Port over UI5UnsafeLogAccess

jeongsoolee09 · jeongsoolee09 · commit dbcdcbf4dc0e · 2025-08-15T18:27:43.000-04:00
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5UnsafeLogAccessQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5UnsafeLogAccessQuery.qll
@@ -0,0 +1,45 @@
+import javascript
+import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
+import semmle.javascript.security.dataflow.LogInjectionQuery
+
+module UI5UnsafeLogAccess implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+
+  predicate isBarrier(DataFlow::Node node) { LogInjectionConfig::isBarrier(node) }
+
+  predicate isSink(DataFlow::Node node) {
+    node = ModelOutput::getASinkNode("ui5-log-injection").asSink()
+  }
+}
+
+private newtype TLogEntriesNode =
+  TDataFlowNode(DataFlow::Node node) {
+    node = ModelOutput::getATypeNode("SapLogEntries").getInducingNode()
+  } or
+  TUI5ControlNode(UI5Control control) { control.getImportPath() = "sap/ui/vk/Notifications" }
+
+class LogEntriesNode extends TLogEntriesNode {
+  DataFlow::Node asDataFlowNode() { this = TDataFlowNode(result) }
+
+  UI5Control asUI5ControlNode() { this = TUI5ControlNode(result) }
+
+  File getFile() {
+    result = this.asDataFlowNode().getFile()
+    or
+    result = this.asUI5ControlNode().getView()
+  }
+
+  string toString() {
+    result = this.asDataFlowNode().toString()
+    or
+    result = this.asUI5ControlNode().toString()
+  }
+
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.asDataFlowNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+    or
+    this.asUI5ControlNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
diff --git a/javascript/frameworks/ui5/src/UI5LogInjection/UI5UnsafeLogAccess.ql b/javascript/frameworks/ui5/src/UI5LogInjection/UI5UnsafeLogAccess.ql
@@ -12,54 +12,21 @@
 
 import javascript
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
-import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow::UI5PathGraph
-import semmle.javascript.security.dataflow.LogInjectionQuery as LogInjection
+import advanced_security.javascript.frameworks.ui5.UI5UnsafeLogAccessQuery
 
-class UI5LogInjectionConfiguration extends LogInjection::LogInjectionConfiguration {
-  override predicate isSource(DataFlow::Node node) { node instanceof RemoteFlowSource }
+module UI5UnsafeLogAccessFlow = TaintTracking::Global<UI5UnsafeLogAccess>;
 
-  override predicate isSink(DataFlow::Node node) {
-    node = ModelOutput::getASinkNode("ui5-log-injection").asSink()
-  }
-}
+module UI5UnsafeLogAccessFlowUI5PathGraph =
+  UI5PathGraph<UI5UnsafeLogAccessFlow::PathNode, UI5UnsafeLogAccessFlow::PathGraph>;
 
-private newtype TLogEntriesNode =
-  TDataFlowNode(DataFlow::Node node) {
-    node = ModelOutput::getATypeNode("SapLogEntries").getInducingNode()
-  } or
-  TUI5ControlNode(UI5Control control) { control.getImportPath() = "sap/ui/vk/Notifications" }
-
-class LogEntriesNode extends TLogEntriesNode {
-  DataFlow::Node asDataFlowNode() { this = TDataFlowNode(result) }
-
-  UI5Control asUI5ControlNode() { this = TUI5ControlNode(result) }
-
-  File getFile() {
-    result = this.asDataFlowNode().getFile()
-    or
-    result = this.asUI5ControlNode().getView()
-  }
-
-  string toString() {
-    result = this.asDataFlowNode().toString()
-    or
-    result = this.asUI5ControlNode().toString()
-  }
-
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
-  ) {
-    this.asDataFlowNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-    or
-    this.asUI5ControlNode().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
-  }
-}
+import UI5UnsafeLogAccessFlowUI5PathGraph
 
 from
-  UI5LogInjectionConfiguration cfg, UI5PathNode source, UI5PathNode sink, UI5PathNode primarySource,
-  LogEntriesNode logEntries
+  UI5UnsafeLogAccessFlowUI5PathGraph::UI5PathNode source,
+  UI5UnsafeLogAccessFlowUI5PathGraph::UI5PathNode sink,
+  UI5UnsafeLogAccessFlowUI5PathGraph::UI5PathNode primarySource, LogEntriesNode logEntries
 where
-  cfg.hasFlowPath(source.getPathNode(), sink.getPathNode()) and
+  UI5UnsafeLogAccessFlow::flowPath(source.getPathNode(), sink.getPathNode()) and
   primarySource = source.getAPrimarySource() and
   inSameWebApp(source.getFile(), logEntries.getFile())
 select logEntries, primarySource, sink, "Accessed log entries depend on $@.", primarySource,
diff --git a/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected b/javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5UnsafeLogAccess.expected
@@ -1,4 +1,3 @@
-WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5UnsafeLogAccess.ql:18,44-83)
 nodes
 | webapp/controller/app.controller.js:11:11:11:21 | input: null |
 | webapp/controller/app.controller.js:17:13:17:48 | input |

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`		`-WARNING: type 'LogInjectionConfiguration' has been deprecated and may be removed in future (UI5UnsafeLogAccess.ql:18,44-83)`
`2`	`1`	`nodes`
`3`	`2`	`\| webapp/controller/app.controller.js:11:11:11:21 \| input: null \|`
`4`	`3`	`\| webapp/controller/app.controller.js:17:13:17:48 \| input \|`