Merge pull request #116 from advanced-security/jeongsoolee09/log-injection-fortified

Add two log injection applications with custom listeners

Author: jeongsoolee09

.github/workflows/code_scanning.yml

@@ -56,11 +56,18 @@ jobs:
         done
 
     # Initializes the CodeQL tools for scanning.
+    - name: Extract version from qlt.conf.json
+      uses: sergeysova/jq-action@v2
+      id: version
+      with:
+        cmd: 'jq .CodeQLCLIBundle qlt.conf.json -r'
+            
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
         languages: javascript
         config-file: ./.github/codeql/codeql-config.yaml
+        tools: https://github.com/github/codeql-action/releases/download/${{steps.version.outputs.value}}/codeql-bundle-linux64.tar.gz
         debug: true
 
     - name: Perform CodeQL Analysis

.github/workflows/javascript.sarif.expected

@@ -3,7 +3,7 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 0.2.0
 extensionTargets:
-  codeql/javascript-all: "^0.8.7"
-  codeql/javascript-queries: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-queries: "^0.8.16"
 dataExtensions:
-  - "*.model.yml"
+  - "*.model.yml"

javascript/frameworks/cap/ext/qlpack.yml

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/cap/lib/codeql-pack.lock.yml

@@ -5,5 +5,5 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-cap-models: "^0.2.0"

javascript/frameworks/cap/lib/qlpack.yml

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/cap/src/codeql-pack.lock.yml

@@ -5,7 +5,7 @@ version: 0.2.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-cap-models: "^0.2.0"
   advanced-security/javascript-sap-cap-all: "^0.2.0"
-default-suite-file: codeql-suites/javascript-code-scanning.qls
+default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/src/qlpack.yml

@@ -2,27 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/javascript-queries:
-    version: 0.8.7
+    version: 0.8.16
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/suite-helpers:
-    version: 0.7.7
+    version: 0.7.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typos:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/cap/test/codeql-pack.lock.yml

@@ -1,10 +1,10 @@
 ---
 name: advanced-security/javascript-sap-cap-queries-tests
-version: 0.1.0
+version: 0.2.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
-  codeql/javascript-queries: "^0.8.7"
-  advanced-security/javascript-sap-cap-queries: "^0.1.0"
-  advanced-security/javascript-sap-cap-models: "^0.1.0"
-  advanced-security/javascript-sap-cap-all: "^0.1.0"
+  codeql/javascript-all: "^0.9.1"
+  codeql/javascript-queries: "^0.8.16"
+  advanced-security/javascript-sap-cap-queries: "^0.2.0"
+  advanced-security/javascript-sap-cap-models: "^0.2.0"
+  advanced-security/javascript-sap-cap-all: "^0.2.0"

javascript/frameworks/cap/test/qlpack.yml

@@ -3,6 +3,6 @@ library: true
 name: advanced-security/javascript-sap-ui5-models
 version: 0.6.0
 extensionTargets:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/ui5/ext/qlpack.yml

@@ -2,7 +2,8 @@ import javascript as stdlib
 
 signature class BindingStringReaderSig {
   string getBindingString();
-  stdlib::Location getLocation();
+
+  stdlib::DbLocation getLocation();
 
   // Get a dataflow node associated with the binding string, if any.
   // Note that not all location from which we can obtain a binding string
@@ -51,7 +52,8 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
       value = ":"
     } or
     MkNumberToken(int begin, int end, string value, BindingStringReader reader) {
-      value = reader.getBindingString().regexpFind("-?[1-9]\\d*(\\.\\d+)?((e|E)?(\\+|-)?\\d+)?", _, begin) and
+      value =
+        reader.getBindingString().regexpFind("-?[1-9]\\d*(\\.\\d+)?((e|E)?(\\+|-)?\\d+)?", _, begin) and
       begin + value.length() - 1 = end
     } or
     MkStringToken(int begin, int end, string value, BindingStringReader reader) {
@@ -95,9 +97,9 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
             .getBindingString()
             .regexpFind("(?:#|#@)?(?:[a-zA-Z][a-zA-Z0-9_]*|[a-zA-Z0-9][a-zA-Z0-9_]:[a-zA-Z0-9_]+)(?:\\([^\\)]*\\))?",
               _, begin) and
-      begin + value.length() - 1 = end
+      begin + value.length() - 1 = end and
       // exclude keyword
-      and not value in ["true", "false", "null"]
+      not value in ["true", "false", "null"]
     } or
     MkGreaterThanToken(int begin, int end, string value, BindingStringReader reader) {
       begin = reader.getBindingString().indexOf(">") and

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll

@@ -60,7 +60,7 @@ private class BindingStringReader extends TBindingString {
     )
   }
 
-  Location getLocation() {
+  DbLocation getLocation() {
     exists(StringLiteral stringLiteral |
       this = TBindingStringFromLiteral(stringLiteral) and
       result = stringLiteral.getLocation()
@@ -221,10 +221,10 @@ private predicate earlyPropertyBinding(
   or
   // Composite binding https://ui5.sap.com/#/topic/a2fe8e763014477e87990ff50657a0d0
   exists(
-    DataFlow::ObjectLiteralNode objectLiteral,
-    DataFlow::ObjectLiteralNode valueLiteral, DataFlow::PropWrite partWrite,
-    DataFlow::ArrayLiteralNode partsArray, DataFlow::ObjectLiteralNode partsElement,
-    DataFlow::PropWrite pathWrite, DataFlow::ValueNode pathValue
+    DataFlow::ObjectLiteralNode objectLiteral, DataFlow::ObjectLiteralNode valueLiteral,
+    DataFlow::PropWrite partWrite, DataFlow::ArrayLiteralNode partsArray,
+    DataFlow::ObjectLiteralNode partsElement, DataFlow::PropWrite pathWrite,
+    DataFlow::ValueNode pathValue
   |
     objectLiteral.getAPropertyWrite() = bindingTarget and
     bindingTarget.writes(_, "value", binding) and

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll

@@ -7,7 +7,7 @@ private class DataFromRemoteControlReference extends RemoteFlowSource, MethodCal
   DataFromRemoteControlReference() {
     exists(UI5Control sourceControl, string typeAlias, ControlReference controlReference |
       ApiGraphModelsExtensions::typeModel(typeAlias, sourceControl.getImportPath(), _) and
-      ApiGraphModelsExtensions::sourceModel(typeAlias, _, "remote") and
+      ApiGraphModelsExtensions::sourceModel(typeAlias, _, "remote", _) and
       sourceControl.getAReference() = controlReference and
       controlReference.flowsTo(this.getReceiver()) and
       this.getMethodName() = "getValue"

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -182,10 +182,6 @@ abstract class UI5BindingPath extends BindingPath {
 
 class XmlControlProperty extends XmlAttribute {
   XmlControlProperty() { exists(UI5Control control | this.getElement() = control.asXmlControl()) }
-
-  override string getName() { result = XmlAttribute.super.getName() }
-
-  override string getValue() { result = XmlAttribute.super.getValue() }
 }
 
 bindingset[qualifiedTypeUri]
@@ -333,7 +329,7 @@ class JsView extends UI5View {
     exists(DataFlow::ObjectLiteralNode control, string type, string path, string property |
       this = control.getFile() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBinding().getBindingTarget().asDataFlowNode() = control.getAPropertyWrite(property)
     )
@@ -343,7 +339,7 @@ class JsView extends UI5View {
     exists(DataFlow::ObjectLiteralNode control, string type, string path, string property |
       this = control.getFile() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBinding().getBindingTarget().asDataFlowNode() = control.getAPropertyWrite(property)
     )
@@ -386,7 +382,7 @@ class JsonView extends UI5View {
     exists(JsonObject control, string type, string path, string property |
       root = control.getParent+() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control
     )
@@ -396,7 +392,7 @@ class JsonView extends UI5View {
     exists(JsonObject control, string type, string path, string property |
       root = control.getParent+() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control
     )
@@ -537,7 +533,7 @@ class HtmlView extends UI5View, HTML::HtmlFile {
     exists(HTML::Element control, string type, string path, string property |
       this = control.getFile() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control.getAttributeByName("data-" + property)
     )
@@ -547,7 +543,7 @@ class HtmlView extends UI5View, HTML::HtmlFile {
     exists(HTML::Element control, string type, string path, string property |
       this = control.getFile() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control.getAttributeByName("data-" + property)
     )
@@ -638,7 +634,7 @@ class XmlRootElement extends XmlElement {
   }
 }
 
-class XmlView extends UI5View, XmlFile {
+class XmlView extends UI5View instanceof XmlFile {
   XmlRootElement root;
 
   XmlView() {
@@ -663,7 +659,7 @@ class XmlView extends UI5View, XmlFile {
     exists(XmlElement control, string type, string path, string property |
       this = control.getFile() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote") and
+      ApiGraphModelsExtensions::sourceModel(getASuperType(type), path, "remote", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control.getAttribute(property)
     )
@@ -673,7 +669,7 @@ class XmlView extends UI5View, XmlFile {
     exists(XmlElement control, string type, string path, string property |
       this = control.getFile() and
       type = result.getControlTypeName() and
-      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection") and
+      ApiGraphModelsExtensions::sinkModel(getASuperType(type), path, "ui5-html-injection", _) and
       property = path.replaceAll(" ", "").regexpCapture("Member\\[([^\\]]+)\\]", 1) and
       result.getBindingTarget() = control.getAttribute(property) and
       /* If the control is an `sap.ui.core.HTML` then the control should be missing the `sanitizeContent` attribute */

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -2,21 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.1.7
+    version: 0.2.7
   codeql/javascript-all:
-    version: 0.8.7
+    version: 0.9.1
   codeql/mad:
-    version: 0.2.7
+    version: 0.2.16
   codeql/regex:
-    version: 0.2.7
+    version: 0.2.16
   codeql/ssa:
-    version: 0.2.7
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.2.7
+    version: 0.2.16
   codeql/typetracking:
-    version: 0.2.7
+    version: 0.2.16
   codeql/util:
-    version: 0.2.7
+    version: 0.2.16
+  codeql/xml:
+    version: 0.0.3
   codeql/yaml:
-    version: 0.2.7
+    version: 0.2.16
 compiled: false

javascript/frameworks/ui5/lib/codeql-pack.lock.yml

@@ -5,5 +5,5 @@ version: 0.6.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^0.8.7"
+  codeql/javascript-all: "^0.9.1"
   advanced-security/javascript-sap-ui5-models: "^0.6.0"