advanced-security
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml‎
Lines changed: 30 additions & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/codeql-pack.lock.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/qlpack.yml‎
Lines changed: 6 additions & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/qlpack.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json‎
Lines changed: 8 additions & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/.eslintrc.json‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/README.md‎
Lines changed: 9 additions & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/README.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.expected‎
Lines changed: 124 additions & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.expected‎
Lines changed: 124 additions & 0 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.ql‎
Lines changed: 31 additions & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.ql‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.qlref‎
Lines changed: 1 addition & 0 deletions b/‎javascript/frameworks/ui5-webcomponents/test/queries/xss-input-dangerouslySetInnerHTML/XssThroughDom.qlref‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,30 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/concepts:
+    version: 0.0.7
+  codeql/controlflow:
+    version: 2.0.17
+  codeql/dataflow:
+    version: 2.0.17
+  codeql/javascript-all:
+    version: 2.6.13
+  codeql/mad:
+    version: 1.0.33
+  codeql/regex:
+    version: 1.0.33
+  codeql/ssa:
+    version: 2.0.9
+  codeql/threat-models:
+    version: 1.0.33
+  codeql/tutorial:
+    version: 1.0.33
+  codeql/typetracking:
+    version: 2.0.17
+  codeql/util:
+    version: 2.0.20
+  codeql/xml:
+    version: 1.0.33
+  codeql/yaml:
+    version: 1.0.33
+compiled: false
@@ -0,0 +1,6 @@
+name: advanced-security/javascript-sap-ui5-webcomponents-for-react-test
+version: 2.3.0
+extractor: javascript
+dependencies:
+  codeql/javascript-all: "^2.4.0"
+  advanced-security/javascript-sap-ui5-all: "^2.3.0"
@@ -0,0 +1,8 @@
+{
+  "env": {
+    "browser": true,
+    "es6": true,
+    "node": true
+  },
+  "extends": "react-app"
+}
@@ -0,0 +1,9 @@
+# Minimal Demo Example of XSS in UI5-Webcomponents for React
+
+This is a minimal example to demonstrate how XSS might happen in an application written with [UI5-Webcomponents for React](https://ui5.github.io/webcomponents-react/).
+
+## Steps to trigger XSS
+
+1. `npm install` and `npm start`, navigate to `localhost:3000`
+2. Input `<img src="nonexistent.jpg" onerror="alert('xss')"/>` in the [`Input` component](https://ui5.github.io/webcomponents/components/Input/)
+
@@ -0,0 +1,124 @@
+edges
+| src/App.tsx:7:10:7:19 | inputValue | src/App.tsx:7:10:7:19 | inputValue | provenance |  |
+| src/App.tsx:7:10:7:19 | inputValue | src/App.tsx:537:46:537:55 | inputValue | provenance |  |
+| src/App.tsx:11:28:11:50 | inputRe ... ?.value | src/App.tsx:11:28:11:56 | inputRe ... e \|\| "" | provenance |  |
+| src/App.tsx:11:28:11:56 | inputRe ... e \|\| "" | src/App.tsx:7:10:7:19 | inputValue | provenance |  |
+| src/App.tsx:23:10:23:22 | textAreaValue | src/App.tsx:23:10:23:22 | textAreaValue | provenance |  |
+| src/App.tsx:23:10:23:22 | textAreaValue | src/App.tsx:538:46:538:58 | textAreaValue | provenance |  |
+| src/App.tsx:27:31:27:56 | textAre ... ?.value | src/App.tsx:27:31:27:62 | textAre ... e \|\| "" | provenance |  |
+| src/App.tsx:27:31:27:62 | textAre ... e \|\| "" | src/App.tsx:23:10:23:22 | textAreaValue | provenance |  |
+| src/App.tsx:39:10:39:20 | searchValue | src/App.tsx:39:10:39:20 | searchValue | provenance |  |
+| src/App.tsx:39:10:39:20 | searchValue | src/App.tsx:539:46:539:56 | searchValue | provenance |  |
+| src/App.tsx:43:29:43:52 | searchR ... ?.value | src/App.tsx:43:29:43:58 | searchR ... e \|\| "" | provenance |  |
+| src/App.tsx:43:29:43:58 | searchR ... e \|\| "" | src/App.tsx:39:10:39:20 | searchValue | provenance |  |
+| src/App.tsx:55:10:55:28 | shellBarSearchValue | src/App.tsx:55:10:55:28 | shellBarSearchValue | provenance |  |
+| src/App.tsx:55:10:55:28 | shellBarSearchValue | src/App.tsx:540:46:540:64 | shellBarSearchValue | provenance |  |
+| src/App.tsx:59:37:59:68 | shellBa ... ?.value | src/App.tsx:59:37:59:74 | shellBa ... e \|\| "" | provenance |  |
+| src/App.tsx:59:37:59:74 | shellBa ... e \|\| "" | src/App.tsx:55:10:55:28 | shellBarSearchValue | provenance |  |
+| src/App.tsx:71:10:71:22 | comboBoxValue | src/App.tsx:71:10:71:22 | comboBoxValue | provenance |  |
+| src/App.tsx:71:10:71:22 | comboBoxValue | src/App.tsx:541:46:541:58 | comboBoxValue | provenance |  |
+| src/App.tsx:75:31:75:56 | comboBo ... ?.value | src/App.tsx:75:31:75:62 | comboBo ... e \|\| "" | provenance |  |
+| src/App.tsx:75:31:75:62 | comboBo ... e \|\| "" | src/App.tsx:71:10:71:22 | comboBoxValue | provenance |  |
+| src/App.tsx:87:10:87:27 | multiComboBoxValue | src/App.tsx:87:10:87:27 | multiComboBoxValue | provenance |  |
+| src/App.tsx:87:10:87:27 | multiComboBoxValue | src/App.tsx:542:46:542:63 | multiComboBoxValue | provenance |  |
+| src/App.tsx:91:36:91:66 | multiCo ... ?.value | src/App.tsx:91:36:91:72 | multiCo ... e \|\| "" | provenance |  |
+| src/App.tsx:91:36:91:72 | multiCo ... e \|\| "" | src/App.tsx:87:10:87:27 | multiComboBoxValue | provenance |  |
+| src/App.tsx:119:10:119:24 | datePickerValue | src/App.tsx:119:10:119:24 | datePickerValue | provenance |  |
+| src/App.tsx:119:10:119:24 | datePickerValue | src/App.tsx:544:46:544:60 | datePickerValue | provenance |  |
+| src/App.tsx:123:33:123:60 | datePic ... ?.value | src/App.tsx:123:33:123:66 | datePic ... e \|\| "" | provenance |  |
+| src/App.tsx:123:33:123:66 | datePic ... e \|\| "" | src/App.tsx:119:10:119:24 | datePickerValue | provenance |  |
+| src/App.tsx:135:10:135:29 | dateRangePickerValue | src/App.tsx:135:10:135:29 | dateRangePickerValue | provenance |  |
+| src/App.tsx:135:10:135:29 | dateRangePickerValue | src/App.tsx:545:46:545:65 | dateRangePickerValue | provenance |  |
+| src/App.tsx:139:38:139:70 | dateRan ... ?.value | src/App.tsx:139:38:139:76 | dateRan ... e \|\| "" | provenance |  |
+| src/App.tsx:139:38:139:76 | dateRan ... e \|\| "" | src/App.tsx:135:10:135:29 | dateRangePickerValue | provenance |  |
+| src/App.tsx:151:10:151:28 | dateTimePickerValue | src/App.tsx:151:10:151:28 | dateTimePickerValue | provenance |  |
+| src/App.tsx:151:10:151:28 | dateTimePickerValue | src/App.tsx:546:46:546:64 | dateTimePickerValue | provenance |  |
+| src/App.tsx:155:37:155:68 | dateTim ... ?.value | src/App.tsx:155:37:155:74 | dateTim ... e \|\| "" | provenance |  |
+| src/App.tsx:155:37:155:74 | dateTim ... e \|\| "" | src/App.tsx:151:10:151:28 | dateTimePickerValue | provenance |  |
+| src/App.tsx:167:10:167:24 | timePickerValue | src/App.tsx:167:10:167:24 | timePickerValue | provenance |  |
+| src/App.tsx:167:10:167:24 | timePickerValue | src/App.tsx:547:46:547:60 | timePickerValue | provenance |  |
+| src/App.tsx:171:33:171:60 | timePic ... ?.value | src/App.tsx:171:33:171:66 | timePic ... e \|\| "" | provenance |  |
+| src/App.tsx:171:33:171:66 | timePic ... e \|\| "" | src/App.tsx:167:10:167:24 | timePickerValue | provenance |  |
+| src/App.tsx:295:10:295:20 | optionValue | src/App.tsx:295:10:295:20 | optionValue | provenance |  |
+| src/App.tsx:295:10:295:20 | optionValue | src/App.tsx:555:46:555:56 | optionValue | provenance |  |
+| src/App.tsx:299:29:299:52 | optionR ... ?.value | src/App.tsx:299:29:299:58 | optionR ... e \|\| "" | provenance |  |
+| src/App.tsx:299:29:299:58 | optionR ... e \|\| "" | src/App.tsx:295:10:295:20 | optionValue | provenance |  |
+| src/App.tsx:311:10:311:26 | optionCustomValue | src/App.tsx:311:10:311:26 | optionCustomValue | provenance |  |
+| src/App.tsx:311:10:311:26 | optionCustomValue | src/App.tsx:556:46:556:62 | optionCustomValue | provenance |  |
+| src/App.tsx:315:35:315:64 | optionC ... ?.value | src/App.tsx:315:35:315:70 | optionC ... e \|\| "" | provenance |  |
+| src/App.tsx:315:35:315:70 | optionC ... e \|\| "" | src/App.tsx:311:10:311:26 | optionCustomValue | provenance |  |
+nodes
+| src/App.tsx:7:10:7:19 | inputValue | semmle.label | inputValue |
+| src/App.tsx:7:10:7:19 | inputValue | semmle.label | inputValue |
+| src/App.tsx:11:28:11:50 | inputRe ... ?.value | semmle.label | inputRe ... ?.value |
+| src/App.tsx:11:28:11:56 | inputRe ... e \|\| "" | semmle.label | inputRe ... e \|\| "" |
+| src/App.tsx:23:10:23:22 | textAreaValue | semmle.label | textAreaValue |
+| src/App.tsx:23:10:23:22 | textAreaValue | semmle.label | textAreaValue |
+| src/App.tsx:27:31:27:56 | textAre ... ?.value | semmle.label | textAre ... ?.value |
+| src/App.tsx:27:31:27:62 | textAre ... e \|\| "" | semmle.label | textAre ... e \|\| "" |
+| src/App.tsx:39:10:39:20 | searchValue | semmle.label | searchValue |
+| src/App.tsx:39:10:39:20 | searchValue | semmle.label | searchValue |
+| src/App.tsx:43:29:43:52 | searchR ... ?.value | semmle.label | searchR ... ?.value |
+| src/App.tsx:43:29:43:58 | searchR ... e \|\| "" | semmle.label | searchR ... e \|\| "" |
+| src/App.tsx:55:10:55:28 | shellBarSearchValue | semmle.label | shellBarSearchValue |
+| src/App.tsx:55:10:55:28 | shellBarSearchValue | semmle.label | shellBarSearchValue |
+| src/App.tsx:59:37:59:68 | shellBa ... ?.value | semmle.label | shellBa ... ?.value |
+| src/App.tsx:59:37:59:74 | shellBa ... e \|\| "" | semmle.label | shellBa ... e \|\| "" |
+| src/App.tsx:71:10:71:22 | comboBoxValue | semmle.label | comboBoxValue |
+| src/App.tsx:71:10:71:22 | comboBoxValue | semmle.label | comboBoxValue |
+| src/App.tsx:75:31:75:56 | comboBo ... ?.value | semmle.label | comboBo ... ?.value |
+| src/App.tsx:75:31:75:62 | comboBo ... e \|\| "" | semmle.label | comboBo ... e \|\| "" |
+| src/App.tsx:87:10:87:27 | multiComboBoxValue | semmle.label | multiComboBoxValue |
+| src/App.tsx:87:10:87:27 | multiComboBoxValue | semmle.label | multiComboBoxValue |
+| src/App.tsx:91:36:91:66 | multiCo ... ?.value | semmle.label | multiCo ... ?.value |
+| src/App.tsx:91:36:91:72 | multiCo ... e \|\| "" | semmle.label | multiCo ... e \|\| "" |
+| src/App.tsx:119:10:119:24 | datePickerValue | semmle.label | datePickerValue |
+| src/App.tsx:119:10:119:24 | datePickerValue | semmle.label | datePickerValue |
+| src/App.tsx:123:33:123:60 | datePic ... ?.value | semmle.label | datePic ... ?.value |
+| src/App.tsx:123:33:123:66 | datePic ... e \|\| "" | semmle.label | datePic ... e \|\| "" |
+| src/App.tsx:135:10:135:29 | dateRangePickerValue | semmle.label | dateRangePickerValue |
+| src/App.tsx:135:10:135:29 | dateRangePickerValue | semmle.label | dateRangePickerValue |
+| src/App.tsx:139:38:139:70 | dateRan ... ?.value | semmle.label | dateRan ... ?.value |
+| src/App.tsx:139:38:139:76 | dateRan ... e \|\| "" | semmle.label | dateRan ... e \|\| "" |
+| src/App.tsx:151:10:151:28 | dateTimePickerValue | semmle.label | dateTimePickerValue |
+| src/App.tsx:151:10:151:28 | dateTimePickerValue | semmle.label | dateTimePickerValue |
+| src/App.tsx:155:37:155:68 | dateTim ... ?.value | semmle.label | dateTim ... ?.value |
+| src/App.tsx:155:37:155:74 | dateTim ... e \|\| "" | semmle.label | dateTim ... e \|\| "" |
+| src/App.tsx:167:10:167:24 | timePickerValue | semmle.label | timePickerValue |
+| src/App.tsx:167:10:167:24 | timePickerValue | semmle.label | timePickerValue |
+| src/App.tsx:171:33:171:60 | timePic ... ?.value | semmle.label | timePic ... ?.value |
+| src/App.tsx:171:33:171:66 | timePic ... e \|\| "" | semmle.label | timePic ... e \|\| "" |
+| src/App.tsx:295:10:295:20 | optionValue | semmle.label | optionValue |
+| src/App.tsx:295:10:295:20 | optionValue | semmle.label | optionValue |
+| src/App.tsx:299:29:299:52 | optionR ... ?.value | semmle.label | optionR ... ?.value |
+| src/App.tsx:299:29:299:58 | optionR ... e \|\| "" | semmle.label | optionR ... e \|\| "" |
+| src/App.tsx:311:10:311:26 | optionCustomValue | semmle.label | optionCustomValue |
+| src/App.tsx:311:10:311:26 | optionCustomValue | semmle.label | optionCustomValue |
+| src/App.tsx:315:35:315:64 | optionC ... ?.value | semmle.label | optionC ... ?.value |
+| src/App.tsx:315:35:315:70 | optionC ... e \|\| "" | semmle.label | optionC ... e \|\| "" |
+| src/App.tsx:537:46:537:55 | inputValue | semmle.label | inputValue |
+| src/App.tsx:538:46:538:58 | textAreaValue | semmle.label | textAreaValue |
+| src/App.tsx:539:46:539:56 | searchValue | semmle.label | searchValue |
+| src/App.tsx:540:46:540:64 | shellBarSearchValue | semmle.label | shellBarSearchValue |
+| src/App.tsx:541:46:541:58 | comboBoxValue | semmle.label | comboBoxValue |
+| src/App.tsx:542:46:542:63 | multiComboBoxValue | semmle.label | multiComboBoxValue |
+| src/App.tsx:544:46:544:60 | datePickerValue | semmle.label | datePickerValue |
+| src/App.tsx:545:46:545:65 | dateRangePickerValue | semmle.label | dateRangePickerValue |
+| src/App.tsx:546:46:546:64 | dateTimePickerValue | semmle.label | dateTimePickerValue |
+| src/App.tsx:547:46:547:60 | timePickerValue | semmle.label | timePickerValue |
+| src/App.tsx:555:46:555:56 | optionValue | semmle.label | optionValue |
+| src/App.tsx:556:46:556:62 | optionCustomValue | semmle.label | optionCustomValue |
+subpaths
+#select
+| src/App.tsx:537:46:537:55 | inputValue | src/App.tsx:11:28:11:50 | inputRe ... ?.value | src/App.tsx:537:46:537:55 | inputValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:11:28:11:50 | inputRe ... ?.value | DOM text |
+| src/App.tsx:538:46:538:58 | textAreaValue | src/App.tsx:27:31:27:56 | textAre ... ?.value | src/App.tsx:538:46:538:58 | textAreaValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:27:31:27:56 | textAre ... ?.value | DOM text |
+| src/App.tsx:539:46:539:56 | searchValue | src/App.tsx:43:29:43:52 | searchR ... ?.value | src/App.tsx:539:46:539:56 | searchValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:43:29:43:52 | searchR ... ?.value | DOM text |
+| src/App.tsx:540:46:540:64 | shellBarSearchValue | src/App.tsx:59:37:59:68 | shellBa ... ?.value | src/App.tsx:540:46:540:64 | shellBarSearchValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:59:37:59:68 | shellBa ... ?.value | DOM text |
+| src/App.tsx:541:46:541:58 | comboBoxValue | src/App.tsx:75:31:75:56 | comboBo ... ?.value | src/App.tsx:541:46:541:58 | comboBoxValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:75:31:75:56 | comboBo ... ?.value | DOM text |
+| src/App.tsx:542:46:542:63 | multiComboBoxValue | src/App.tsx:91:36:91:66 | multiCo ... ?.value | src/App.tsx:542:46:542:63 | multiComboBoxValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:91:36:91:66 | multiCo ... ?.value | DOM text |
+| src/App.tsx:544:46:544:60 | datePickerValue | src/App.tsx:123:33:123:60 | datePic ... ?.value | src/App.tsx:544:46:544:60 | datePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:123:33:123:60 | datePic ... ?.value | DOM text |
+| src/App.tsx:545:46:545:65 | dateRangePickerValue | src/App.tsx:139:38:139:70 | dateRan ... ?.value | src/App.tsx:545:46:545:65 | dateRangePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:139:38:139:70 | dateRan ... ?.value | DOM text |
+| src/App.tsx:546:46:546:64 | dateTimePickerValue | src/App.tsx:155:37:155:68 | dateTim ... ?.value | src/App.tsx:546:46:546:64 | dateTimePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:155:37:155:68 | dateTim ... ?.value | DOM text |
+| src/App.tsx:547:46:547:60 | timePickerValue | src/App.tsx:171:33:171:60 | timePic ... ?.value | src/App.tsx:547:46:547:60 | timePickerValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:171:33:171:60 | timePic ... ?.value | DOM text |
+| src/App.tsx:555:46:555:56 | optionValue | src/App.tsx:299:29:299:52 | optionR ... ?.value | src/App.tsx:555:46:555:56 | optionValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:299:29:299:52 | optionR ... ?.value | DOM text |
+| src/App.tsx:556:46:556:62 | optionCustomValue | src/App.tsx:315:35:315:64 | optionC ... ?.value | src/App.tsx:556:46:556:62 | optionCustomValue | $@ is reinterpreted as HTML without escaping meta-characters. | src/App.tsx:315:35:315:64 | optionC ... ?.value | DOM text |
@@ -0,0 +1,31 @@
+/**
+ * @name DOM text reinterpreted as HTML
+ * @description Reinterpreting text from the DOM as HTML
+ *              can lead to a cross-site scripting vulnerability.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 6.1
+ * @precision high
+ * @id js/xss-through-dom
+ * @tags security
+ *       external/cwe/cwe-079
+ *       external/cwe/cwe-116
+ */
+
+/*
+ * This file is an exact copy of - https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-079/XssThroughDom.ql
+ * replicated at commit sha: 7b6720c , included for testing purposes only.
+ * Its purpose is to test the use of customizations to filter results via the sanitizers.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.XssThroughDomQuery
+import XssThroughDomFlow::PathGraph
+import advanced_security.javascript_sap_ui5_all.Customizations
+
+from XssThroughDomFlow::PathNode source, XssThroughDomFlow::PathNode sink
+where
+  XssThroughDomFlow::flowPath(source, sink) and
+  not isIgnoredSourceSinkPair(source.getNode(), sink.getNode())
+select sink.getNode(), source, sink,
+  "$@ is reinterpreted as HTML without escaping meta-characters.", source.getNode(), "DOM text"
@@ -0,0 +1 @@
+XssThroughDom.ql