Support instantiated controls via NewNode

A TODO is to model `placeAt` and the DOM hierarchy
between instantiated controls.

Author: jeongsoolee09

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -15,9 +15,9 @@ extensions:
       - ["RenderManager", "Renderer", "Member[render].Parameter[0]"]
       - ["Patcher", "Patcher", "Instance"]
       - ["Patcher", "sap/ui/core/Patcher", ""]
-      - ["HTMLControl", "HTMLControl", "Instance"]
-      - ["HTMLControl", "sap/ui/core/HTML", ""]
-      - ["HTMLControl", "global", "Member[sap].Member[ui].Member[core].Member[HTML]"]
+      - ["UI5HTMLControl", "UI5HTMLControl", "Instance"]
+      - ["UI5HTMLControl", "sap/ui/core/HTML", ""]
+      - ["UI5HTMLControl", "global", "Member[sap].Member[ui].Member[core].Member[HTML]"]
       - ["Assert", "global", "Member[sap].Member[base].Member[assert]"]
       - ["Assert", "global", "Member[jQuery].Member[sap].Member[assert]"]
       - ["SapLogger", "sap/base/Log", ""]
@@ -41,21 +41,21 @@ extensions:
       - ["SapUIDom", "sap/ui/dom", ""]
       - ["SapUIDom", "global", "Member[sap].Member[ui].Member[dom]"]
       # model Controls inheritance
-      - ["UI5Control", "UI5Control", "Instance"]
-      - ["UI5Control", "sap/m/InputBase", ""]
-      - ["UI5Control", "sap/m/Input", ""]
-      - ["UI5Control", "sap/ui/webc/main/Input", ""]
-      - ["UI5Control", "sap/ui/commons/TextField", ""]
-      - ["UI5Control", "sap/m/ComboBoxTextField", ""]
-      - ["UI5Control", "sap/m/MaskEnabler", ""]
-      - ["UI5Control", "sap/m/MaskInput", ""]
-      - ["UI5Control", "sap/m/TextArea", ""]
-      - ["UI5Control", "sap/m/ComboBoxBase", ""]
-      - ["UI5Control", "sap/m/MultiInput", ""]
-      - ["UI5Control", "sap/ui/webc/main/MultiInput", ""]
-      - ["UI5Control", "sap/m/SearchField", ""]
-      - ["UI5Control", "sap/m/FeedInput", ""]
-      - ["UI5Control", "sap/ui/richtexteditor/RichTextEditor", ""]
+      - ["UI5InputControl", "UI5InputControl", "Instance"]
+      - ["UI5InputControl", "sap/m/InputBase", ""]
+      - ["UI5InputControl", "sap/m/Input", ""]
+      - ["UI5InputControl", "sap/ui/webc/main/Input", ""]
+      - ["UI5InputControl", "sap/ui/commons/TextField", ""]
+      - ["UI5InputControl", "sap/m/ComboBoxTextField", ""]
+      - ["UI5InputControl", "sap/m/MaskEnabler", ""]
+      - ["UI5InputControl", "sap/m/MaskInput", ""]
+      - ["UI5InputControl", "sap/m/TextArea", ""]
+      - ["UI5InputControl", "sap/m/ComboBoxBase", ""]
+      - ["UI5InputControl", "sap/m/MultiInput", ""]
+      - ["UI5InputControl", "sap/ui/webc/main/MultiInput", ""]
+      - ["UI5InputControl", "sap/m/SearchField", ""]
+      - ["UI5InputControl", "sap/m/FeedInput", ""]
+      - ["UI5InputControl", "sap/ui/richtexteditor/RichTextEditor", ""]
       - ["UI5CodeEditor", "UI5CodeEditor", "Instance"]
       - ["UI5CodeEditor", "sap/ui/codeeditor/CodeEditor", ""]
       # Classes that provide Path injection APIs
@@ -69,8 +69,8 @@ extensions:
       pack: codeql/javascript-all
       extensible: "sourceModel"
     data:
-      - ["UI5Control", "Member[value]", "remote"]
-      - ["UI5Control", "Member[getValue].ReturnValue", "remote"]
+      - ["UI5InputControl", "Member[value]", "remote"]
+      - ["UI5InputControl", "Member[getValue].ReturnValue", "remote"]
       - ["UI5CodeEditor", "Member[value]", "remote"]
       - ["UI5CodeEditor", "Member[getCurrentValue].ReturnValue", "remote"]
       - ["global", "Member[jQuery].Member[sap].Member[syncHead,syncGet,syncGetText,syncPost,syncPostText].ReturnValue", "remote"]
@@ -83,9 +83,9 @@ extensions:
     data:
       # html-injection
       - ["global", "Member[jQuery].Member[sap].Member[globalEval].Argument[0]", "ui5-html-injection"]
-      - ["HTMLControl", "Argument[0].Member[content]", "ui5-html-injection"]
-      - ["HTMLControl", "Member[content]", "ui5-html-injection"]
-      - ["HTMLControl", "Member[setContent].Argument[0]", "ui5-html-injection"]
+      - ["UI5HTMLControl", "Argument[0].Member[content]", "ui5-html-injection"]
+      - ["UI5HTMLControl", "Member[content]", "ui5-html-injection"]
+      - ["UI5HTMLControl", "Member[setContent].Argument[0]", "ui5-html-injection"]
       - ["Patcher", "Member[unsafeHtml].Argument[0..]", "ui5-html-injection"]
       - ["RenderManager", "Member[write,unsafeHtml].Argument[0..]", "ui5-html-injection"]
       - ["RenderManager", "Member[writeAttribute,addStyle].Argument[0..1]", "ui5-html-injection"]
@@ -131,3 +131,5 @@ extensions:
       - ["sap/base/security/encodeURL", "", "Argument[0]", "ReturnValue", "taint"]
       - ["sap/base/security/encodeURLParameters", "", "Argument[0]", "ReturnValue", "taint"]
       - ["sap/base/security/encodeXML", "", "Argument[0]", "ReturnValue", "taint"]
+      - ["UI5HTMLControl", "", "Argument[0].Member[content]", "ReturnValue.Member[content]", "taint"]
+      - ["UI5HTMLControl", "Instance.Member[getContent]", "Argument[this].Member[content]", "ReturnValue", "taint"]

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -1,22 +1,52 @@
 import javascript
 import advanced_security.javascript.frameworks.ui5.UI5
 import advanced_security.javascript.frameworks.ui5.UI5View
-private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions as ApiGraphModelsExtensions
+import semmle.javascript.security.dataflow.XssThroughDomCustomizations
+private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions
 
-private class DataFromRemoteControlReference extends RemoteFlowSource, MethodCallNode {
+private class DataFromRemoteControlReference extends RemoteFlowSource {
   DataFromRemoteControlReference() {
     exists(UI5Control sourceControl, string typeAlias, ControlReference controlReference |
-      ApiGraphModelsExtensions::typeModel(typeAlias, sourceControl.getImportPath(), _) and
-      ApiGraphModelsExtensions::sourceModel(typeAlias, _, "remote", _) and
+      typeModel(typeAlias, sourceControl.getImportPath(), _) and
+      sourceModel(typeAlias, _, "remote", _) and
       sourceControl.getAReference() = controlReference and
-      controlReference.flowsTo(this.getReceiver()) and
-      this.getMethodName() = "getValue"
+      (
+        this = controlReference.getAMemberCall("getValue") or
+        this = controlReference.getAPropertyRead("value")
+      )
     )
   }
 
   override string getSourceType() { result = "Data from a remote control" }
 }
 
+private class InputControlInstantiation extends ElementInstantiation {
+  InputControlInstantiation() { typeModel("UI5InputControl", this.getImportPath(), _) }
+}
+
+private class DataFromInstantiatedAndPlacedAtControl extends RemoteFlowSource, XssThroughDom::Source
+{
+  DataFromInstantiatedAndPlacedAtControl() {
+    exists(
+      InputControlInstantiation controlInstantiation, string typeAlias,
+      ControlReference controlReference
+    |
+      /* Double check that the type derives a remote flow source. */
+      typeModel(typeAlias, controlInstantiation.getImportPath(), _) and
+      sourceModel(typeAlias, _, "remote", _) and
+      controlInstantiation.getId() = controlReference.getId() and
+      (
+        this = controlReference.getAMemberCall("getValue") or
+        this = controlReference.getAPropertyRead("value")
+      )
+    )
+  }
+
+  override string getSourceType() {
+    result = "Data from an instantiated control placed in a DOM tree"
+  }
+}
+
 class LocalModelContentBoundBidirectionallyToSourceControl extends RemoteFlowSource {
   UI5BindingPath bindingPath;
   UI5Control controlDeclaration;
@@ -60,24 +90,28 @@ class ODataServiceModel extends UI5ExternalModel {
   ODataServiceModel() {
     exists(MethodCallNode setModelCall, CustomController controller |
       /*
-       * 1. This flows from a DF node corresponding to the parent component's model to the `this.setModel` call
-       * i.e. Aims to capture something like `this.getOwnerComponent().getModel("someModelName")` as in
-       * `this.getView().setModel(this.getOwnerComponent().getModel("someModelName"))`
+       * 1. This flows from a DF node corresponding to the parent component's model
+       * to the `this.setModel` call. e.g.
+       *
+       * `this.getOwnerComponent().getModel("someModelName")` as in
+       * `this.getView().setModel(this.getOwnerComponent().getModel("someModelName"))`.
        */
 
       modelName = this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() and
       this.getCalleeName() = "getModel" and
       controller.getOwnerComponentRef().flowsTo(this.(MethodCallNode).getReceiver()) and
       this.flowsTo(setModelCall.getArgument(0)) and
-      setModelCall.getMethodName() = "setModel" and
-      setModelCall.getReceiver() = controller.getAViewReference() and
-      /* 2. The component's manifest.json declares the DataSource as being of OData type */
+      setModelCall = controller.getAViewReference().getAMemberCall("setModel") and
+      /*
+       * 2. The component's `manifest.json` declares the DataSource as being of OData type.
+       */
+
       controller.getOwnerComponent().getExternalModelDef(modelName).getDataSource() instanceof
         ODataDataSourceManifest
     )
     or
     /*
-     * A constructor call to sap.ui.model.odata.v2.ODataModel.
+     * A constructor call to `sap.ui.model.odata.v2.ODataModel`.
      */
 
     this instanceof NewNode and

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -5,6 +5,7 @@ import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.UI5HTML
 import codeql.util.FileSystem
+private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions as ApiGraphModelsExtensions
 
 private module WebAppResourceRootJsonReader implements JsonParser::MakeJsonReaderSig<WebApp> {
   class JsonReader extends WebApp {
@@ -133,10 +134,11 @@ class WebApp extends HTML::HtmlFile {
 }
 
 /**
- * https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.loader%23methods/sap.ui.loader.config
+ * The global instance of `sap.ui.Core` that represents this UI5 application, as retrieved
+ * by a call to `sap.ui.getCore()`.
  */
-class Loader extends CallNode {
-  Loader() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("loader") }
+class SapUiCore extends MethodCallNode {
+  SapUiCore() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("getCore") }
 }
 
 /**
@@ -291,24 +293,31 @@ class CustomControl extends SapExtendCall {
       result = renderer.getRenderer()
     )
   }
+
+  ValueNode getAThisNode() {
+    exists(ThisNode thisNode | thisNode.getBinder() = this.getAMethod() |
+      result.getALocalSource() = thisNode
+    )
+  }
 }
 
 abstract class Reference extends MethodCallNode { }
 
 /**
- * A JS reference to a `UI5Control`, commonly obtained via `View.byId(controlId)`.
+ * A JS reference to a `UI5Control`, commonly obtained via its ID.
  */
 class ControlReference extends Reference {
   string controlId;
 
   ControlReference() {
-    exists(CustomController controller |
-      (
-        controller.getAViewReference().flowsTo(this.getReceiver()) or
-        controller.getAThisNode() = this.getReceiver()
-      ) and
-      this.getMethodName() = "byId" and
-      this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() = controlId
+    this.getArgument(0).getStringValue() = controlId and
+    (
+      exists(CustomController controller |
+        this = controller.getAViewReference().getAMemberCall("byId") or
+        this.getReceiver() = controller.getAThisNode()
+      )
+      or
+      exists(SapUiCore sapUiCore | this = sapUiCore.getAMemberCall("byId"))
     )
   }
 
@@ -453,13 +462,7 @@ class CustomController extends SapExtendCall {
   UI5View getView() { this = result.getController() }
 
   ControlReference getAControlReference() {
-    exists(MethodCallNode viewRef |
-      viewRef = this.getAViewReference() and
-      /* There is a view */
-      viewRef.flowsTo(result.(MethodCallNode).getReceiver()) and
-      /* The result is a member of this view */
-      result.(MethodCallNode).getMethodName() = "byId"
-    )
+    result = this.getAViewReference().getAMemberCall("byId")
   }
 
   ValueNode getAThisNode() {
@@ -481,19 +484,16 @@ class CustomController extends SapExtendCall {
   }
 
   UI5Model getModel() {
-    exists(MethodCallNode setModelCall |
-      this.getAViewReference().flowsTo(setModelCall.getReceiver()) and
-      setModelCall.getMethodName() = "setModel" and
-      result.flowsTo(setModelCall.getAnArgument())
-    )
+    result = this.getAViewReference().getAMemberCall("setModel").getAnArgument().getALocalSource()
   }
 
   ModelReference getModelReference(string modelName) {
-    this.getAViewReference().flowsTo(result.getReceiver()) and
-    result.getModelName() = modelName
+    result = this.getAViewReference().getAMemberCall(modelName)
   }
 
-  ModelReference getAModelReference() { this.getAViewReference().flowsTo(result.getReceiver()) }
+  ModelReference getAModelReference() {
+    result = this.getAViewReference().getAMemberCall("getModel")
+  }
 
   RouterReference getARouterReference() {
     result.getMethodName() = "getRouter" and
@@ -514,9 +514,10 @@ class RouteReference extends MethodCallNode {
   string name;
 
   RouteReference() {
-    this.getMethodName() = "getRoute" and
-    this.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() = name and
-    exists(RouterReference routerReference | routerReference.flowsTo(this.getReceiver()))
+    exists(RouterReference routerReference |
+      this = routerReference.getAMemberCall("getRoute") and
+      this.getArgument(0).getStringValue() = name
+    )
   }
 
   string getName() { result = name }
@@ -1238,21 +1239,18 @@ class RequiredObject extends Expr {
  */
 class SapExtendCall extends InvokeNode, MethodCallNode {
   SapExtendCall() {
-    /* 1. The receiver object is an imported one */
     exists(RequiredObject requiredModule |
-      requiredModule.asSourceNode().flowsTo(this.getReceiver())
-    ) and
-    /* 2. The method name is `extend` */
-    this.(MethodCallNode).getMethodName() = "extend"
+      this = requiredModule.asSourceNode().getAMemberCall("extend")
+    )
   }
 
   FunctionNode getMethod(string methodName) {
-    result = this.getContent().(ObjectLiteralNode).getAPropertySource(methodName).(FunctionNode)
+    result = this.getContent().(ObjectLiteralNode).getAPropertySource(methodName)
   }
 
   FunctionNode getAMethod() { result = this.getMethod(_) }
 
-  string getName() { result = this.getArgument(0).asExpr().(StringLiteral).getValue() }
+  string getName() { result = this.getArgument(0).getStringValue() }
 
   ObjectLiteralNode getContent() { result = this.getArgument(1) }
 
@@ -1269,14 +1267,34 @@ class SapExtendCall extends InvokeNode, MethodCallNode {
   SapDefineModule getDefine() { this.getEnclosingFunction() = result.getArgument(1) }
 }
 
+class ElementInstantiation extends NewNode {
+  string importPath;
+
+  ElementInstantiation() {
+    exists(RequiredObject requiredObject |
+      this = requiredObject.asSourceNode().getAnInstantiation() and
+      importPath = requiredObject.getDependency()
+    )
+  }
+
+  string getId() {
+    result = this.getArgument(0).(SourceNode).getAPropertyWrite("id").getRhs().getStringValue()
+  }
+
+  string getImportPath() { result = importPath }
+}
+
 private newtype TSapElement =
-  DefinitionOfElement(SapExtendCall extension) or
-  ReferenceOfElement(Reference reference)
+  TDefinitionOfElement(SapExtendCall extension) or
+  TReferenceOfElement(Reference reference) or
+  TInstantiationOfElement(ElementInstantiation newNode)
 
 class SapElement extends TSapElement {
-  SapExtendCall asDefinition() { this = DefinitionOfElement(result) }
+  SapExtendCall asDefinition() { this = TDefinitionOfElement(result) }
 
-  Reference asReference() { this = ReferenceOfElement(result) }
+  Reference asReference() { this = TReferenceOfElement(result) }
+
+  ElementInstantiation asInstantiation() { this = TInstantiationOfElement(result) }
 
   SapElement getParentElement() {
     result.asReference() = this.asDefinition().(CustomControl).getController().getAViewReference() or
@@ -1286,8 +1304,27 @@ class SapElement extends TSapElement {
     result.asDefinition() = this.asDefinition().(CustomController).getOwnerComponent() or
     result.asDefinition() =
       this.asReference().(ControllerReference).getDefinition().getOwnerComponent()
+    /* TODO: Implement branch for `asInstantiation` */
   }
 
+  string getId() {
+    result = this.asInstantiation().getId()
+    or
+    /* TODO: Needs testing */
+    result =
+      this.asDefinition()
+          .(CustomControl)
+          .getMetadata()
+          .getProperty("id")
+          .getAPropertySource()
+          .getStringValue()
+    /*
+     * Note that because we cannot statically determine the ID of an element from the references alone,
+     * we do not implement the branch of `TReferenceOfElement`.
+     */
+
+    }
+
   string toString() {
     result = this.asDefinition().toString() or
     result = this.asReference().toString()
@@ -1312,11 +1349,8 @@ class Metadata extends ObjectLiteralNode {
 
   Metadata() { this = extension.getContent().getAPropertySource("metadata") }
 
-  SourceNode getProperty(string name) {
-    result =
-      any(PropertyMetadata property |
-        property.getParentMetadata() = this and property.getName() = name
-      )
+  PropertyMetadata getProperty(string name) {
+    result.getParentMetadata() = this and result.getName() = name
   }
 }