advanced-security · jeongsoolee09 · Apr 3, 2025 · Mar 28, 2025 · Mar 28, 2025 · Apr 3, 2025
diff --git a/...t/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll b/...t/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll
@@ -43,9 +43,14 @@ class CdsLogSink extends DataFlow::Node {
   }
 }
 
-class CAPLogInjectionConfiguration extends LogInjectionConfiguration {
+class CAPLogInjectionConfiguration extends TaintTracking::Configuration {
+  CAPLogInjectionConfiguration() { this = "CAP Log Injection" }
+
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    exists(LogInjectionConfiguration logInjectionConfiguration |
+      logInjectionConfiguration.isSource(start)
+    )
+    or
     start instanceof RemoteFlowSource
   }
 

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
@@ -2,11 +2,14 @@ import javascript
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow
 import advanced_security.javascript.frameworks.ui5.UI5View
 import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
-import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect as UrlRedirect
 
-class Configuration extends DomBasedXss::Configuration {
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "UI5 HTML Injection" }
+
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start)
+    exists(DomBasedXss::Configuration domBasedXssConfiguration |
+      domBasedXssConfiguration.isSource(start)
+    )
     or
     start instanceof RemoteFlowSource
   }
@@ -16,7 +19,9 @@ class Configuration extends DomBasedXss::Configuration {
     DataFlow::FlowLabel outLabel
   ) {
     /* Already an additional flow step defined in `DomBasedXssQuery::Configuration` */
-    super.isAdditionalFlowStep(start, end, inLabel, outLabel)
+    exists(DomBasedXss::Configuration domBasedXssConfiguration |
+      domBasedXssConfiguration.isAdditionalFlowStep(start, end, inLabel, outLabel)
+    )
     or
     /* TODO: Legacy code */
     /* Handler argument node to handler parameter */
@@ -34,7 +39,9 @@ class Configuration extends DomBasedXss::Configuration {
 
   override predicate isBarrier(DataFlow::Node node) {
     /* 1. Already a sanitizer defined in `DomBasedXssQuery::Configuration` */
-    super.isSanitizer(node)
+    exists(DomBasedXss::Configuration domBasedXssConfiguration |
+      domBasedXssConfiguration.isSanitizer(node)
+    )
     or
     /* 2. Value read from a non-string control property */
     exists(PropertyMetadata m | not m.isUnrestrictedStringType() | node = m)
@@ -56,21 +63,20 @@ class Configuration extends DomBasedXss::Configuration {
 
   override predicate isSink(DataFlow::Node node) {
     node instanceof UI5ExtHtmlISink or
-    node instanceof UrlRedirect::LocationSink or
     node instanceof UI5ModelHtmlISink
   }
 }
 
 /**
  * An HTML injection sink associated with a `UI5BoundNode`, typically for library controls acting as sinks.
  */
-class UI5ModelHtmlISink extends DomBasedXss::Sink {
+class UI5ModelHtmlISink extends DataFlow::Node {
   UI5ModelHtmlISink() { exists(UI5View view | view.getAnHtmlISink().getNode() = this) }
 }
 
 /**
  * An HTML injection sink typically for custom controls whose RenderManager calls acting as sinks.
  */
-private class UI5ExtHtmlISink extends DomBasedXss::Sink {
+private class UI5ExtHtmlISink extends DataFlow::Node {
   UI5ExtHtmlISink() { this = ModelOutput::getASinkNode("ui5-html-injection").asSink() }
 }
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/UI5Xss.expected
@@ -12,7 +12,6 @@ nodes
 | XssTest.js:18:9:18:44 | value1 |
 | XssTest.js:18:18:18:44 | jQuery. ... (value) |
 | XssTest.js:18:39:18:43 | value |
-| XssTest.js:19:20:19:25 | value1 |
 | XssTest.js:20:27:20:32 | value1 |
 edges
 | XssTest.js:3:9:3:50 | value | XssTest.js:4:20:4:24 | value |
@@ -23,7 +22,6 @@ edges
 | XssTest.js:10:17:10:40 | documen ... .search | XssTest.js:10:9:10:40 | value |
 | XssTest.js:17:9:17:40 | value | XssTest.js:18:39:18:43 | value |
 | XssTest.js:17:17:17:40 | documen ... .search | XssTest.js:17:9:17:40 | value |
-| XssTest.js:18:9:18:44 | value1 | XssTest.js:19:20:19:25 | value1 |
 | XssTest.js:18:9:18:44 | value1 | XssTest.js:20:27:20:32 | value1 |
 | XssTest.js:18:18:18:44 | jQuery. ... (value) | XssTest.js:18:9:18:44 | value1 |
 | XssTest.js:18:39:18:43 | value | XssTest.js:18:18:18:44 | jQuery. ... (value) |

diff --git a/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll b/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll
@@ -17,13 +17,13 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "XSJS Reflected XSS Query" }
 
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    exists(DomBasedXss::Configuration domBasedXssConfiguration |
+      domBasedXssConfiguration.isSource(start)
+    ) or
     start instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node end) {
-    super.isSink(end)
-    or
     exists(XSJSResponseSetBodyCall setBody, XSJSResponse thisOrAnotherXSJSResponse |
       thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse() or
       thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse().getAPredOrSuccResponse()

diff --git a/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll b/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll
@@ -16,12 +16,13 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "XSJS SQL Injection Query" }
 
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    exists(SqlInjection::Configuration sqlInjectionConfiguration |
+      sqlInjectionConfiguration.isSource(start)
+    ) or
     start instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node end) {
-    super.isSink(end) or
     end.(XSJSDBConnectionPrepareStatementArgument).isConcatenated()
   }
 }
diff --git a/...frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll b/...frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll
@@ -6,13 +6,13 @@ class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "XSJS URL Redirect Query" }
 
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    exists(UrlRedirect::Configuration urlRedirectConfiguration |
+      urlRedirectConfiguration.isSource(start)
+    ) or
     start instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node end) {
-    super.isSink(end)
-    or
     exists(XSJSRequestOrResponseHeaders headers |
       end = headers.getHeaderSetCall("location").getArgument(1)
     )