Debug log-entry-flows-to-sinks/UI5Xss.qlref

Author: jeongsoolee09

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll

@@ -342,3 +342,19 @@ class ResourceBundleGetTextCallArgToReturnValueStep extends DataFlow::SharedFlow
     )
   }
 }
+
+/**
+ * A step from any argument of a SAP logging function to the `onLogEntry`
+ * method of a custom log listener in the same application.
+ */
+class LogArgumentToListener extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node start, DataFlow::Node end) {
+    inSameWebApp(start.getFile(), end.getFile()) and
+    start =
+      ModelOutput::getATypeNode("SapLogger")
+          .getMember(["debug", "error", "fatal", "info", "trace", "warning"])
+          .getACall()
+          .getAnArgument() and
+    end = ModelOutput::getATypeNode("SapLogEntries").asSource()
+  }
+}

javascript/frameworks/ui5/src/UI5LogInjection/UI5LogsToHttp.ql

@@ -49,6 +49,14 @@ class UI5LogEntryToHttp extends TaintTracking::Configuration {
       preState = postState
     )
     or
+    /*
+     * NOTE: This disjunct is a labeled version of LogArgumentToListener in
+     * FlowSteps.qll, a DataFlow::SharedFlowStep. As the class is considered
+     * legacy on version 2.4.0, we leave the two here (labeled) and there
+     * (unlabeled). This is something we should also tidy up when we migrate
+     * to the newer APIs.
+     */
+
     inSameWebApp(start.getFile(), end.getFile()) and
     start =
       ModelOutput::getATypeNode("SapLogger")

javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/UI5Xss.expected

@@ -1,8 +1,8 @@
 nodes
-| webapp/controller/app.controller.js:8:11:8:21 | input: null |
-| webapp/controller/app.controller.js:14:13:14:48 | input |
-| webapp/controller/app.controller.js:14:21:14:48 | oModel. ... input") |
-| webapp/controller/app.controller.js:15:30:15:34 | input |
+| webapp/controller/app.controller.js:11:11:11:21 | input: null |
+| webapp/controller/app.controller.js:17:13:17:48 | input |
+| webapp/controller/app.controller.js:17:21:17:48 | oModel. ... input") |
+| webapp/controller/app.controller.js:18:30:18:34 | input |
 | webapp/utils/CustomLogListener.js:9:29:9:34 | oEvent |
 | webapp/utils/CustomLogListener.js:15:24:15:29 | oEvent |
 | webapp/utils/CustomLogListener.js:15:24:15:37 | oEvent.message |
@@ -11,19 +11,19 @@ nodes
 | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
 | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
 edges
-| webapp/controller/app.controller.js:8:11:8:21 | input: null | webapp/controller/app.controller.js:14:21:14:48 | oModel. ... input") |
-| webapp/controller/app.controller.js:8:11:8:21 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
-| webapp/controller/app.controller.js:9:11:9:22 | output: null | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
-| webapp/controller/app.controller.js:11:22:11:41 | new JSONModel(oData) | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
-| webapp/controller/app.controller.js:14:13:14:48 | input | webapp/controller/app.controller.js:15:30:15:34 | input |
-| webapp/controller/app.controller.js:14:21:14:48 | oModel. ... input") | webapp/controller/app.controller.js:14:13:14:48 | input |
-| webapp/controller/app.controller.js:15:30:15:34 | input | webapp/utils/CustomLogListener.js:9:29:9:34 | oEvent |
+| webapp/controller/app.controller.js:11:11:11:21 | input: null | webapp/controller/app.controller.js:17:21:17:48 | oModel. ... input") |
+| webapp/controller/app.controller.js:11:11:11:21 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| webapp/controller/app.controller.js:12:11:12:22 | output: null | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
+| webapp/controller/app.controller.js:14:22:14:41 | new JSONModel(oData) | webapp/view/app.view.xml:8:5:8:37 | content={/output} |
+| webapp/controller/app.controller.js:17:13:17:48 | input | webapp/controller/app.controller.js:18:30:18:34 | input |
+| webapp/controller/app.controller.js:17:21:17:48 | oModel. ... input") | webapp/controller/app.controller.js:17:13:17:48 | input |
+| webapp/controller/app.controller.js:18:30:18:34 | input | webapp/utils/CustomLogListener.js:9:29:9:34 | oEvent |
 | webapp/utils/CustomLogListener.js:9:29:9:34 | oEvent | webapp/utils/CustomLogListener.js:15:24:15:29 | oEvent |
 | webapp/utils/CustomLogListener.js:9:29:9:34 | oEvent | webapp/utils/CustomLogListener.js:16:31:16:36 | oEvent |
 | webapp/utils/CustomLogListener.js:15:24:15:29 | oEvent | webapp/utils/CustomLogListener.js:15:24:15:37 | oEvent.message |
 | webapp/utils/CustomLogListener.js:16:31:16:36 | oEvent | webapp/utils/CustomLogListener.js:16:31:16:44 | oEvent.message |
-| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:8:11:8:21 | input: null |
-| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:22:11:41 | new JSONModel(oData) |
-| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/controller/app.controller.js:9:11:9:22 | output: null |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:11:11:11:21 | input: null |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:14:22:14:41 | new JSONModel(oData) |
+| webapp/view/app.view.xml:8:5:8:37 | content={/output} | webapp/controller/app.controller.js:12:11:12:22 | output: null |
 #select
 | webapp/utils/CustomLogListener.js:16:31:16:44 | oEvent.message | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/utils/CustomLogListener.js:16:31:16:44 | oEvent.message | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |