Port over UI5LogsToHttp

jeongsoolee09 · jeongsoolee09 · commit 32aba1ceae18 · 2025-08-15T18:21:23.000-04:00
NOTE: The end-to-end results of the queries are okay (the `#select` portion is unchanged),
but there are difference in `nodes` and `edges` that probably needs attention.
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5LogsToHttpQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5LogsToHttpQuery.qll
@@ -0,0 +1,55 @@
+import javascript
+import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
+import advanced_security.javascript.frameworks.ui5.UI5LogInjectionQuery
+
+class ClientRequestInjectionVector extends DataFlow::Node {
+  ClientRequestInjectionVector() {
+    exists(ClientRequest req |
+      this = req.getUrl() or
+      this = req.getADataNode()
+    )
+  }
+}
+
+class UI5LogEntryFlowState extends string {
+  UI5LogEntryFlowState() { this = ["not-logged-not-accessed", "logged-and-accessed"] }
+}
+
+module UI5LogEntryToHttp implements DataFlow::StateConfigSig {
+  class FlowState = UI5LogEntryFlowState;
+
+  predicate isSource(DataFlow::Node node, FlowState state) {
+    node instanceof RemoteFlowSource and
+    state = "not-logged-not-accessed"
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node start, FlowState preState, DataFlow::Node end, FlowState postState
+  ) {
+    UI5LogInjection::isAdditionalFlowStep(start, end) and
+    preState = postState
+    or
+    /*
+     * NOTE: This disjunct is a labeled version of LogArgumentToListener in
+     * FlowSteps.qll, a DataFlow::SharedFlowStep. As the class is considered
+     * legacy on version 2.4.0, we leave the two here (labeled) and there
+     * (unlabeled). This is something we should also tidy up when we migrate
+     * to the newer APIs.
+     */
+
+    inSameWebApp(start.getFile(), end.getFile()) and
+    start =
+      ModelOutput::getATypeNode("SapLogger")
+          .getMember(["debug", "error", "fatal", "info", "trace", "warning"])
+          .getACall()
+          .getAnArgument() and
+    end = ModelOutput::getATypeNode("SapLogEntries").asSource() and
+    preState = "not-logged-not-accessed" and
+    postState = "logged-and-accessed"
+  }
+
+  predicate isSink(DataFlow::Node node, FlowState state) {
+    node instanceof ClientRequestInjectionVector and
+    state = "logged-and-accessed"
+  }
+}
diff --git a/javascript/frameworks/ui5/src/UI5LogInjection/UI5LogsToHttp.ql b/javascript/frameworks/ui5/src/UI5LogInjection/UI5LogsToHttp.ql
@@ -12,69 +12,21 @@
  */
 
 import javascript
+import advanced_security.javascript.frameworks.ui5.UI5LogsToHttpQuery
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow
-import semmle.javascript.frameworks.data.internal.ApiGraphModels
-import advanced_security.javascript.frameworks.ui5.UI5LogInjectionQuery
-import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow::UI5PathGraph
 
-class ClientRequestInjectionVector extends DataFlow::Node {
-  ClientRequestInjectionVector() {
-    exists(ClientRequest req |
-      this = req.getUrl() or
-      this = req.getADataNode()
-    )
-  }
-}
+module UI5LogsToHttpFlow = TaintTracking::GlobalWithState<UI5LogEntryToHttp>;
 
-class UI5LogEntryFlowState extends DataFlow::FlowLabel {
-  UI5LogEntryFlowState() { this = ["not-logged-not-accessed", "logged-and-accessed"] }
-}
+module UI5LogsToHttpUI5PathGraph =
+  UI5PathGraph<UI5LogsToHttpFlow::PathNode, UI5LogsToHttpFlow::PathGraph>;
 
-class UI5LogEntryToHttp extends TaintTracking::Configuration {
-  UI5LogEntryToHttp() { this = "UI5 Log Entry included in an outbound HTTP request" }
+import UI5LogsToHttpUI5PathGraph
 
-  override predicate isSource(DataFlow::Node node, DataFlow::FlowLabel state) {
-    node instanceof RemoteFlowSource and
-    state = "not-logged-not-accessed"
-  }
-
-  override predicate isAdditionalFlowStep(
-    DataFlow::Node start, DataFlow::Node end, DataFlow::FlowLabel preState,
-    DataFlow::FlowLabel postState
-  ) {
-    exists(UI5LogInjectionConfiguration cfg |
-      cfg.isAdditionalFlowStep(start, end) and
-      preState = postState
-    )
-    or
-    /*
-     * NOTE: This disjunct is a labeled version of LogArgumentToListener in
-     * FlowSteps.qll, a DataFlow::SharedFlowStep. As the class is considered
-     * legacy on version 2.4.0, we leave the two here (labeled) and there
-     * (unlabeled). This is something we should also tidy up when we migrate
-     * to the newer APIs.
-     */
-
-    inSameWebApp(start.getFile(), end.getFile()) and
-    start =
-      ModelOutput::getATypeNode("SapLogger")
-          .getMember(["debug", "error", "fatal", "info", "trace", "warning"])
-          .getACall()
-          .getAnArgument() and
-    end = ModelOutput::getATypeNode("SapLogEntries").asSource() and
-    preState = "not-logged-not-accessed" and
-    postState = "logged-and-accessed"
-  }
-
-  override predicate isSink(DataFlow::Node node, DataFlow::FlowLabel state) {
-    node instanceof ClientRequestInjectionVector and
-    state = "logged-and-accessed"
-  }
-}
-
-from UI5LogEntryToHttp cfg, UI5PathNode source, UI5PathNode sink, UI5PathNode primarySource
+from
+  UI5LogsToHttpUI5PathGraph::UI5PathNode source, UI5LogsToHttpUI5PathGraph::UI5PathNode sink,
+  UI5LogsToHttpUI5PathGraph::UI5PathNode primarySource
 where
-  cfg.hasFlowPath(source.getPathNode(), sink.getPathNode()) and
+  UI5LogsToHttpFlow::flowPath(source.getPathNode(), sink.getPathNode()) and
   primarySource = source.getAPrimarySource()
 select sink, primarySource, sink, "Outbound network request depends on $@ log data.", primarySource,
   "user-provided"
