworks/cap/test/codeql-pack.lock.yml | 22 ++++++++++--------- javascript/frameworks/cap/test/qlpack.yml | 2 +- 7 files changed, 40 insertions(+), 34 deletions(-) 
diff --git a/javascript/frameworks/cap/ext/qlpack.yml b/javascript/frameworks/cap/ext/qlpack.yml index 6626ed7c3..f00c4b455 100644 --- a/javascript/frameworks/cap/ext/qlpack.yml +++ b/javascript/frameworks/cap/ext/qlpack.yml @@ -3,4 +3,4 @@ library: true name: advanced-security/javascript-sap-cap-models version: 0.3.0 extensionTargets: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" diff --git a/javascript/frameworks/cap/lib/codeql-pack.lock.yml b/javascript/frameworks/cap/lib/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/cap/lib/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/lib/codeql-pack.lock.yml @@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/cap/lib/qlpack.yml b/javascript/frameworks/cap/lib/qlpack.yml index 2c46de1df..9ab1d2636 100644 --- a/javascript/frameworks/cap/lib/qlpack.yml +++ b/javascript/frameworks/cap/lib/qlpack.yml @@ -5,5 +5,5 @@ version: 0.3.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-cap-models: "^0.3.0" diff --git a/javascript/frameworks/cap/src/codeql-pack.lock.yml b/javascript/frameworks/cap/src/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/cap/src/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/src/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml index 5244626b4..b022fc717 100644 --- a/javascript/frameworks/cap/src/qlpack.yml +++ b/javascript/frameworks/cap/src/qlpack.yml @@ -5,7 +5,7 @@ version: 0.3.0 suites: codeql-suites extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-cap-models: "^0.3.0" advanced-security/javascript-sap-cap-all: "^0.3.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/cap/test/codeql-pack.lock.yml b/javascript/frameworks/cap/test/codeql-pack.lock.yml index 68a286eb2..c39c17fe3 100644 --- a/javascript/frameworks/cap/test/codeql-pack.lock.yml +++ b/javascript/frameworks/cap/test/codeql-pack.lock.yml 
@@ -2,23 +2,25 @@ lockVersion: 1.0.0 dependencies: codeql/dataflow: - version: 1.1.2 - codeql/javascript-all: version: 2.0.0 + codeql/javascript-all: + version: 2.4.0 codeql/mad: - version: 1.0.8 + version: 1.0.16 codeql/regex: - version: 1.0.8 + version: 1.0.16 codeql/ssa: - version: 1.0.8 + version: 1.0.16 + codeql/threat-models: + version: 1.0.16 codeql/tutorial: - version: 1.0.8 + version: 1.0.16 codeql/typetracking: - version: 1.0.8 + version: 2.0.0 codeql/util: - version: 1.0.8 + version: 2.0.3 codeql/xml: - version: 1.0.8 + version: 1.0.16 codeql/yaml: - version: 1.0.8 + version: 1.0.16 compiled: false diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml index 453876558..6d7db3378 100644 --- a/javascript/frameworks/cap/test/qlpack.yml +++ b/javascript/frameworks/cap/test/qlpack.yml @@ -3,7 +3,7 @@ name: advanced-security/javascript-sap-cap-queries-tests version: 0.3.0 extractor: javascript dependencies: - codeql/javascript-all: "^2.0.0" + codeql/javascript-all: "^2.4.0" advanced-security/javascript-sap-cap-queries: "^0.3.0" advanced-security/javascript-sap-cap-models: "^0.3.0" advanced-security/javascript-sap-cap-all: "^0.3.0" From 5aaadd6a9bbb16e1f6b424061df9ca655bef3503 Mon Sep 17 00:00:00 2001 
From: Jeongsoo Lee Date: Fri, 14 Feb 2025 17:00:54 -0800 Subject: [PATCH 08/15] Make `SapDefineModule` extend `AmdModuleDefinition::Range` and update the expected results `SapDefineModule` in its previous form did not extend `AmdModuleDefinition::Range`, which in turn extends the standard library's `Module` that enables its subclasses to be identified with MaD definitions. The reason the queries have been working was thanks to `UI5AMDModule.qll`, which provided a `SapAmdModule` class extending the `Module` class directly. The problem was that `SapAmdModule` copy-pasted and only slightly modified the `AMD.qll` in the standard library, so it was out of sync with its standard library counterpart when the DataFlow library behind it was overhauled to have a new API. It was causing the majority of the problems when the `qlpack.yml`s were updated with the latest DataFlow API and the `SapAmdModule` failed to play nicely with the updated library modules, emitting new non-monotonic recursion errors. Therefore, this commit makes the `SapDefineModule` in `UI5.qll` extend `AmdModuleDefinition::Range` and removes the outdated `SapAmdModule`. `SapDefineModule`s are AMD-style modules defined with `sap.ui.define` or `sap.ui.require` function calls that augment the global AMD `define` function with the capability of extending another such module. 
--- .../frameworks/ui5/RemoteFlowSources.qll | 4 +- .../javascript/frameworks/ui5/UI5.qll | 155 ++++++++++-------- .../ui5/UI5FormulaInjectionQuery.qll | 4 +- .../javascript/frameworks/ui5/UI5XssQuery.qll | 5 +- .../frameworks/ui5/dataflow/FlowSteps.qll | 1 - .../ui5/test/models/sink/pathSinkTest.ql | 6 +- .../test/models/source/sourceTest.expected | 28 ++++ .../LogInjection.expected | 101 +++++------- .../UI5LogInjection.expected | 1 + .../UI5LogInjection.expected | 1 + .../UI5LogInjection.expected | 1 + .../UI5LogInjection.expected | 1 + .../UI5UnsafeLogAccess.expected | 1 + .../UI5LogInjection.expected | 1 + .../UI5LogsToHttp.expected | 1 + .../UI5UnsafeLogAccess.expected | 1 + .../UI5LogInjection.expected | 1 + .../UI5PathInjection.expected | 1 + .../UI5PathInjection.expected | 1 + .../UI5PathInjection.expected | 1 + .../avoid-duplicate-alerts/Xss.expected | 88 ++++------ 21 files changed, 208 insertions(+), 196 deletions(-) diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll index f427bc9b3..858697bfa 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll @@ -83,8 +83,8 @@ class ODataServiceModel extends UI5ExternalModel { this instanceof NewNode and ( exists(RequiredObject oDataModel | - oDataModel.flowsTo(this.getCalleeNode()) and - oDataModel.getDependencyType() = "sap/ui/model/odata/v2/ODataModel" + oDataModel.asSourceNode().flowsTo(this.getCalleeNode()) and + oDataModel.getDependency() = "sap/ui/model/odata/v2/ODataModel" ) or this.getCalleeName() = "ODataModel" 
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll index aeda179ed..8c1e9482e 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll @@ -138,8 +138,8 @@ class Loader extends CallNode { /** * A user-defined module through `sap.ui.define` or `jQuery.sap.declare`. */ -abstract class UserModule extends InvokeNode { - abstract string getADependencyType(); +abstract class UserModule extends CallExpr { + abstract string getADependency(); abstract string getModuleFileRelativePath(); 
@@ -150,34 +150,44 @@ abstract class UserModule extends InvokeNode { * A user-defined module through `sap.ui.define`. * https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui%23methods/sap.ui.define */ -class SapDefineModule extends CallNode, UserModule { - SapDefineModule() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("define") } +class SapDefineModule extends AmdModuleDefinition::Range, MethodCallExpr, UserModule { + SapDefineModule() { + /* + * NOTE: This only matches a call to the dot expression `sap.ui.define`, and does not consider a flow among `sap`, `ui`, and `define`. + */ - override string getADependencyType() { result = this.getDependencyType(_) } + exists(GlobalVarAccess sap, DotExpr sapUi, DotExpr sapUiDefine | + sap.getName() = "sap" and + sapUi.getBase() = sap and + sapUi.getPropertyName() = "ui" and + this.getReceiver() = sapUiDefine + // and this.getMethodName() = "define" + ) + } - override string getModuleFileRelativePath() { result = this.getFile().getRelativePath() } + string getDependency(int i) { result = this.(AmdModuleDefinition).getDependency(i).getValue() } - string getDependencyType(int i) { - result = this.getArgument(0).getALocalSource().(ArrayLiteralNode).getElement(i).getStringValue() - } + override string getADependency() { result = this.getDependency(_) } - override RequiredObject getRequiredObject(string dependencyType) { - exists(int i | - this.getDependencyType(i) = dependencyType and - result = this.getArgument(1).getALocalSource().(FunctionNode).getParameter(i) - ) + override string getModuleFileRelativePath() { result = this.getFile().getRelativePath() } + + override RequiredObject getRequiredObject(string name) { + result = this.(AmdModuleDefinition).getDependencyParameter(name) } WebApp getWebApp() { this.getFile() = result.getAResource() } - SapDefineModule getExtendingDefine() { - exists(Extension baseExtension, Extension subclassExtension, SapDefineModule subclassDefine | - baseExtension.getDefine() = 
this and - subclassDefine = subclassExtension.getDefine() and - any(RequiredObject module_ | - module_ = subclassDefine.getRequiredObject(baseExtension.getName().replaceAll(".", "/")) - ).flowsTo(subclassExtension.getReceiver()) and - result = subclassDefine + /** + * Gets the module defined with sap.ui.define that imports and extends this module. + */ + SapDefineModule getExtendingModule() { + exists(SapExtendCall baseExtendCall, SapExtendCall subclassExtendCall | + baseExtendCall.getDefine() = this and + result = subclassExtendCall.getDefine() and + result + .getRequiredObject(baseExtendCall.getName().replaceAll(".", "/")) + .asSourceNode() + .flowsTo(subclassExtendCall.getReceiver()) ) } } 
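Review bot: The rewritten `SapDefineModule` characteristic predicate never relates `sapUiDefine` to `sapUi`, and the method-name check is commented out, so `this.getReceiver() = sapUiDefine` holds for any method call whose receiver is a `DotExpr`, provided some `sap.ui` access exists anywhere in the database; that is far broader than the `sap.ui.define` call the class documents, and broader than the old `getAMethodCall("define")` form it replaces. The existential should constrain this call itself, e.g. `this.getReceiver() = sapUi and this.getMethodName() = "define"` with the unused `sapUiDefine` dropped, or `this.getMethodName() = ["define", "require"]` if `sap.ui.require` is meant to be covered as the commit message suggests. Because this class is now an `AmdModuleDefinition::Range`, the over-match also feeds every downstream predicate that resolves dependencies through `getDependencyParameter`, so the test expectations updated in this commit would not catch it. The `NOTE` comment would also read better placed directly above `exists(` rather than separated from it by a blank line.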
@@ -194,29 +204,27 @@ class JQuerySap extends DataFlow::SourceNode { /** * A user-defined module through `jQuery.sap.declare`. */ -class JQueryDefineModule extends UserModule, DataFlow::MethodCallNode { - JQueryDefineModule() { exists(JQuerySap jquerySap | jquerySap.flowsTo(this.getReceiver())) } +class JQueryDefineModule extends UserModule, MethodCallExpr { + JQueryDefineModule() { exists(JQuerySap jquerySap | jquerySap.asExpr() = this.getReceiver()) } - override string getADependencyType() { - result = this.getArgument(0).asExpr().(StringLiteral).getValue() - } + override string getADependency() { result = this.getArgument(0).getStringValue() } override string getModuleFileRelativePath() { result = this.getFile().getRelativePath() } - /** WARNING: toString() Hack! */ + /* WARNING: toString() Hack! */ override RequiredObject getRequiredObject(string dependencyType) { result.toString() = dependencyType and - this.getADependencyType() = dependencyType + this.getADependency() = dependencyType } } -private RequiredObject sapControl(TypeTracker t) { +private SourceNode sapControl(TypeTracker t) { t.start() and exists(UserModule d, string dependencyType | dependencyType = ["sap/ui/core/Control", "sap.ui.core.Control"] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapControl(t2).track(t2, t)) @@ -229,8 +237,8 @@ private SourceNode sapController(TypeTracker t) { exists(UserModule d, string dependencyType | dependencyType = ["sap/ui/core/mvc/Controller", "sap.ui.core.mvc.Controller"] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapController(t2).track(t2, t)) 
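Review bot: `JQueryDefineModule()` now requires `jquerySap.asExpr() = this.getReceiver()`, a syntactic identity, where the previous form used `flowsTo`; a `declare` call whose receiver reaches it through a local alias of `jQuery.sap` no longer qualifies, which in turn shrinks what `sapControl`, `sapController` and the other `UserModule`-based trackers in this file can see. If that narrowing is not intended, `JQueryDefineModule() { exists(JQuerySap jquerySap | jquerySap.flowsTo(this.getReceiver().flow())) }` keeps the old behaviour on the new `MethodCallExpr` base. Either way a one-line comment stating whether aliased receivers are deliberately excluded would stop the next reader from re-widening it by accident.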
@@ -243,8 +251,8 @@ private SourceNode sapRenderer(TypeTracker t) { exists(UserModule d, string dependencyType | dependencyType = ["sap/ui/core/Renderer", "sap.ui.core.Renderer"] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapController(t2).track(t2, t)) @@ -252,7 +260,7 @@ private SourceNode sapRenderer(TypeTracker t) { private SourceNode sapRenderer() { result = sapRenderer(TypeTracker::end()) } -private class Renderer extends Extension { +private class Renderer extends SapExtendCall { Renderer() { this.getReceiver().getALocalSource() = sapRenderer() } FunctionNode getRenderer() { @@ -264,10 +272,10 @@ private class Renderer extends Extension { } } -class CustomControl extends Extension { +class CustomControl extends SapExtendCall { CustomControl() { this.getReceiver().getALocalSource() = sapControl() or - exists(SapDefineModule sapModule | this.getDefine() = sapModule.getExtendingDefine()) + exists(SapDefineModule sapModule | this.getDefine() = sapModule.getExtendingModule()) } CustomController getController() { this = result.getAControlReference().getDefinition() } @@ -436,7 +444,7 @@ class ControllerReference extends Reference { CustomController getDefinition() { result = viewReference.getDefinition().getController() } } -class CustomController extends Extension { +class CustomController extends SapExtendCall { string name; CustomController() { @@ -775,8 +783,8 @@ private SourceNode sapComponent(TypeTracker t) { "sap.ui.core.UIComponent" ] | - d.getADependencyType() = dependencyType and - result = d.getRequiredObject(dependencyType) + d.getADependency() = dependencyType and + result = d.getRequiredObject(dependencyType).asSourceNode() ) or exists(TypeTracker t2 | result = sapComponent(t2).track(t2, t)) 
@@ -789,7 +797,7 @@ import ManifestJson /** * A UI5 Component that may contain other controllers or controls. */ -class Component extends Extension { +class Component extends SapExtendCall { Component() { this.getReceiver().getALocalSource() = sapComponent() } string getId() { result = this.getName().regexpCapture("([a-zA-Z0-9.]+).Component", 1) } @@ -1086,8 +1094,8 @@ class JsonModel extends UI5InternalModel { this instanceof NewNode and ( exists(RequiredObject jsonModel | - jsonModel.flowsTo(this.getCalleeNode()) and - jsonModel.getDependencyType() = "sap/ui/model/json/JSONModel" + jsonModel.asSourceNode().flowsTo(this.getCalleeNode()) and + jsonModel.getDependency() = "sap/ui/model/json/JSONModel" ) or /* Fallback */ @@ -1197,8 +1205,8 @@ class XmlModel extends UI5InternalModel { XmlModel() { this instanceof NewNode and exists(RequiredObject xmlModel | - xmlModel.flowsTo(this.getCalleeNode()) and - xmlModel.getDependencyType() = "sap/ui/model/xml/XMLModel" + xmlModel.asSourceNode().flowsTo(this.getCalleeNode()) and + xmlModel.getDependency() = "sap/ui/model/xml/XMLModel" ) } 
@@ -1234,31 +1242,34 @@ class ResourceModel extends UI5Model, ModelReference { } class BindingMode extends RequiredObject { - BindingMode() { this.getDependencyType() = "sap/ui/model/BindingMode" } + BindingMode() { this.getDependency() = "sap/ui/model/BindingMode" } - PropRead getOneWay() { result = this.getAPropertyRead("OneWay") } + PropRead getOneWay() { result = this.asSourceNode().getAPropertyRead("OneWay") } - PropRead getTwoWay() { result = this.getAPropertyRead("TwoWay") } + PropRead getTwoWay() { result = this.asSourceNode().getAPropertyRead("TwoWay") } - PropRead getDefault() { result = this.getAPropertyRead("Default") } + PropRead getDefault_() { result = this.asSourceNode().getAPropertyRead("Default") } - PropRead getOneTime() { result = this.getAPropertyRead("OneTime") } + PropRead getOneTime() { result = this.asSourceNode().getAPropertyRead("OneTime") } } -class RequiredObject extends SourceNode { +class RequiredObject extends Expr { RequiredObject() { exists(SapDefineModule sapDefineModule | - this = sapDefineModule.getArgument(1).getALocalSource().(FunctionNode).getParameter(_) + this = sapDefineModule.getArgument(1).(Function).getParameter(_) ) or exists(JQueryDefineModule jQueryDefineModule | - this.toString() = - jQueryDefineModule.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() + /* WARNING: toString() Hack! */ + this.toString() = jQueryDefineModule.getArgument(0).(StringLiteral).getValue() ) } - UserModule getDefiningModule() { result.getArgument(1).(FunctionNode).getParameter(_) = this } + pragma[inline] + SourceNode asSourceNode() { result = this.flow() } + + UserModule getDefiningModule() { result.getArgument(1).(Function).getParameter(_) = this } - string getDependencyType() { + string getDependency() { exists(SapDefineModule module_ | this = module_.getRequiredObject(result)) } } 
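Review bot: `BindingMode.getDefault()` is renamed to `getDefault_()` without a comment explaining the trailing underscore, and the rename is a public API change that any query reading the `Default` binding mode must follow. If it exists to avoid a clash with a predicate that `RequiredObject` now inherits from `Expr` (I cannot tell from the hunk), say so in a QLDoc, e.g. `/** Gets the property read of the Default binding mode; the trailing underscore avoids a clash with an inherited predicate. */`. The new `asSourceNode()` would likewise benefit from a one-line QLDoc stating that it is the `DataFlow::SourceNode` for this expression, since every other hunk in this commit now routes through it.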
@@ -1266,16 +1277,18 @@ class RequiredObject extends SourceNode { /** * `SomeModule.extend(...)` where `SomeModule` stands for a module imported with `sap.ui.define`. */ -class Extension extends InvokeNode, MethodCallNode { - Extension() { +class SapExtendCall extends InvokeNode, MethodCallNode { + SapExtendCall() { /* 1. The receiver object is an imported one */ - any(RequiredObject module_).flowsTo(this.getReceiver()) and + exists(RequiredObject requiredModule | + requiredModule.asSourceNode().flowsTo(this.getReceiver()) + ) and /* 2. The method name is `extend` */ this.(MethodCallNode).getMethodName() = "extend" } FunctionNode getMethod(string methodName) { - result = this.getArgument(1).(ObjectLiteralNode).getAPropertySource(methodName).(FunctionNode) + result = this.getContent().(ObjectLiteralNode).getAPropertySource(methodName).(FunctionNode) } FunctionNode getAMethod() { result = this.getMethod(_) } 
@@ -1287,22 +1300,22 @@ class Extension extends InvokeNode, MethodCallNode { Metadata getMetadata() { result = this.getContent().getAPropertySource("metadata") or - exists(Extension baseExtension | - baseExtension.getDefine().getExtendingDefine() = this.getDefine() and - result = baseExtension.getMetadata() + exists(SapExtendCall baseExtendCall | + baseExtendCall.getDefine().getExtendingModule() = this.getDefine() and + result = baseExtendCall.getMetadata() ) } /** Gets the `sap.ui.define` call that wraps this extension. */ - SapDefineModule getDefine() { this.getEnclosingFunction() = result.getArgument(1).asExpr() } + SapDefineModule getDefine() { this.getEnclosingFunction() = result.getArgument(1) } } private newtype TSapElement = - DefinitionOfElement(Extension extension) or + DefinitionOfElement(SapExtendCall extension) or ReferenceOfElement(Reference reference) class SapElement extends TSapElement { - Extension asDefinition() { this = DefinitionOfElement(result) } + SapExtendCall asDefinition() { this = DefinitionOfElement(result) } Reference asReference() { this = ReferenceOfElement(result) } @@ -1331,12 +1344,12 @@ class SapElement extends TSapElement { } /** - * The property metadata found in an Extension. + * The property metadata found in an SapExtendCall. */ class Metadata extends ObjectLiteralNode { - Extension extension; + SapExtendCall extension; - Extension getExtension() { result = extension } + SapExtendCall getExtension() { result = extension } Metadata() { this = extension.getContent().getAPropertySource("metadata") } diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll index 8e049b42d..bbfd1acde 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll 
+++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5FormulaInjectionQuery.qll @@ -10,7 +10,7 @@ private class StoragePutCall extends CallNode { /* 1. This is a call to `sap.ui.util.Storage.put` */ // 1-1. Required from `sap/ui/util/Storage` exists(RequiredObject storageClass | - this.getReceiver().getALocalSource() = storageClass and + this.getReceiver().getALocalSource() = storageClass.asSourceNode() and this.getCalleeName() = "put" ) or @@ -46,7 +46,7 @@ private class FileSaveCall extends CallNode { FileSaveCall() { /* 1. Required from `sap/ui/core/util/File` */ exists(RequiredObject fileClass | - this.getReceiver().getALocalSource() = fileClass and + this.getReceiver().getALocalSource() = fileClass.asSourceNode() and this.getCalleeName() = "save" ) or diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll index 4f0079905..5fcd8023f 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll @@ -32,12 +32,12 @@ class Configuration extends DomBasedXss::Configuration { ) } - override predicate isSanitizer(DataFlow::Node node) { + override predicate isBarrier(DataFlow::Node node) { /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */ super.isSanitizer(node) or /* 2. Value read from a non-string control property */ - node = any(PropertyMetadata m | not m.isUnrestrictedStringType()) + exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m) or /* 3-1. Sanitizers provided by `sap.base.security` */ exists(SapDefineModule d, DataFlow::ParameterNode par | 
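Review bot: `isBarrier` is overridden but its first disjunct still calls `super.isSanitizer(node)`, so any barrier that `DomBasedXss::Configuration` declares through `isBarrier` itself is no longer inherited, while only its `isSanitizer` members are pulled in under the new predicate; which of the two the base class actually populates is not visible in this hunk. The safe form is to include both, `super.isBarrier(node) or super.isSanitizer(node)`, and the `/* 1. ... */` comment should say why `isSanitizer` is still consulted after the rename. The `Configuration` class body continues outside the hunk.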
@@ -45,6 +45,7 @@ class Configuration extends DomBasedXss::Configuration { par = d.getRequiredObject("sap/base/security/" + ["encodeCSS", "encodeJS", "encodeURL", "encodeURLParameters", "encodeXML"]) + .asSourceNode() ) or /* 3-2. Sanitizers provided by `jQuery.sap` */ diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll index 58ff9f365..3fde64d21 100644 --- a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll +++ b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll @@ -1,6 +1,5 @@ import javascript import advanced_security.javascript.frameworks.ui5.UI5 -private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions as ApiGraphModelsExtensions /** * Step from a part of internal model to a relevant control property. diff --git a/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql b/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql index 5a4271019..c1e4f8beb 100644 --- a/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql +++ b/javascript/frameworks/ui5/test/models/sink/pathSinkTest.ql @@ -6,12 +6,12 @@ */ import javascript -import semmle.javascript.security.dataflow.TaintedPathQuery as TaintedPathQuery +import semmle.javascript.security.dataflow.TaintedPathQuery import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow -class UI5ExtPathISink extends TaintedPathQuery::Sink { +class UI5ExtPathISink extends DataFlow::Node { UI5ExtPathISink() { this = ModelOutput::getASinkNode("ui5-path-injection").asSink() } } -from TaintedPathQuery::Sink sink +from UI5ExtPathISink sink select sink, sink.toString() 
diff --git a/javascript/frameworks/ui5/test/models/source/sourceTest.expected b/javascript/frameworks/ui5/test/models/source/sourceTest.expected index f2b0bccb9..179664dc2 100644 --- a/javascript/frameworks/ui5/test/models/source/sourceTest.expected +++ b/javascript/frameworks/ui5/test/models/source/sourceTest.expected 
@@ -1,28 +1,56 @@ | source.js:25:17:25:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:25:17:25:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:27:17:27:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:27:17:27:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:29:17:29:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:29:17:29:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:31:17:31:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:31:17:31:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:33:17:33:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:33:17:33:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:35:17:35:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:35:17:35:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:37:17:37:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:37:17:37:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:39:17:39:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:39:17:39:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:41:17:41:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:41:17:41:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:43:17:43:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:43:17:43:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | 
source.js:45:17:45:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:45:17:45:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:47:17:47:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:47:17:47:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:49:17:49:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:49:17:49:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:51:17:51:37 | obj.get ... Value() | Remote flow source of type: Remote flow | +| source.js:51:17:51:37 | obj.get ... Value() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:53:17:53:25 | obj.value | Remote flow source of type: Remote flow | +| source.js:53:17:53:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:55:17:55:30 | obj.getValue() | Remote flow source of type: Remote flow | +| source.js:55:17:55:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:57:17:57:51 | jQuery. ... ).get() | Remote flow source of type: Remote flow | +| source.js:57:17:57:51 | jQuery. ... ).get() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:59:17:59:37 | jQuery. ... cHead() | Remote flow source of type: Remote flow | +| source.js:59:17:59:37 | jQuery. ... cHead() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:61:17:61:36 | jQuery.sap.syncGet() | Remote flow source of type: Remote flow | +| source.js:61:17:61:36 | jQuery.sap.syncGet() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:63:17:63:40 | jQuery. ... tText() | Remote flow source of type: Remote flow | +| source.js:63:17:63:40 | jQuery. ... 
tText() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:65:17:65:37 | jQuery. ... cPost() | Remote flow source of type: Remote flow | +| source.js:65:17:65:37 | jQuery. ... cPost() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:67:17:67:41 | jQuery. ... tText() | Remote flow source of type: Remote flow | +| source.js:67:17:67:41 | jQuery. ... tText() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:69:17:69:52 | UriPara ... ).get() | Remote flow source of type: Remote flow | +| source.js:69:17:69:52 | UriPara ... ).get() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:70:17:70:55 | UriPara ... etAll() | Remote flow source of type: Remote flow | +| source.js:70:17:70:55 | UriPara ... etAll() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:73:17:73:25 | obj.get() | Remote flow source of type: Remote flow | +| source.js:73:17:73:25 | obj.get() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:74:17:74:28 | obj.getAll() | Remote flow source of type: Remote flow | +| source.js:74:17:74:28 | obj.getAll() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:76:17:76:28 | obj.getAll() | Remote flow source of type: Remote flow | +| source.js:76:17:76:28 | obj.getAll() | Remote flow source of type: Source node (remote) [from data-extension] | | source.js:78:17:78:25 | obj.get() | Remote flow source of type: Remote flow | +| source.js:78:17:78:25 | obj.get() | Remote flow source of type: Source node (remote) [from data-extension] | diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected index 27830ed24..18d351403 100644 
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected +++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjection.expected 
@@ -1,64 +1,45 @@
-nodes
-| LogInjectionTest.js:6:9:6:50 | value |
-| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") |
-| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") |
-| LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:7:34:7:38 | value |
-| LogInjectionTest.js:13:9:13:36 | q |
-| LogInjectionTest.js:13:13:13:36 | url.par ... , true) |
-| LogInjectionTest.js:13:23:13:29 | req.url |
-| LogInjectionTest.js:13:23:13:29 | req.url |
-| LogInjectionTest.js:14:9:14:32 | value |
-| LogInjectionTest.js:14:17:14:17 | q |
-| LogInjectionTest.js:14:17:14:23 | q.query |
-| LogInjectionTest.js:14:17:14:32 | q.query.username |
-| LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:15:34:15:38 | value |
-| LogInjectionTest.js:21:9:21:36 | q |
-| LogInjectionTest.js:21:13:21:36 | url.par ... , true) |
-| LogInjectionTest.js:21:23:21:29 | req.url |
-| LogInjectionTest.js:21:23:21:29 | req.url |
-| LogInjectionTest.js:22:9:22:32 | value |
-| LogInjectionTest.js:22:17:22:17 | q |
-| LogInjectionTest.js:22:17:22:23 | q.query |
-| LogInjectionTest.js:22:17:22:32 | q.query.username |
-| LogInjectionTest.js:23:9:23:44 | value1 |
-| LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) |
-| LogInjectionTest.js:23:39:23:43 | value |
-| LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` |
-| LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` |
-| LogInjectionTest.js:24:34:24:39 | value1 |
 edges
-| LogInjectionTest.js:6:9:6:50 | value | LogInjectionTest.js:7:34:7:38 | value |
-| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:6:9:6:50 | value |
-| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:6:9:6:50 | value |
-| LogInjectionTest.js:7:34:7:38 | value | LogInjectionTest.js:7:18:7:40 | `[INFO] ... 
value}` |
-| LogInjectionTest.js:7:34:7:38 | value | LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:13:9:13:36 | q | LogInjectionTest.js:14:17:14:17 | q |
-| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | LogInjectionTest.js:13:9:13:36 | q |
-| LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:13:13:13:36 | url.par ... , true) |
-| LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:13:13:13:36 | url.par ... , true) |
-| LogInjectionTest.js:14:9:14:32 | value | LogInjectionTest.js:15:34:15:38 | value |
-| LogInjectionTest.js:14:17:14:17 | q | LogInjectionTest.js:14:17:14:23 | q.query |
-| LogInjectionTest.js:14:17:14:23 | q.query | LogInjectionTest.js:14:17:14:32 | q.query.username |
-| LogInjectionTest.js:14:17:14:32 | q.query.username | LogInjectionTest.js:14:9:14:32 | value |
-| LogInjectionTest.js:15:34:15:38 | value | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:15:34:15:38 | value | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` |
-| LogInjectionTest.js:21:9:21:36 | q | LogInjectionTest.js:22:17:22:17 | q |
-| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | LogInjectionTest.js:21:9:21:36 | q |
-| LogInjectionTest.js:21:23:21:29 | req.url | LogInjectionTest.js:21:13:21:36 | url.par ... , true) |
-| LogInjectionTest.js:21:23:21:29 | req.url | LogInjectionTest.js:21:13:21:36 | url.par ... , true) |
-| LogInjectionTest.js:22:9:22:32 | value | LogInjectionTest.js:23:39:23:43 | value |
-| LogInjectionTest.js:22:17:22:17 | q | LogInjectionTest.js:22:17:22:23 | q.query |
-| LogInjectionTest.js:22:17:22:23 | q.query | LogInjectionTest.js:22:17:22:32 | q.query.username |
-| LogInjectionTest.js:22:17:22:32 | q.query.username | LogInjectionTest.js:22:9:22:32 | value |
-| LogInjectionTest.js:23:9:23:44 | value1 | LogInjectionTest.js:24:34:24:39 | value1 |
-| LogInjectionTest.js:23:18:23:44 | jQuery. ... 
(value) | LogInjectionTest.js:23:9:23:44 | value1 |
-| LogInjectionTest.js:23:39:23:43 | value | LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) |
-| LogInjectionTest.js:24:34:24:39 | value1 | LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` |
-| LogInjectionTest.js:24:34:24:39 | value1 | LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` |
+| LogInjectionTest.js:6:9:6:50 | value | LogInjectionTest.js:7:34:7:38 | value | provenance | |
+| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:6:9:6:50 | value | provenance | |
+| LogInjectionTest.js:7:34:7:38 | value | LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | provenance | |
+| LogInjectionTest.js:13:9:13:36 | q | LogInjectionTest.js:14:17:14:17 | q | provenance | |
+| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | LogInjectionTest.js:13:9:13:36 | q | provenance | |
+| LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:13:13:13:36 | url.par ... , true) | provenance | |
+| LogInjectionTest.js:14:9:14:32 | value | LogInjectionTest.js:15:34:15:38 | value | provenance | |
+| LogInjectionTest.js:14:17:14:17 | q | LogInjectionTest.js:14:9:14:32 | value | provenance | |
+| LogInjectionTest.js:15:34:15:38 | value | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | provenance | |
+| LogInjectionTest.js:21:9:21:36 | q | LogInjectionTest.js:22:17:22:17 | q | provenance | |
+| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | LogInjectionTest.js:21:9:21:36 | q | provenance | |
+| LogInjectionTest.js:21:23:21:29 | req.url | LogInjectionTest.js:21:13:21:36 | url.par ... , true) | provenance | |
+| LogInjectionTest.js:22:9:22:32 | value | LogInjectionTest.js:23:39:23:43 | value | provenance | |
+| LogInjectionTest.js:22:17:22:17 | q | LogInjectionTest.js:22:9:22:32 | value | provenance | |
+| LogInjectionTest.js:23:9:23:44 | value1 | LogInjectionTest.js:24:34:24:39 | value1 | provenance | |
+| LogInjectionTest.js:23:18:23:44 | jQuery. ... 
(value) | LogInjectionTest.js:23:9:23:44 | value1 | provenance | |
+| LogInjectionTest.js:23:39:23:43 | value | LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) | provenance | |
+| LogInjectionTest.js:24:34:24:39 | value1 | LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | provenance | |
+nodes
+| LogInjectionTest.js:6:9:6:50 | value | semmle.label | value |
+| LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | semmle.label | jQuery. ... param") |
+| LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | semmle.label | `[INFO] ... value}` |
+| LogInjectionTest.js:7:34:7:38 | value | semmle.label | value |
+| LogInjectionTest.js:13:9:13:36 | q | semmle.label | q |
+| LogInjectionTest.js:13:13:13:36 | url.par ... , true) | semmle.label | url.par ... , true) |
+| LogInjectionTest.js:13:23:13:29 | req.url | semmle.label | req.url |
+| LogInjectionTest.js:14:9:14:32 | value | semmle.label | value |
+| LogInjectionTest.js:14:17:14:17 | q | semmle.label | q |
+| LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | semmle.label | `[INFO] ... value}` |
+| LogInjectionTest.js:15:34:15:38 | value | semmle.label | value |
+| LogInjectionTest.js:21:9:21:36 | q | semmle.label | q |
+| LogInjectionTest.js:21:13:21:36 | url.par ... , true) | semmle.label | url.par ... , true) |
+| LogInjectionTest.js:21:23:21:29 | req.url | semmle.label | req.url |
+| LogInjectionTest.js:22:9:22:32 | value | semmle.label | value |
+| LogInjectionTest.js:22:17:22:17 | q | semmle.label | q |
+| LogInjectionTest.js:23:9:23:44 | value1 | semmle.label | value1 |
+| LogInjectionTest.js:23:18:23:44 | jQuery. ... (value) | semmle.label | jQuery. ... (value) |
+| LogInjectionTest.js:23:39:23:43 | value | semmle.label | value |
+| LogInjectionTest.js:24:18:24:41 | `[INFO] ... alue1}` | semmle.label | `[INFO] ... alue1}` |
+| LogInjectionTest.js:24:34:24:39 | value1 | semmle.label | value1 |
+subpaths
 #select
 | LogInjectionTest.js:7:18:7:40 | `[INFO] ... 
value}` | LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | LogInjectionTest.js:7:18:7:40 | `[INFO] ... value}` | Log entry depends on a $@. | LogInjectionTest.js:6:17:6:50 | jQuery. ... param") | user-provided value |
 | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | LogInjectionTest.js:13:23:13:29 | req.url | LogInjectionTest.js:15:18:15:40 | `[INFO] ... value}` | Log entry depends on a $@. | LogInjectionTest.js:13:23:13:29 | req.url | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected
index a9669444b..6b6753ba6 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/UI5LogInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83)
 nodes
 | LogInjectionTest.js:6:9:6:50 | value |
 | LogInjectionTest.js:6:17:6:50 | jQuery. ... param") |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected
index 50eefd709..a5d036953 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/UI5LogInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83)
 nodes
 | webapp/control/xss.js:7:23:7:37 | { type: "int" } |
 | webapp/control/xss.js:13:38:13:55 | oControl.getText() |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected
index 9d5f62193..0c6d16cdc 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/UI5LogInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83)
 nodes
 | webapp/control/xss.js:8:23:8:40 | { type: "string" } |
 | webapp/control/xss.js:15:21:15:46 | value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected
index 850eebdc6..d273dffe6 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5LogInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83)
 nodes
 | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 | webapp/controller/app.controller.js:15:17:15:52 | input |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected
index f05e5f1f0..680bdd867 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/UI5UnsafeLogAccess.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5UnsafeLogAccess.ql:18,44-83)
 nodes
 | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 | webapp/controller/app.controller.js:15:17:15:52 | input |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected
index ef8e741c9..5b856ecca 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83)
 nodes
 | webapp/controller/app.controller.js:8:11:8:21 | input: null |
 | webapp/controller/app.controller.js:14:13:14:48 | input |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected
index 17ef49fbd..0742d5d86 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5LogsToHttp.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogsToHttp.ql:19,44-83)
 nodes
 | webapp/controller/app.controller.js:8:11:8:21 | input: null |
 | webapp/controller/app.controller.js:14:13:14:48 | input |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected
index a4e1f9187..5e77fa377 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5UnsafeLogAccess.ql:18,44-83)
 nodes
 | webapp/controller/app.controller.js:8:11:8:21 | input: null |
 | webapp/controller/app.controller.js:14:13:14:48 | input |
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected
index 23487ae87..55a3c46de 100644
--- a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/UI5LogInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5LogInjection.ql:19,44-83)
 nodes
 | webapp/controller/app.controller.js:9:17:9:27 | input: null |
 | webapp/controller/app.controller.js:15:17:15:52 | input |
diff --git a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected
index 6a0a93b2d..89d898adc 100644
--- a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/UI5PathInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'Configuration' has been deprecated and may be removed in future (UI5PathInjection.ql:20,45-73)
 nodes
 | webapp/control/xss.js:8:23:8:37 | { type: "int" } |
 | webapp/control/xss.js:17:43:17:60 | oControl.getText() |
diff --git a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected
index 14fd36fd5..c0a394b18 100644
--- a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/UI5PathInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'Configuration' has been deprecated and may be removed in future (UI5PathInjection.ql:20,45-73)
 nodes
 | webapp/control/xss.js:9:23:9:40 | { type: "string" } |
 | webapp/control/xss.js:15:21:15:46 | value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected
index 0d871e07d..52662564d 100644
--- a/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/UI5PathInjection.expected
@@ -1,3 +1,4 @@
+WARNING: type 'Configuration' has been deprecated and may be removed in future (UI5PathInjection.ql:20,45-73)
 nodes
 | webapp/controller/app.controller.js:10:17:10:27 | input: null |
 | webapp/controller/app.controller.js:16:39:16:66 | oModel. ... input') |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected
index cbbf4994d..04f9ed982 100644
--- a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected
+++ b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/Xss.expected
@@ -1,60 +1,38 @@
 nodes
-| XssTest.js:3:9:3:50 | value |
-| XssTest.js:3:9:3:50 | value |
-| XssTest.js:3:17:3:50 | jQuery. ... param") |
-| XssTest.js:3:17:3:50 | jQuery. ... param") |
-| XssTest.js:3:17:3:50 | jQuery. ... param") |
-| XssTest.js:4:20:4:24 | value |
-| XssTest.js:4:20:4:24 | value |
-| XssTest.js:4:20:4:24 | value |
-| XssTest.js:10:9:10:40 | value |
-| XssTest.js:10:17:10:40 | documen ... .search |
-| XssTest.js:10:17:10:40 | documen ... .search |
-| XssTest.js:11:20:11:24 | value |
-| XssTest.js:11:20:11:24 | value |
-| XssTest.js:17:9:17:40 | value |
-| XssTest.js:17:17:17:40 | documen ... .search |
-| XssTest.js:17:17:17:40 | documen ... .search |
-| XssTest.js:18:9:18:44 | value1 |
-| XssTest.js:18:18:18:44 | jQuery. ... (value) |
-| XssTest.js:18:39:18:43 | value |
-| XssTest.js:19:20:19:25 | value1 |
-| XssTest.js:19:20:19:25 | value1 |
-| XssTest.js:25:9:25:40 | value |
-| XssTest.js:25:17:25:40 | documen ... .search |
-| XssTest.js:25:17:25:40 | documen ... .search |
-| XssTest.js:26:9:26:44 | value1 |
-| XssTest.js:26:18:26:44 | jQuery. ... (value) |
-| XssTest.js:26:39:26:43 | value |
-| XssTest.js:27:20:27:25 | value1 |
-| XssTest.js:27:20:27:25 | value1 |
+| XssTest.js:3:9:3:50 | value | semmle.label | value |
+| XssTest.js:3:17:3:50 | jQuery. ... param") | semmle.label | jQuery. ... param") |
+| XssTest.js:4:20:4:24 | value | semmle.label | value |
+| XssTest.js:10:9:10:40 | value | semmle.label | value |
+| XssTest.js:10:17:10:40 | documen ... .search | semmle.label | documen ... .search |
+| XssTest.js:11:20:11:24 | value | semmle.label | value |
+| XssTest.js:17:9:17:40 | value | semmle.label | value |
+| XssTest.js:17:17:17:40 | documen ... .search | semmle.label | documen ... .search |
+| XssTest.js:18:9:18:44 | value1 | semmle.label | value1 |
+| XssTest.js:18:18:18:44 | jQuery. ... (value) | semmle.label | jQuery. ... 
(value) |
+| XssTest.js:18:39:18:43 | value | semmle.label | value |
+| XssTest.js:19:20:19:25 | value1 | semmle.label | value1 |
+| XssTest.js:25:9:25:40 | value | semmle.label | value |
+| XssTest.js:25:17:25:40 | documen ... .search | semmle.label | documen ... .search |
+| XssTest.js:26:9:26:44 | value1 | semmle.label | value1 |
+| XssTest.js:26:18:26:44 | jQuery. ... (value) | semmle.label | jQuery. ... (value) |
+| XssTest.js:26:39:26:43 | value | semmle.label | value |
+| XssTest.js:27:20:27:25 | value1 | semmle.label | value1 |
 edges
-| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value |
-| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value |
-| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value |
-| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value |
-| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value |
-| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value |
-| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value |
-| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value |
-| XssTest.js:10:9:10:40 | value | XssTest.js:11:20:11:24 | value |
-| XssTest.js:10:9:10:40 | value | XssTest.js:11:20:11:24 | value |
-| XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value |
-| XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value |
-| XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value |
-| XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value |
-| XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value |
-| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 |
-| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 |
-| XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 |
-| XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... 
(value) |
-| XssTest.js:25:9:25:40 | value | XssTest.js:26:39:26:43 | value |
-| XssTest.js:25:17:25:40 | documen ... .search | XssTest.js:25:9:25:40 | value |
-| XssTest.js:25:17:25:40 | documen ... .search | XssTest.js:25:9:25:40 | value |
-| XssTest.js:26:9:26:44 | value1 | XssTest.js:27:20:27:25 | value1 |
-| XssTest.js:26:9:26:44 | value1 | XssTest.js:27:20:27:25 | value1 |
-| XssTest.js:26:18:26:44 | jQuery. ... (value) | XssTest.js:26:9:26:44 | value1 |
-| XssTest.js:26:39:26:43 | value | XssTest.js:26:18:26:44 | jQuery. ... (value) |
+| XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value | provenance | |
+| XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:3:9:3:50 | value | provenance | |
+| XssTest.js:10:9:10:40 | value | XssTest.js:11:20:11:24 | value | provenance | |
+| XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value | provenance | |
+| XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value | provenance | |
+| XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value | provenance | |
+| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 | provenance | |
+| XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 | provenance | |
+| XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... (value) | provenance | |
+| XssTest.js:25:9:25:40 | value | XssTest.js:26:39:26:43 | value | provenance | |
+| XssTest.js:25:17:25:40 | documen ... .search | XssTest.js:25:9:25:40 | value | provenance | |
+| XssTest.js:26:9:26:44 | value1 | XssTest.js:27:20:27:25 | value1 | provenance | |
+| XssTest.js:26:18:26:44 | jQuery. ... (value) | XssTest.js:26:9:26:44 | value1 | provenance | |
+| XssTest.js:26:39:26:43 | value | XssTest.js:26:18:26:44 | jQuery. ... (value) | provenance | |
+subpaths
 #select
 | XssTest.js:4:20:4:24 | value | XssTest.js:3:17:3:50 | jQuery. ... param") | XssTest.js:4:20:4:24 | value | Cross-site scripting vulnerability due to $@. 
| XssTest.js:3:17:3:50 | jQuery. ... param") | user-provided value |
 | XssTest.js:11:20:11:24 | value | XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:11:20:11:24 | value | Cross-site scripting vulnerability due to $@. | XssTest.js:10:17:10:40 | documen ... .search | user-provided value |

From 36c7eb78d1ae2027059789f0476234cd539c273c Mon Sep 17 00:00:00 2001
From: Jeongsoo Lee
Date: Fri, 14 Feb 2025 17:57:07 -0800
Subject: [PATCH 09/15] Update rest of the expected files

These expected files are prepended with a deprecation warning on the old DataFlow APIs; no changes were occured in the rest of the contents.

---
 .../test/queries/cqlinjection/cqlinjection.expected | 4 ++++
 .../log-injection-not-depending-on-request.expected | 3 +++
 .../log-injection-type-sanitized.expected | 3 +++
 ...og-injection-with-complete-protocol-none.expected | 3 +++
 ...og-injection-with-service1-protocol-none.expected | 3 +++
 ...og-injection-with-service2-protocol-none.expected | 3 +++
 .../log-injection-without-protocol-none.expected | 3 +++
 .../sensitive-exposure/sensitive-exposure.expected | 6 +++++-
 .../xsjs/test/models/source/source.expected | 12 ++++++++++++
 .../XSJSReflectedXss/XSJSReflectedXss.expected | 4 +++-
 .../XSJSSqlInjection/XSJSSqlInjection.expected | 3 +++
 .../queries/XSJSUrlRedirect/XSJSUrlRedirect.expected | 3 +++
 .../test/queries/XSJSZipSlip/XSJSZipSlip.expected | 3 +++
 13 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected
index 76317f305..5b6e7e207 100644
--- a/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected
+++ b/javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.expected
@@ -1,3 +1,7 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (CqlInjection.ql:14,8-27)
+WARNING: type 'Configuration' has been deprecated and may be removed in future (CqlInjection.ql:19,33-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,29-47)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (CqlInjection.ql:46,56-74)
 nodes
 | cqlinjection.js:7:34:7:36 | req |
 | cqlinjection.js:7:34:7:36 | req |
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected
index ac992895b..72a7d7b51 100644
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/log-injection-not-depending-on-request.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 edges
 #select
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected
index ac992895b..72a7d7b51 100644
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-type-sanitized/log-injection-type-sanitized.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 edges
 #select
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected
index ac992895b..72a7d7b51 100644
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/log-injection-with-complete-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 edges
 #select
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected
index 708cb0500..1be03ae22 100644
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/log-injection-with-service1-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 | srv/service2.js:6:29:6:31 | msg |
 | srv/service2.js:6:29:6:31 | msg |
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected
index 8666c3389..aafdc3254 100644
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/log-injection-with-service2-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 | srv/service1.js:6:33:6:35 | req |
 | srv/service1.js:6:33:6:35 | req |
diff --git a/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected b/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected
index 06af9807a..2ae4613b9 100644
--- a/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected
+++ b/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/log-injection-without-protocol-none.expected
@@ -1,3 +1,6 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (LogInjection.ql:14,8-27)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,43-61)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (LogInjection.ql:18,70-88)
 nodes
 | srv/service1.js:6:33:6:35 | req |
 | srv/service1.js:6:33:6:35 | req |
diff --git a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected
index 85d27ac4f..fe9732794 100644
--- a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected
+++ b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected
@@ -1,3 +1,7 @@
+WARNING: module 'PathGraph' has been deprecated and may be removed in future (SensitiveExposure.ql:17,8-27)
+WARNING: type 'Configuration' has been deprecated and may be removed in future (SensitiveExposure.ql:50,42-70)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,41-59)
+WARNING: type 'PathNode' has been deprecated and may be removed in future (SensitiveExposure.ql:60,68-86)
 nodes
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
 | sensitive-exposure.js:9:32:9:42 | Sample.name |
@@ -5,4 +9,4 @@ nodes edges | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | #select -| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n ... } | name | \ No newline at end of file +| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds.json:9:17:13:9 | {\\n ... } | name | diff --git a/javascript/frameworks/xsjs/test/models/source/source.expected b/javascript/frameworks/xsjs/test/models/source/source.expected index 0d7daea2c..c9e916951 100644 --- a/javascript/frameworks/xsjs/test/models/source/source.expected +++ b/javascript/frameworks/xsjs/test/models/source/source.expected 
@@ -1,12 +1,24 @@ | source.xsjs:42:24:42:54 | webRequ ... uffer() | Remote flow source of type: Remote flow | +| source.xsjs:42:24:42:54 | webRequ ... uffer() | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:43:24:43:49 | webRequ ... tring() | Remote flow source of type: Remote flow | +| source.xsjs:43:24:43:49 | webRequ ... tring() | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:44:24:44:53 | webRequ ... quest() | Remote flow source of type: Remote flow | +| source.xsjs:44:24:44:53 | webRequ ... quest() | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:46:24:46:54 | webRequ ... uffer() | Remote flow source of type: Remote flow | +| source.xsjs:46:24:46:54 | webRequ ... uffer() | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:47:24:47:49 | webRequ ... tring() | Remote flow source of type: Remote flow | +| source.xsjs:47:24:47:49 | webRequ ... tring() | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:48:24:48:53 | webRequ ... quest() | Remote flow source of type: Remote flow | +| source.xsjs:48:24:48:53 | webRequ ... quest() | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:52:25:52:44 | webRequestParam1.get | Remote flow source of type: Remote flow | +| source.xsjs:52:25:52:44 | webRequestParam1.get | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:52:25:52:51 | webRequ ... ("key") | Remote flow source of type: Remote flow | +| source.xsjs:52:25:52:51 | webRequ ... 
("key") | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:53:25:53:44 | webRequestParam1.key | Remote flow source of type: Remote flow | +| source.xsjs:53:25:53:44 | webRequestParam1.key | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:55:25:55:44 | webRequestParam2.get | Remote flow source of type: Remote flow | +| source.xsjs:55:25:55:44 | webRequestParam2.get | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:55:25:55:51 | webRequ ... ("key") | Remote flow source of type: Remote flow | +| source.xsjs:55:25:55:51 | webRequ ... ("key") | Remote flow source of type: Source node (remote) [from data-extension] | | source.xsjs:56:25:56:44 | webRequestParam2.key | Remote flow source of type: Remote flow | +| source.xsjs:56:25:56:44 | webRequestParam2.key | Remote flow source of type: Source node (remote) [from data-extension] | diff --git a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected index 52be51fee..07e5fa02f 100644 --- a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected +++ b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSReflectedXss.ql:15,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSReflectedXss.ql:17,28-46) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSReflectedXss.ql:17,55-73) nodes | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | 
@@ -46,4 +49,3 @@ edges | XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) | #select | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | Reflected XSS vulnerability due to $@. | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | user-provided value | - diff --git a/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected b/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected index f21f7745c..a5329f010 100644 --- a/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected +++ b/javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSSqlInjection.ql:15,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSSqlInjection.ql:17,28-46) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSSqlInjection.ql:17,55-73) nodes | XSJSSqlInjection.xsjs:8:7:8:79 | someParameterValue1 | | XSJSSqlInjection.xsjs:8:29:8:79 | JSON.pa ... ter1")) | diff --git a/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected b/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected index 6bb93c75d..66673f61b 100644 --- a/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected +++ b/javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.expected 
@@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:15,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:17,28-46) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSUrlRedirect.ql:17,55-73) nodes | XSJSUrlRedirect.xsjs:7:7:7:65 | someParameterValue | | XSJSUrlRedirect.xsjs:7:28:7:65 | request ... meter") | diff --git a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected index d1fde56d6..dea6e705c 100644 --- a/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected +++ b/javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.expected @@ -1,3 +1,6 @@ +WARNING: module 'PathGraph' has been deprecated and may be removed in future (XSJSZipSlip.ql:15,8-27) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,28-46) +WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSZipSlip.ql:17,55-73) nodes | XSJSZipSlip.xsjs:7:7:7:62 | zipArchive | | XSJSZipSlip.xsjs:7:20:7:62 | new $.u ... ffer()) | From ba371e1101ea9230acd787fcaf00989927525b1a Mon Sep 17 00:00:00 2001 
From: Jeongsoo Lee Date: Fri, 14 Feb 2025 18:01:18 -0800 Subject: [PATCH 10/15] Bump `qlpack.yml` versions across UI5, CAP, and XSJS This is to publish these QL packs with a new version. --- javascript/frameworks/cap/ext/qlpack.yml | 2 +- javascript/frameworks/cap/lib/qlpack.yml | 4 ++-- javascript/frameworks/cap/src/qlpack.yml | 6 +++--- javascript/frameworks/cap/test/qlpack.yml | 8 ++++---- javascript/frameworks/ui5/ext/qlpack.yml | 2 +- javascript/frameworks/ui5/lib/qlpack.yml | 4 ++-- javascript/frameworks/ui5/src/qlpack.yml | 6 +++--- javascript/frameworks/ui5/test/qlpack.yml | 8 ++++---- javascript/frameworks/xsjs/ext/qlpack.yml | 2 +- javascript/frameworks/xsjs/lib/qlpack.yml | 2 +- javascript/frameworks/xsjs/src/qlpack.yml | 6 +++--- javascript/frameworks/xsjs/test/qlpack.yml | 6 +++--- 12 files changed, 28 insertions(+), 28 deletions(-) diff --git a/javascript/frameworks/cap/ext/qlpack.yml b/javascript/frameworks/cap/ext/qlpack.yml index f00c4b455..eb78102bb 100644 --- a/javascript/frameworks/cap/ext/qlpack.yml +++ b/javascript/frameworks/cap/ext/qlpack.yml @@ -1,6 +1,6 @@ --- library: true name: advanced-security/javascript-sap-cap-models -version: 0.3.0 +version: 0.4.0 extensionTargets: codeql/javascript-all: "^2.4.0" diff --git a/javascript/frameworks/cap/lib/qlpack.yml b/javascript/frameworks/cap/lib/qlpack.yml index 9ab1d2636..f17f2704e 100644 --- a/javascript/frameworks/cap/lib/qlpack.yml +++ b/javascript/frameworks/cap/lib/qlpack.yml @@ -1,9 +1,9 @@ --- library: true name: advanced-security/javascript-sap-cap-all -version: 0.3.0 +version: 0.4.0 suites: codeql-suites extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-cap-models: "^0.3.0" + advanced-security/javascript-sap-cap-models: "^0.4.0" diff --git a/javascript/frameworks/cap/src/qlpack.yml b/javascript/frameworks/cap/src/qlpack.yml index b022fc717..9297aeeea 100644 --- a/javascript/frameworks/cap/src/qlpack.yml 
+++ b/javascript/frameworks/cap/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false name: advanced-security/javascript-sap-cap-queries -version: 0.3.0 +version: 0.4.0 suites: codeql-suites extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-cap-models: "^0.3.0" - advanced-security/javascript-sap-cap-all: "^0.3.0" + advanced-security/javascript-sap-cap-models: "^0.4.0" + advanced-security/javascript-sap-cap-all: "^0.4.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/cap/test/qlpack.yml b/javascript/frameworks/cap/test/qlpack.yml index 6d7db3378..31a0ab711 100644 --- a/javascript/frameworks/cap/test/qlpack.yml +++ b/javascript/frameworks/cap/test/qlpack.yml @@ -1,9 +1,9 @@ --- name: advanced-security/javascript-sap-cap-queries-tests -version: 0.3.0 +version: 0.4.0 extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-cap-queries: "^0.3.0" - advanced-security/javascript-sap-cap-models: "^0.3.0" - advanced-security/javascript-sap-cap-all: "^0.3.0" + advanced-security/javascript-sap-cap-queries: "^0.4.0" + advanced-security/javascript-sap-cap-models: "^0.4.0" + advanced-security/javascript-sap-cap-all: "^0.4.0" diff --git a/javascript/frameworks/ui5/ext/qlpack.yml b/javascript/frameworks/ui5/ext/qlpack.yml index bb6ece987..6c146a252 100644 --- a/javascript/frameworks/ui5/ext/qlpack.yml +++ b/javascript/frameworks/ui5/ext/qlpack.yml @@ -1,7 +1,7 @@ --- library: true name: advanced-security/javascript-sap-ui5-models -version: 0.6.0 +version: 0.7.0 extensionTargets: codeql/javascript-all: "^2.4.0" dataExtensions: diff --git a/javascript/frameworks/ui5/lib/qlpack.yml b/javascript/frameworks/ui5/lib/qlpack.yml index ccfafb757..51e9a6f91 100644 --- a/javascript/frameworks/ui5/lib/qlpack.yml +++ b/javascript/frameworks/ui5/lib/qlpack.yml 
@@ -1,9 +1,9 @@ --- library: true name: advanced-security/javascript-sap-ui5-all -version: 0.6.0 +version: 0.7.0 suites: codeql-suites extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-ui5-models: "^0.6.0" + advanced-security/javascript-sap-ui5-models: "^0.7.0" diff --git a/javascript/frameworks/ui5/src/qlpack.yml b/javascript/frameworks/ui5/src/qlpack.yml index 397ef56a1..ffc3f7ad8 100644 --- a/javascript/frameworks/ui5/src/qlpack.yml +++ b/javascript/frameworks/ui5/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false name: advanced-security/javascript-sap-ui5-queries -version: 0.6.0 +version: 0.7.0 suites: codeql-suites extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-ui5-models: "^0.6.0" - advanced-security/javascript-sap-ui5-all: "^0.6.0" + advanced-security/javascript-sap-ui5-models: "^0.7.0" + advanced-security/javascript-sap-ui5-all: "^0.7.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/ui5/test/qlpack.yml b/javascript/frameworks/ui5/test/qlpack.yml index c88e2fc75..c81393a00 100644 --- a/javascript/frameworks/ui5/test/qlpack.yml +++ b/javascript/frameworks/ui5/test/qlpack.yml @@ -1,9 +1,9 @@ name: advanced-security/javascript-sap-ui5-queries-tests -version: 0.6.0 +version: 0.7.0 extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" codeql/javascript-queries: "^1.2.0" - advanced-security/javascript-sap-ui5-queries: "^0.6.0" - advanced-security/javascript-sap-ui5-models: "^0.6.0" - advanced-security/javascript-sap-ui5-all: "^0.6.0" + advanced-security/javascript-sap-ui5-queries: "^0.7.0" + advanced-security/javascript-sap-ui5-models: "^0.7.0" + advanced-security/javascript-sap-ui5-all: "^0.7.0" diff --git a/javascript/frameworks/xsjs/ext/qlpack.yml b/javascript/frameworks/xsjs/ext/qlpack.yml index 92063158a..513a0e292 100644 --- a/javascript/frameworks/xsjs/ext/qlpack.yml 
+++ b/javascript/frameworks/xsjs/ext/qlpack.yml @@ -1,7 +1,7 @@ --- library: true name: advanced-security/javascript-sap-xsjs-models -version: 0.1.0 +version: 0.2.0 extensionTargets: codeql/javascript-all: "^2.4.0" dataExtensions: diff --git a/javascript/frameworks/xsjs/lib/qlpack.yml b/javascript/frameworks/xsjs/lib/qlpack.yml index 5413f1023..69b5f773d 100644 --- a/javascript/frameworks/xsjs/lib/qlpack.yml +++ b/javascript/frameworks/xsjs/lib/qlpack.yml @@ -1,7 +1,7 @@ --- library: true name: advanced-security/javascript-sap-xsjs-lib -version: 0.1.0 +version: 0.2.0 suites: codeql-suites extractor: javascript dependencies: diff --git a/javascript/frameworks/xsjs/src/qlpack.yml b/javascript/frameworks/xsjs/src/qlpack.yml index 15cd6caa9..b49730dc8 100644 --- a/javascript/frameworks/xsjs/src/qlpack.yml +++ b/javascript/frameworks/xsjs/src/qlpack.yml @@ -1,11 +1,11 @@ --- library: false name: advanced-security/javascript-sap-xsjs-queries -version: 0.1.0 +version: 0.2.0 suites: codeql-suites extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-xsjs-models: "^0.1.0" - advanced-security/javascript-sap-xsjs-lib: "^0.1.0" + advanced-security/javascript-sap-xsjs-models: "^0.2.0" + advanced-security/javascript-sap-xsjs-lib: "^0.2.0" default-suite-file: codeql-suites/javascript-code-scanning.qls diff --git a/javascript/frameworks/xsjs/test/qlpack.yml b/javascript/frameworks/xsjs/test/qlpack.yml index 4dd3acac5..f0419bbcc 100644 --- a/javascript/frameworks/xsjs/test/qlpack.yml +++ b/javascript/frameworks/xsjs/test/qlpack.yml @@ -1,8 +1,8 @@ --- name: advanced-security/javascript-sap-xsjs-tests -version: 0.1.0 +version: 0.2.0 extractor: javascript dependencies: codeql/javascript-all: "^2.4.0" - advanced-security/javascript-sap-xsjs-queries: "^0.1.0" - advanced-security/javascript-sap-xsjs-lib: "^0.1.0" + advanced-security/javascript-sap-xsjs-queries: "^0.2.0" + advanced-security/javascript-sap-xsjs-lib: "^0.2.0" 
From 2f809594db8f83c58cc70a15b5fb342485032086 Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Mon, 17 Feb 2025 21:22:06 -0700 Subject: [PATCH 11/15] CDS extractor index-files.sh compile to stdout Attempt to resolve unit test failures for PR #170 of the `advanced-security/codeql-sap-js` repo. Updates the (soon to be replaced) shell-based version of the CDS extractor as an attempted workaround for a change in cds compiler behavior when the `-o` or `--dest` options are set for the `cds compile` CLI command. Forces the cds compmiler to output to the desired .cds.json file path via stdout. --- extractors/cds/tools/index-files.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh index 092d126a9..bbdcee6dd 100755 --- a/extractors/cds/tools/index-files.sh +++ b/extractors/cds/tools/index-files.sh @@ -51,8 +51,11 @@ echo "Processing CDS files to JSON" # Run the cds compile command on each file in the response file, outputting the compiled JSON to a file with # the same name while IFS= read -r cds_file; do - echo "Processing CDS file $cds_file to:" - if ! $cds_command compile "$cds_file" -2 json -o "$cds_file.json" --locations 2> "$cds_file.err"; then + echo "Processing CDS file $cds_file to: $cds_file.json" + # Avoid using the `-o` (or `--dest`) option as it sends output to a new directory, where we want to + # output to a file in the same directory as the input file but with a .json extension. + if ! $cds_command compile "$cds_file" -2 json --locations > "$cds_file.json" 2> "$cds_file.err" + then stderr_truncated=`grep "^\[ERROR\]" "$cds_file.err" | tail -n 4` error_message=$'Could not compile the file '"$cds_file"$'.\nReported error(s):\n```\n'"$stderr_truncated"$'\n```' echo "$error_message" From 15b08a72071675ae884e89672cc7d870c4862273 Mon Sep 17 00:00:00 2001 
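Review bot: The `> "$cds_file.json"` redirection creates and truncates the output file before `cds compile` runs, so a failed compile now leaves an empty or partial `.cds.json` beside the source file, and the failure branch visible here only prints the error; what happens after the `echo` is outside the hunk. Unless something later deletes it, the JavaScript autobuilder invoked at the end of this script will index that truncated file as if it were a real model. Remove it on the failure path, `rm -f "$cds_file.json"` before `echo "$error_message"`, or compile into a temporary file and `mv` it into place only on success. The `while` loop body continues beyond the hunk.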
From: Nathan Randall Date: Tue, 18 Feb 2025 09:19:23 -0700 Subject: [PATCH 12/15] Test use of `--service all` in cds compile --- extractors/cds/tools/index-files.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh index bbdcee6dd..df029d459 100755 --- a/extractors/cds/tools/index-files.sh +++ b/extractors/cds/tools/index-files.sh @@ -54,7 +54,7 @@ while IFS= read -r cds_file; do echo "Processing CDS file $cds_file to: $cds_file.json" # Avoid using the `-o` (or `--dest`) option as it sends output to a new directory, where we want to # output to a file in the same directory as the input file but with a .json extension. - if ! $cds_command compile "$cds_file" -2 json --locations > "$cds_file.json" 2> "$cds_file.err" + if ! $cds_command compile "$cds_file" -2 json --locations --service all > "$cds_file.json" 2> "$cds_file.err" then stderr_truncated=`grep "^\[ERROR\]" "$cds_file.err" | tail -n 4` error_message=$'Could not compile the file '"$cds_file"$'.\nReported error(s):\n```\n'"$stderr_truncated"$'\n```' From b97797dbd588fb6e63c24b476b8d66cb017e035d Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Tue, 18 Feb 2025 17:35:44 -0700 Subject: [PATCH 13/15] Force use of @sap/cds-dk version 8.6.1 to avoid bug Attempted workaround for a knownbug in some versions of the CDS compiler (i.e. `@sap/cds-dk`). Ref -> https://github.tools.sap/cap/issues/issues/17840 --- extractors/cds/tools/index-files.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh index df029d459..b7c1dc24a 100755 --- a/extractors/cds/tools/index-files.sh +++ b/extractors/cds/tools/index-files.sh 
@@ -36,12 +36,12 @@ then # directory. # # We also ensure we skip node_modules, as we can end up in a recursive loop - find . -type d -name node_modules -prune -false -o -type f \( -iname 'package.json' \) -exec grep -ql '@sap/cds' {} \; -execdir bash -c "grep -q \"^\$(pwd)\(/\|$\)\" \"$response_file\"" \; -execdir bash -c "echo \"Installing @sap/cds-dk into \$(pwd) to enable CDS compilation.\"" \; -execdir npm install --silent @sap/cds-dk \; -execdir npm install --silent \; + find . -type d -name node_modules -prune -false -o -type f \( -iname 'package.json' \) -exec grep -ql '@sap/cds' {} \; -execdir bash -c "grep -q \"^\$(pwd)\(/\|$\)\" \"$response_file\"" \; -execdir bash -c "echo \"Installing @sap/cds-dk into \$(pwd) to enable CDS compilation.\"" \; -execdir npm install --silent @sap/cds-dk@8.6.1 \; -execdir npm install --silent \; # Use the npx command to dynamically install the cds development kit (@sap/cds-dk) package if necessary, # which then provides the cds command line tool in directories which are not covered by the package.json # install command approach above - cds_command="npx -y --package @sap/cds-dk cds" + cds_command="npx -y --package @sap/cds-dk@8.6.1 cds" else cds_command="cds" fi @@ -104,4 +104,4 @@ unset LGTM_INDEX_INCLUDE echo "Extracting the cds.json files" # Invoke the JavaScript autobuilder to index the .cds.json files only -"$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT"/tools/autobuild.sh \ No newline at end of file +"$CODEQL_EXTRACTOR_JAVASCRIPT_ROOT"/tools/autobuild.sh From e2f24723c0abb751e95b6d8d213a3101fbc7e14e Mon Sep 17 00:00:00 2001 From: Nathan Randall Date: Tue, 18 Feb 2025 18:22:47 -0700 Subject: [PATCH 14/15] Test fix for run-codeql-unit-tests-javascript.yml --- .github/workflows/run-codeql-unit-tests-javascript.yml | 7 ++++--- extractors/cds/tools/index-files.sh | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) 
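Review bot: The `-execdir npm install --silent \;` that follows the newly pinned `@sap/cds-dk@8.6.1` install still runs a full install of every `package.json` in the analyzed repository that mentions `@sap/cds`, which executes that project's and its dependencies' npm lifecycle scripts inside the extractor; pinning the compiler version does not change that. If `cds-dk` works without its install hooks, add `--ignore-scripts` to both `npm install` calls, or at least leave a comment stating that this step runs install scripts from the repository under analysis. The pin is a workaround for a compiler bug tracked in an internal issue, so record the exit condition at both occurrences, e.g. `# Pinned to 8.6.1 to work around a cds compiler bug (cap/issues#17840); drop the pin once fixed upstream`. The enclosing `if … then … else … fi` starts before this hunk.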
diff --git a/.github/workflows/run-codeql-unit-tests-javascript.yml b/.github/workflows/run-codeql-unit-tests-javascript.yml index 8a10d70b6..3a3ec23f5 100644 --- a/.github/workflows/run-codeql-unit-tests-javascript.yml +++ b/.github/workflows/run-codeql-unit-tests-javascript.yml @@ -81,7 +81,8 @@ jobs: run: | if ! command -v cds &> /dev/null then - npm install -g @sap/cds-dk + ## Workaround for https://github.tools.sap/cap/issues/issues/17840 + npm install -g @sap/cds-dk@8.6.1 fi # Compile .cds files to .cds.json files. @@ -97,8 +98,8 @@ jobs: echo "I am compiling $cds_file" cds compile $cds_file \ -2 json \ - -o "$cds_file.json" \ - --locations + --locations \ + > "$cds_file.json" 2> "$cds_file.err" done popd done diff --git a/extractors/cds/tools/index-files.sh b/extractors/cds/tools/index-files.sh index b7c1dc24a..7e8dde8e5 100755 --- a/extractors/cds/tools/index-files.sh +++ b/extractors/cds/tools/index-files.sh @@ -54,7 +54,7 @@ while IFS= read -r cds_file; do echo "Processing CDS file $cds_file to: $cds_file.json" # Avoid using the `-o` (or `--dest`) option as it sends output to a new directory, where we want to # output to a file in the same directory as the input file but with a .json extension. - if ! $cds_command compile "$cds_file" -2 json --locations --service all > "$cds_file.json" 2> "$cds_file.err" + if ! $cds_command compile "$cds_file" -2 json --locations > "$cds_file.json" 2> "$cds_file.err" then stderr_truncated=`grep "^\[ERROR\]" "$cds_file.err" | tail -n 4` error_message=$'Could not compile the file '"$cds_file"$'.\nReported error(s):\n```\n'"$stderr_truncated"$'\n```' From 30dcc10306881b9a238e3aa85b26373db4480b3d Mon Sep 17 00:00:00 2001 From: Jeongsoo Lee Date: Tue, 18 Feb 2025 17:41:07 -0800 Subject: [PATCH 15/15] Change .cds to .cds.json in sensitive-exposure.expected --- .../test/queries/sensitive-exposure/sensitive-exposure.expected | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
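Review bot: The new `> "$cds_file.json" 2> "$cds_file.err"` redirection in the workflow's compile loop sends all compiler diagnostics to a file nothing in the step reads, so a failing compile leaves an empty `.cds.json` with the reason hidden in `$cds_file.err`; whether the step even fails depends on the runner's default `-e` shell, which this hunk does not show. Make the failure explicit, e.g. append `|| { cat "$cds_file.err"; exit 1; }` after the redirections. `$cds_file` is unquoted in `cds compile $cds_file` while the redirections quote it; use `"$cds_file"` in both places so paths with spaces behave the same as in `index-files.sh`. The `for` loops and `pushd` that enclose this start before the hunk.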
diff --git a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected index fe9732794..0aeb08ed7 100644 --- a/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected +++ b/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.expected @@ -9,4 +9,4 @@ nodes edges | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | #select -| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds.json:9:17:13:9 | {\\n ... } | name | +| sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | sensitive-exposure.js:9:32:9:42 | Sample.name | Log entry depends on the $@ field which is annotated as potentially sensitive. | sensitive-exposure.cds:4:5:4:8 | {\\n ... } | name |