Final draft

jeongsoolee09 · jeongsoolee09 · commit b05963e2fd49 · 2025-12-12T15:32:23.000-05:00
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -99,6 +99,8 @@ extensions:
       - ["CustomControllerGetOwnerComponentEventBusSubscriptionHandlerDataParameter", "CustomControllerGetOwnerComponentEventBusSubscribe", "Argument[2].Parameter[2]"]
       - ["CustomComponent", "Component", "Member[extend]"]
       - ["CustomRenderer", "Renderer", "Member[extend]"]
+      - ["ViewReference", "CustomController", "Member[getView].ReturnValue"]
+      - ["ControlReference", "ViewReference", "Member[byId].ReturnValue"]
 
   - addsTo:
       pack: codeql/javascript-all
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -343,16 +343,20 @@ class ControlReference extends Reference {
   string controlId;
 
   ControlReference() {
-    this.getArgument(0).getALocalSource().getStringValue() = controlId and
-    (
-      exists(CustomController controller |
-        this = controller.getAViewReference().getAMemberCall("byId") or
-        this = controller.getAThisNode().getAMemberCall("byId")
-      )
-      or
-      exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
-    )
-  }
+    this.getArgument(0).getALocalSource().getStringValue() = controlId
+    /*
+     *  and
+     *  (
+     *    exists(CustomController controller |
+     *      this = controller.getAViewReference().getAMemberCall("byId") or
+     *      this = controller.getAThisNode().getAMemberCall("byId")
+     *    )
+     *    or
+     *    exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
+     *  )
+     */
+
+    }
 
   CustomControl getDefinition() {
     exists(UI5Control controlDeclaration |
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -916,3 +916,30 @@ class UI5Handler extends FunctionNode {
 
   UI5Control getControl() { result = control }
 }
+
+/**
+ * Models controller references in event handlers as types
+ */
+overlay[local?]
+class ControlTypeInHandlerModel extends ModelInput::TypeModel {
+  override DataFlow::CallNode getASource(string type) {
+    // oEvent.getSource() is of the type of the Control calling the handler
+    // exists(UI5Handler h |
+    //   type = h.getControl().getImportPath() and
+    //   result.getCalleeName() = "getSource" and
+    //   result.getReceiver().getALocalSource() = h.getParameter(0)
+    // )
+    // or
+    // this.getView().byId("id") is of the type of the Control with id="id"
+    exists(UI5Control c |
+      type = c.getImportPath() and
+      result = c.getAReference()
+    )
+  }
+
+  /**
+   * Prevents model pruning for `ControlType`types
+   */
+  bindingset[type]
+  override predicate isTypeUsed(string type) { any() }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.expected
@@ -1,25 +1,105 @@
 nodes
-| webapp/controller/app.controller.js:26:11:26:15 | value |
-| webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() |
-| webapp/controller/app.controller.js:27:45:27:62 | { message: value } |
-| webapp/controller/app.controller.js:27:56:27:60 | value |
-| webapp/controller/app.controller.js:30:34:30:38 | model |
-| webapp/controller/app.controller.js:32:30:32:34 | model |
-| webapp/controller/app.controller.js:32:30:32:42 | model.message |
-| webapp/view/app.view.xml:5:3:8:29 | value={/input} |
-| webapp/view/app.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App1.controller.js:26:11:26:15 | value |
+| webapp/controller/App1.controller.js:26:19:26:35 | oInput.getValue() |
+| webapp/controller/App1.controller.js:27:45:27:62 | { message: value } |
+| webapp/controller/App1.controller.js:27:56:27:60 | value |
+| webapp/controller/App1.controller.js:30:34:30:38 | model |
+| webapp/controller/App1.controller.js:32:30:32:34 | model |
+| webapp/controller/App1.controller.js:32:30:32:42 | model.message |
+| webapp/controller/App2.controller.js:26:11:26:15 | value |
+| webapp/controller/App2.controller.js:26:19:26:35 | oInput.getValue() |
+| webapp/controller/App2.controller.js:27:45:27:62 | { message: value } |
+| webapp/controller/App2.controller.js:27:56:27:60 | value |
+| webapp/controller/App2.controller.js:30:34:30:38 | model |
+| webapp/controller/App2.controller.js:32:30:32:34 | model |
+| webapp/controller/App2.controller.js:32:30:32:42 | model.message |
+| webapp/controller/App3.controller.js:25:11:25:15 | value |
+| webapp/controller/App3.controller.js:25:19:25:35 | oInput.getValue() |
+| webapp/controller/App3.controller.js:26:45:26:62 | { message: value } |
+| webapp/controller/App3.controller.js:26:56:26:60 | value |
+| webapp/controller/App4.controller.js:24:34:24:38 | model |
+| webapp/controller/App4.controller.js:26:30:26:34 | model |
+| webapp/controller/App4.controller.js:26:30:26:42 | model.message |
+| webapp/view/App1.view.xml:5:3:8:29 | value={/input} |
+| webapp/view/App1.view.xml:11:3:12:37 | content={/output1} |
+| webapp/view/App2.view.xml:5:3:8:29 | value={/input} |
+| webapp/view/App2.view.xml:11:3:12:37 | content={/output1} |
+| webapp/view/App3.view.xml:5:3:8:29 | value={/input} |
+| webapp/view/App4.view.xml:5:3:6:37 | content={/output1} |
 edges
-| webapp/controller/app.controller.js:15:9:15:19 | input: null | webapp/view/app.view.xml:5:3:8:29 | value={/input} |
-| webapp/controller/app.controller.js:16:9:16:21 | output1: null | webapp/view/app.view.xml:11:3:12:37 | content={/output1} |
-| webapp/controller/app.controller.js:18:20:18:39 | new JSONModel(oData) | webapp/view/app.view.xml:11:3:12:37 | content={/output1} |
-| webapp/controller/app.controller.js:26:11:26:15 | value | webapp/controller/app.controller.js:27:56:27:60 | value |
-| webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/app.controller.js:26:11:26:15 | value |
-| webapp/controller/app.controller.js:27:45:27:62 | { message: value } | webapp/controller/app.controller.js:30:34:30:38 | model |
-| webapp/controller/app.controller.js:27:56:27:60 | value | webapp/controller/app.controller.js:27:45:27:62 | { message: value } |
-| webapp/controller/app.controller.js:30:34:30:38 | model | webapp/controller/app.controller.js:32:30:32:34 | model |
-| webapp/controller/app.controller.js:32:30:32:34 | model | webapp/controller/app.controller.js:32:30:32:42 | model.message |
-| webapp/view/app.view.xml:5:3:8:29 | value={/input} | webapp/controller/app.controller.js:15:9:15:19 | input: null |
-| webapp/view/app.view.xml:5:3:8:29 | value={/input} | webapp/controller/app.controller.js:18:20:18:39 | new JSONModel(oData) |
-| webapp/view/app.view.xml:11:3:12:37 | content={/output1} | webapp/controller/app.controller.js:16:9:16:21 | output1: null |
+| webapp/controller/App1.controller.js:15:9:15:19 | input: null | webapp/view/App1.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App1.controller.js:15:9:15:19 | input: null | webapp/view/App2.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App1.controller.js:15:9:15:19 | input: null | webapp/view/App3.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App1.controller.js:16:9:16:21 | output1: null | webapp/view/App1.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App1.controller.js:16:9:16:21 | output1: null | webapp/view/App2.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App1.controller.js:16:9:16:21 | output1: null | webapp/view/App4.view.xml:5:3:6:37 | content={/output1} |
+| webapp/controller/App1.controller.js:18:20:18:39 | new JSONModel(oData) | webapp/view/App1.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App1.controller.js:26:11:26:15 | value | webapp/controller/App1.controller.js:27:56:27:60 | value |
+| webapp/controller/App1.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/App1.controller.js:26:11:26:15 | value |
+| webapp/controller/App1.controller.js:27:45:27:62 | { message: value } | webapp/controller/App1.controller.js:30:34:30:38 | model |
+| webapp/controller/App1.controller.js:27:56:27:60 | value | webapp/controller/App1.controller.js:27:45:27:62 | { message: value } |
+| webapp/controller/App1.controller.js:30:34:30:38 | model | webapp/controller/App1.controller.js:32:30:32:34 | model |
+| webapp/controller/App1.controller.js:32:30:32:34 | model | webapp/controller/App1.controller.js:32:30:32:42 | model.message |
+| webapp/controller/App2.controller.js:15:9:15:19 | input: null | webapp/view/App1.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App2.controller.js:15:9:15:19 | input: null | webapp/view/App2.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App2.controller.js:15:9:15:19 | input: null | webapp/view/App3.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App2.controller.js:16:9:16:21 | output1: null | webapp/view/App1.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App2.controller.js:16:9:16:21 | output1: null | webapp/view/App2.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App2.controller.js:16:9:16:21 | output1: null | webapp/view/App4.view.xml:5:3:6:37 | content={/output1} |
+| webapp/controller/App2.controller.js:18:20:18:39 | new JSONModel(oData) | webapp/view/App2.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App2.controller.js:26:11:26:15 | value | webapp/controller/App2.controller.js:27:56:27:60 | value |
+| webapp/controller/App2.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/App2.controller.js:26:11:26:15 | value |
+| webapp/controller/App2.controller.js:27:45:27:62 | { message: value } | webapp/controller/App2.controller.js:30:34:30:38 | model |
+| webapp/controller/App2.controller.js:27:56:27:60 | value | webapp/controller/App2.controller.js:27:45:27:62 | { message: value } |
+| webapp/controller/App2.controller.js:30:34:30:38 | model | webapp/controller/App2.controller.js:32:30:32:34 | model |
+| webapp/controller/App2.controller.js:32:30:32:34 | model | webapp/controller/App2.controller.js:32:30:32:42 | model.message |
+| webapp/controller/App3.controller.js:15:9:15:19 | input: null | webapp/view/App1.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App3.controller.js:15:9:15:19 | input: null | webapp/view/App2.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App3.controller.js:15:9:15:19 | input: null | webapp/view/App3.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App3.controller.js:16:9:16:21 | output1: null | webapp/view/App1.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App3.controller.js:16:9:16:21 | output1: null | webapp/view/App2.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App3.controller.js:16:9:16:21 | output1: null | webapp/view/App4.view.xml:5:3:6:37 | content={/output1} |
+| webapp/controller/App3.controller.js:25:11:25:15 | value | webapp/controller/App3.controller.js:26:56:26:60 | value |
+| webapp/controller/App3.controller.js:25:19:25:35 | oInput.getValue() | webapp/controller/App3.controller.js:25:11:25:15 | value |
+| webapp/controller/App3.controller.js:26:45:26:62 | { message: value } | webapp/controller/App4.controller.js:24:34:24:38 | model |
+| webapp/controller/App3.controller.js:26:56:26:60 | value | webapp/controller/App3.controller.js:26:45:26:62 | { message: value } |
+| webapp/controller/App4.controller.js:15:9:15:19 | input: null | webapp/view/App1.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App4.controller.js:15:9:15:19 | input: null | webapp/view/App2.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App4.controller.js:15:9:15:19 | input: null | webapp/view/App3.view.xml:5:3:8:29 | value={/input} |
+| webapp/controller/App4.controller.js:16:9:16:21 | output1: null | webapp/view/App1.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App4.controller.js:16:9:16:21 | output1: null | webapp/view/App2.view.xml:11:3:12:37 | content={/output1} |
+| webapp/controller/App4.controller.js:16:9:16:21 | output1: null | webapp/view/App4.view.xml:5:3:6:37 | content={/output1} |
+| webapp/controller/App4.controller.js:18:20:18:39 | new JSONModel(oData) | webapp/view/App4.view.xml:5:3:6:37 | content={/output1} |
+| webapp/controller/App4.controller.js:24:34:24:38 | model | webapp/controller/App4.controller.js:26:30:26:34 | model |
+| webapp/controller/App4.controller.js:26:30:26:34 | model | webapp/controller/App4.controller.js:26:30:26:42 | model.message |
+| webapp/view/App1.view.xml:5:3:8:29 | value={/input} | webapp/controller/App1.controller.js:15:9:15:19 | input: null |
+| webapp/view/App1.view.xml:5:3:8:29 | value={/input} | webapp/controller/App1.controller.js:18:20:18:39 | new JSONModel(oData) |
+| webapp/view/App1.view.xml:5:3:8:29 | value={/input} | webapp/controller/App2.controller.js:15:9:15:19 | input: null |
+| webapp/view/App1.view.xml:5:3:8:29 | value={/input} | webapp/controller/App3.controller.js:15:9:15:19 | input: null |
+| webapp/view/App1.view.xml:5:3:8:29 | value={/input} | webapp/controller/App4.controller.js:15:9:15:19 | input: null |
+| webapp/view/App1.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App1.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App1.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App2.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App1.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App3.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App1.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App4.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App2.view.xml:5:3:8:29 | value={/input} | webapp/controller/App1.controller.js:15:9:15:19 | input: null |
+| webapp/view/App2.view.xml:5:3:8:29 | value={/input} | webapp/controller/App2.controller.js:15:9:15:19 | input: null |
+| webapp/view/App2.view.xml:5:3:8:29 | value={/input} | webapp/controller/App2.controller.js:18:20:18:39 | new JSONModel(oData) |
+| webapp/view/App2.view.xml:5:3:8:29 | value={/input} | webapp/controller/App3.controller.js:15:9:15:19 | input: null |
+| webapp/view/App2.view.xml:5:3:8:29 | value={/input} | webapp/controller/App4.controller.js:15:9:15:19 | input: null |
+| webapp/view/App2.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App1.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App2.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App2.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App2.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App3.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App2.view.xml:11:3:12:37 | content={/output1} | webapp/controller/App4.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App3.view.xml:5:3:8:29 | value={/input} | webapp/controller/App1.controller.js:15:9:15:19 | input: null |
+| webapp/view/App3.view.xml:5:3:8:29 | value={/input} | webapp/controller/App2.controller.js:15:9:15:19 | input: null |
+| webapp/view/App3.view.xml:5:3:8:29 | value={/input} | webapp/controller/App3.controller.js:15:9:15:19 | input: null |
+| webapp/view/App3.view.xml:5:3:8:29 | value={/input} | webapp/controller/App3.controller.js:18:20:18:39 | new JSONModel(oData) |
+| webapp/view/App3.view.xml:5:3:8:29 | value={/input} | webapp/controller/App4.controller.js:15:9:15:19 | input: null |
+| webapp/view/App4.view.xml:5:3:6:37 | content={/output1} | webapp/controller/App1.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App4.view.xml:5:3:6:37 | content={/output1} | webapp/controller/App2.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App4.view.xml:5:3:6:37 | content={/output1} | webapp/controller/App3.controller.js:16:9:16:21 | output1: null |
+| webapp/view/App4.view.xml:5:3:6:37 | content={/output1} | webapp/controller/App4.controller.js:16:9:16:21 | output1: null |
 #select
-| webapp/controller/app.controller.js:32:30:32:42 | model.message | webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/app.controller.js:32:30:32:42 | model.message | XSS vulnerability due to $@. | webapp/controller/app.controller.js:26:19:26:35 | oInput.getValue() | user-provided value |
+| webapp/controller/App1.controller.js:32:30:32:42 | model.message | webapp/controller/App1.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/App1.controller.js:32:30:32:42 | model.message | XSS vulnerability due to $@. | webapp/controller/App1.controller.js:26:19:26:35 | oInput.getValue() | user-provided value |
+| webapp/controller/App2.controller.js:32:30:32:42 | model.message | webapp/controller/App2.controller.js:26:19:26:35 | oInput.getValue() | webapp/controller/App2.controller.js:32:30:32:42 | model.message | XSS vulnerability due to $@. | webapp/controller/App2.controller.js:26:19:26:35 | oInput.getValue() | user-provided value |
+| webapp/controller/App4.controller.js:26:30:26:42 | model.message | webapp/controller/App3.controller.js:25:19:25:35 | oInput.getValue() | webapp/controller/App4.controller.js:26:30:26:42 | model.message | XSS vulnerability due to $@. | webapp/controller/App3.controller.js:25:19:25:35 | oInput.getValue() | user-provided value |
