Add the first draft of working query

jeongsoolee09 · jeongsoolee09 · commit d7a8b3084cde · 2025-11-24T11:06:24.000-05:00
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -70,6 +70,9 @@ extensions:
       - ["UI5ClientStorage", "global", "Member[jQuery].Member[sap].Member[storage]"]
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
+      # Publishing and Subscribing to Events
+      - ["UI5PublishedEventData", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[publish].Argument[2]"]
+      - ["UI5EventSubscriptionHandlerDataParameter", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[subscribe].Argument[2].Parameter[2]"]
 
   - addsTo:
       pack: codeql/javascript-all
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -1,6 +1,7 @@
 import javascript
 import DataFlow
 import advanced_security.javascript.frameworks.ui5.JsonParser
+import advanced_security.javascript.frameworks.ui5.dataflow.TypeTrackers
 import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.UI5HTML
@@ -1427,19 +1428,3 @@ class PropertyMetadata extends ObjectLiteralNode {
     inSameWebApp(this.getFile(), result.getFile())
   }
 }
-
-module TypeTrackers {
-  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
-    t.start() and
-    exists(UserModule d |
-      d.getADependency() = dependencyPath and
-      result = d.getRequiredObject(dependencyPath).asSourceNode()
-    )
-    or
-    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
-  }
-
-  SourceNode hasDependency(string dependencyPath) {
-    result = hasDependency(TypeTracker::end(), dependencyPath)
-  }
-}
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
@@ -366,3 +366,10 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
     logArgumentToListener(start, end)
   }
 }
+
+class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node start, DataFlow::Node end) {
+    start = ModelOutput::getATypeNode("UI5PublishedEventData").getInducingNode() and
+    end = ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter").getInducingNode()
+  }
+}
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/TypeTrackers.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/TypeTrackers.qll
@@ -0,0 +1,46 @@
+import javascript
+import DataFlow
+
+module TypeTrackers {
+  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
+    t.start() and
+    exists(UserModule d |
+      d.getADependency() = dependencyPath and
+      result = d.getRequiredObject(dependencyPath).asSourceNode()
+    )
+    or
+    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
+  }
+
+  SourceNode hasDependency(string dependencyPath) {
+    result = hasDependency(TypeTracker::end(), dependencyPath)
+  }
+
+  private MethodCallNode getOwnerComponentRef(TypeTracker t, CustomController customController) {
+    customController.getAThisNode() = result.getReceiver() and
+    result.getMethodName() = "getOwnerComponent"
+    or
+    exists(TypeTracker t2 | result = getOwnerComponentRef(t2, customController).track(t2, t))
+  }
+
+  /* owner component ref */
+  MethodCallNode getOwnerComponentRef(CustomController customController) {
+    result = getOwnerComponentRef(TypeTracker::end(), customController)
+  }
+
+  private class ObjFieldStep extends SharedTypeTrackingStep {
+    override predicate step(DataFlow::Node start, DataFlow::Node end) {
+      exists(SapExtendCall sapExtendCall, ObjectLiteralNode wrappedObject, string name |
+        wrappedObject = sapExtendCall.getContent() and
+        start = getAnAlias(wrappedObject).getAPropertyWrite(name).getRhs() and
+        end = getAnAlias(wrappedObject).getAPropertyRead(name)
+      )
+    }
+  }
+
+  private DataFlow::SourceNode getAnAlias(DataFlow::SourceNode object) {
+    result = object
+    or
+    result = getAnAlias(object).getAPropertySource().(DataFlow::FunctionNode).getReceiver()
+  }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/webapp/controller/app.controller.js
@@ -32,5 +32,4 @@ sap.ui.define([
       oHtmlOutput.setContent(model.message);
     }
   });
-}
-);
+});

Original file line number	Diff line number	Diff line change
`@@ -366,3 +366,10 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {`
`366`	`366`	`logArgumentToListener(start, end)`
`367`	`367`	`}`
`368`	`368`	`}`
	`369`	`+`
	`370`	`+class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {`
	`371`	`+ override predicate step(DataFlow::Node start, DataFlow::Node end) {`
	`372`	`+ start = ModelOutput::getATypeNode("UI5PublishedEventData").getInducingNode() and`
	`373`	`+ end = ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter").getInducingNode()`
	`374`	`+ }`
	`375`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -32,5 +32,4 @@ sap.ui.define([`
`32`	`32`	`oHtmlOutput.setContent(model.message);`
`33`	`33`	`}`
`34`	`34`	`});`
`35`		`-}`
`36`		`-);`
	`35`	`+});`