advanced-security · jeongsoolee09 · Nov 19, 2025 · Nov 24, 2025 · Nov 24, 2025 · Nov 24, 2025
diff --git a/javascript/frameworks/ui5/ext/ui5.model.yml b/javascript/frameworks/ui5/ext/ui5.model.yml
@@ -70,6 +70,9 @@ extensions:
       - ["UI5ClientStorage", "global", "Member[jQuery].Member[sap].Member[storage]"]
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
+      # Publishing and Subscribing to Events
+      - ["UI5PublishedEventData", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[publish].Argument[2]"]
+      - ["UI5EventSubscriptionHandlerDataParameter", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[subscribe].Argument[2].Parameter[2]"]
 
   - addsTo:
       pack: codeql/javascript-all

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll
@@ -1,6 +1,7 @@
 import javascript
 import DataFlow
 import advanced_security.javascript.frameworks.ui5.JsonParser
+import advanced_security.javascript.frameworks.ui5.dataflow.TypeTrackers
 import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.UI5HTML
@@ -1427,19 +1428,3 @@ class PropertyMetadata extends ObjectLiteralNode {
     inSameWebApp(this.getFile(), result.getFile())
   }
 }
-
-module TypeTrackers {
-  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
-    t.start() and
-    exists(UserModule d |
-      d.getADependency() = dependencyPath and
-      result = d.getRequiredObject(dependencyPath).asSourceNode()
-    )
-    or
-    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
-  }
-
-  SourceNode hasDependency(string dependencyPath) {
-    result = hasDependency(TypeTracker::end(), dependencyPath)
-  }
-}
diff --git a/...ipt/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll b/...ipt/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll
@@ -366,3 +366,10 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
     logArgumentToListener(start, end)
   }
 }
+
+class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
+  override predicate step(DataFlow::Node start, DataFlow::Node end) {
+    start = ModelOutput::getATypeNode("UI5PublishedEventData").getInducingNode() and
+    end = ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter").getInducingNode()
+  }
+}
diff --git a/.../frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/TypeTrackers.qll b/.../frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/TypeTrackers.qll
@@ -0,0 +1,46 @@
+import javascript
+import DataFlow
+
+module TypeTrackers {
+  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
+    t.start() and
+    exists(UserModule d |
+      d.getADependency() = dependencyPath and
+      result = d.getRequiredObject(dependencyPath).asSourceNode()
+    )
+    or
+    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
+  }
+
+  SourceNode hasDependency(string dependencyPath) {
+    result = hasDependency(TypeTracker::end(), dependencyPath)
+  }
+
+  private MethodCallNode getOwnerComponentRef(TypeTracker t, CustomController customController) {
+    customController.getAThisNode() = result.getReceiver() and
+    result.getMethodName() = "getOwnerComponent"
+    or
+    exists(TypeTracker t2 | result = getOwnerComponentRef(t2, customController).track(t2, t))
+  }
+
+  /* owner component ref */
+  MethodCallNode getOwnerComponentRef(CustomController customController) {
+    result = getOwnerComponentRef(TypeTracker::end(), customController)
+  }
+
+  private class ObjFieldStep extends SharedTypeTrackingStep {
+    override predicate step(DataFlow::Node start, DataFlow::Node end) {
+      exists(SapExtendCall sapExtendCall, ObjectLiteralNode wrappedObject, string name |
+        wrappedObject = sapExtendCall.getContent() and
+        start = getAnAlias(wrappedObject).getAPropertyWrite(name).getRhs() and
+        end = getAnAlias(wrappedObject).getAPropertyRead(name)
+      )
+    }
+  }
+
+  private DataFlow::SourceNode getAnAlias(DataFlow::SourceNode object) {
+    result = object
+    or
+    result = getAnAlias(object).getAPropertySource().(DataFlow::FunctionNode).getReceiver()
+  }
+}
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.expected b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.expected
@@ -0,0 +1,46 @@
+nodes
+| webapp/controller/app.controller.js:8:26:8:50 | this.ge ... Model() |
+| webapp/controller/app.controller.js:9:17:9:21 | input |
+| webapp/controller/app.controller.js:9:25:9:52 | oModel. ... input') |
+| webapp/controller/app.controller.js:10:44:10:48 | input |
+| webapp/controller/app.controller.js:18:17:18:27 | sInputValue |
+| webapp/controller/app.controller.js:18:31:18:59 | oEvent. ... Value() |
+| webapp/controller/app.controller.js:19:44:19:54 | sInputValue |
+| webapp/controller/app.controller.js:26:17:26:21 | value |
+| webapp/controller/app.controller.js:26:25:26:41 | oInput.getValue() |
+| webapp/controller/app.controller.js:27:36:27:40 | value |
+| webapp/controller/app.controller.js:31:17:31:27 | input: null |
+| webapp/controller/app.controller.js:32:17:32:29 | output1: null |
+| webapp/controller/app.controller.js:34:17:34:29 | output3: null |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| webapp/view/app.view.xml:9:5:9:39 | content={/output1} |
+| webapp/view/app.view.xml:12:5:12:39 | content={/output2} |
+| webapp/view/app.view.xml:17:5:17:39 | content={/output3} |
+edges
+| webapp/controller/app.controller.js:8:26:8:50 | this.ge ... Model() | webapp/controller/app.controller.js:9:25:9:52 | oModel. ... input') |
+| webapp/controller/app.controller.js:9:17:9:21 | input | webapp/controller/app.controller.js:10:44:10:48 | input |
+| webapp/controller/app.controller.js:9:25:9:52 | oModel. ... input') | webapp/controller/app.controller.js:9:17:9:21 | input |
+| webapp/controller/app.controller.js:10:44:10:48 | input | webapp/controller/app.controller.js:8:26:8:50 | this.ge ... Model() |
+| webapp/controller/app.controller.js:10:44:10:48 | input | webapp/controller/app.controller.js:32:17:32:29 | output1: null |
+| webapp/controller/app.controller.js:18:17:18:27 | sInputValue | webapp/controller/app.controller.js:19:44:19:54 | sInputValue |
+| webapp/controller/app.controller.js:18:31:18:59 | oEvent. ... Value() | webapp/controller/app.controller.js:18:17:18:27 | sInputValue |
+| webapp/controller/app.controller.js:19:44:19:54 | sInputValue | webapp/controller/app.controller.js:34:17:34:29 | output3: null |
+| webapp/controller/app.controller.js:26:17:26:21 | value | webapp/controller/app.controller.js:27:36:27:40 | value |
+| webapp/controller/app.controller.js:26:25:26:41 | oInput.getValue() | webapp/controller/app.controller.js:26:17:26:21 | value |
+| webapp/controller/app.controller.js:31:17:31:27 | input: null | webapp/controller/app.controller.js:9:25:9:52 | oModel. ... input') |
+| webapp/controller/app.controller.js:31:17:31:27 | input: null | webapp/view/app.view.xml:5:5:7:28 | value={/input} |
+| webapp/controller/app.controller.js:32:17:32:29 | output1: null | webapp/view/app.view.xml:9:5:9:39 | content={/output1} |
+| webapp/controller/app.controller.js:33:17:33:29 | output2: null | webapp/view/app.view.xml:12:5:12:39 | content={/output2} |
+| webapp/controller/app.controller.js:34:17:34:29 | output3: null | webapp/view/app.view.xml:17:5:17:39 | content={/output3} |
+| webapp/controller/app.controller.js:36:26:36:45 | new JSONModel(oData) | webapp/view/app.view.xml:9:5:9:39 | content={/output1} |
+| webapp/controller/app.controller.js:36:26:36:45 | new JSONModel(oData) | webapp/view/app.view.xml:12:5:12:39 | content={/output2} |
+| webapp/controller/app.controller.js:36:26:36:45 | new JSONModel(oData) | webapp/view/app.view.xml:17:5:17:39 | content={/output3} |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:31:17:31:27 | input: null |
+| webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/controller/app.controller.js:36:26:36:45 | new JSONModel(oData) |
+| webapp/view/app.view.xml:9:5:9:39 | content={/output1} | webapp/controller/app.controller.js:32:17:32:29 | output1: null |
+| webapp/view/app.view.xml:12:5:12:39 | content={/output2} | webapp/controller/app.controller.js:33:17:33:29 | output2: null |
+| webapp/view/app.view.xml:17:5:17:39 | content={/output3} | webapp/controller/app.controller.js:34:17:34:29 | output3: null |
+#select
+| webapp/controller/app.controller.js:27:36:27:40 | value | webapp/controller/app.controller.js:26:25:26:41 | oInput.getValue() | webapp/controller/app.controller.js:27:36:27:40 | value | XSS vulnerability due to $@. | webapp/controller/app.controller.js:26:25:26:41 | oInput.getValue() | user-provided value |
+| webapp/view/app.view.xml:9:5:9:39 | content={/output1} | webapp/view/app.view.xml:5:5:7:28 | value={/input} | webapp/view/app.view.xml:9:5:9:39 | content={/output1} | XSS vulnerability due to $@. | webapp/view/app.view.xml:5:5:7:28 | value={/input} | user-provided value |
+| webapp/view/app.view.xml:17:5:17:39 | content={/output3} | webapp/controller/app.controller.js:18:31:18:59 | oEvent. ... Value() | webapp/view/app.view.xml:17:5:17:39 | content={/output3} | XSS vulnerability due to $@. | webapp/controller/app.controller.js:18:31:18:59 | oEvent. ... Value() | user-provided value |
diff --git a/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.qlref b/javascript/frameworks/ui5/test/queries/UI5Xss/xss-eventbus-with-data/UI5Xss.qlref
@@ -0,0 +1 @@
+UI5Xss/UI5Xss.ql
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		UI5Xss/UI5Xss.ql
Check warning Code scanning / CodeQL-Community Query test without inline test expectations Query test does not use inline test expectations.