UI5 Framework Modeling Gaps

[data-douser]

Summary

Analysis of current UI5 CodeQL modeling identified gaps in framework component coverage and query patterns. This issue tracks enhancements to improve detection of insecure UI5 patterns.

Identified Gaps

Navigation & Routing

• Navigation patterns - Missing remote flow sources from programmatic navigation APIs (NavContainer.to, NavContainer.back)
• Hash-based routing - No modeling for sap.ui.core.routing.HashChanger parameter extraction
• Route pattern matching - Incomplete coverage for route parameter sources beyond attachRouteMatched

Messaging & Events

• MessageBox user input - Actions in MessageBox.show callbacks not modeled as event handlers
• MessageToast - Toast notification text rendering not modeled as display sink
• Custom event parameters - Generic fireEvent/attachEvent patterns incomplete

Data Models & Binding

• Client-side filtering - Filter expressions from sap.ui.model.Filter not tracked as potential injection vectors
• Computed bindings - Expression binding syntax ({= ... }) parsing incomplete
• List binding paths - Aggregation binding contexts not fully tracked through data flow
• XMLModel - Remote XML data sources not modeled

Controls & Components

• Fragment instantiation - Fragment.load dynamic content not tracked
• Component container - Cross-component data flow through ComponentContainer incomplete
• Smart controls - sap.ui.comp library controls (SmartTable, SmartForm, etc.) not modeled
• Flexible column layout - Navigation between columns not tracked

Security-Specific

• Content Security Policy - No query for inline event handlers violating CSP
• Trusted types - No modeling for Trusted Types API usage in UI5 apps

Storage & Persistence

• Session storage - jQuery.sap.storage.Type.session not distinguished from local storage
• Storage key validation - Missing sanitizer recognition for storage key restrictions

Exclusions

Work already completed or in progress:

• EventBus messaging (Model sap/ui/core/EventBus #258 - open)
• OData v4 support (Add v4 support for ODataModel #250 - merged)
• Additional input controls: PasswordField, SearchField, TextField, ValueHelpField, ComboBox, TextArea (Add UI5 missing models #249 - merged)
• Dynamic UI5 control instantiation (Support dynamically instantiated UI5 controls placed at a DOM tree #240 - merged)
• sanitizeContent attribute (Ensure sanitizeContent attribute is respected #257 - open)
• DatePicker input (Add to ui5 model #253 - draft)
• BindingPath.getNode, OData v4 remote models, AMD module inheritance (Support OData v4 remote models, add a fallback case on UI5BindingPath.getNode/0, fix UI5 AMD module inheritance #248 - draft)
• webcomponents-react test cases (ui5/webcomponents-react FP improvements for OOTB queries #244 - draft)

Implementation Notes

Following PR #258 pattern:

• Add types to ext/ui5.model.yml for new framework APIs
• Extend lib/.../FlowSteps.qll and lib/.../TypeTrackers.qll as needed
• Create test cases in test/models/ and test/queries/ with both positive and negative examples
• Document in change notes following src/change-notes/*.md format

References

• Agent: .github/agents/javascript-ui5-modeling-agent.md
• Instructions: .github/instructions/javascript_ui5_ql.instructions.md
• Prompts: .github/prompts/ui5_framework_development.prompt.md

[jeongsoolee09]

Not sure what "ResourceModel i18n parameters - getText placeholder injection incomplete" means, much less how EventBus modeling fixes that

[data-douser]

Not sure what "ResourceModel i18n parameters - getText placeholder injection incomplete" means, much less how EventBus modeling fixes that

Thanks for the feedback. The Identified Gaps definitely need some human review before proceeding with any attempt at implementation. I removed the checklist item for ResourceModel i18n parameters.

[mbaluda]

We do model encodeHTML, encodeURL, encodeCSS, encodeJS as sanitizers
Does it come from a FP report?

[data-douser]

We do model encodeHTML, encodeURL, encodeCSS, encodeJS as sanitizers Does it come from a FP report?

Not from a FP report.

This issue was generated by Copilot as a test use of the changes proposed in PR #260 .
The Identified Gaps should be treated with extreme skepticism / validated before proceeding work on a given checklist item.

I updated issue description to remove the checklist item for modeling encodeHTML, encodeURL, encodeCSS, and encodeJS.