From 1d35a02d4b9bb0e355a6b67d980730f124c0f3da Mon Sep 17 00:00:00 2001 
From: Mauro Baluda Date: Mon, 26 Jun 2023 20:26:12 +0200 Subject: [PATCH 01/11] Working unit tests --- .../{codeql-pack.yml => qlpack.yml} | 4 +- ...-extension.yml => ui5-data-extensions.yml} | 12 ++-- .github/workflows/codeql.yml | 2 +- codeql-workspace.yml | 1 - integration-tests/README.md | 27 --------- integration-tests/codeql-workspace.yml | 3 - {ui5-models => src}/codeql-pack.lock.yml | 0 {ui5-models => src/models}/UI5.qll | 0 {ui5-models => src/models}/UI5AMDModule.qll | 0 {ui5-models => src}/qlpack.yml | 3 +- .../queries}/XssWithCustomControl.ql | 2 +- test/{ => models}/control/control.js | 0 test/{ => models}/sink/sink.js | 0 test/models/sink/sinkTest.expected | 11 ++++ test/models/sink/sinkTest.ql | 7 +++ test/models/source/source.js | 45 ++++++++++++++ test/models/source/sourceTest.expected | 14 +++++ test/{ => models}/source/sourceTest.ql | 2 +- test/{ => models}/summary/summary.js | 0 test/{ => models}/validate/validate.js | 0 test/qlpack.yml | 10 ++-- test/queries/README.md | 30 ++++++++++ test/queries/XssWithCustomControl.qlref | 1 + .../xss-custom-control-api1/package-lock.json | 0 .../xss-custom-control-api1/package.json | 0 .../queries}/xss-custom-control-api1/ui5.yaml | 0 .../webapp/control/xss.js | 0 .../webapp/controller/app.controller.js | 0 .../xss-custom-control-api1/webapp/index.html | 0 .../xss-custom-control-api1/webapp/index.js | 0 .../webapp/manifest.json | 0 .../webapp/view/app.view.xml | 0 .../xss-custom-control-api2/package-lock.json | 0 .../xss-custom-control-api2/package.json | 0 .../queries}/xss-custom-control-api2/ui5.yaml | 0 .../webapp/control/xss.js | 0 .../webapp/controller/app.controller.js | 0 .../xss-custom-control-api2/webapp/index.html | 0 .../xss-custom-control-api2/webapp/index.js | 0 .../webapp/manifest.json | 0 .../webapp/view/app.view.xml | 0 .../package-lock.json | 0 .../xss-custom-control-jquery/package.json | 0 .../xss-custom-control-jquery/ui5.yaml | 0 .../webapp/control/xss.js | 0 
.../webapp/controller/app.controller.js | 0 .../webapp/index.html | 0 .../xss-custom-control-jquery/webapp/index.js | 0 .../webapp/manifest.json | 0 .../webapp/view/app.view.xml | 0 .../xss-html-control/package-lock.json | 0 .../queries}/xss-html-control/package.json | 0 .../queries}/xss-html-control/ui5.yaml | 0 .../webapp/controller/app.controller.js | 0 .../xss-html-control/webapp/index.html | 0 .../queries}/xss-html-control/webapp/index.js | 0 .../xss-html-control/webapp/manifest.json | 0 .../xss-html-control/webapp/view/app.view.xml | 2 +- .../queries}/xss-json-view/package-lock.json | 0 .../queries}/xss-json-view/package.json | 0 .../queries}/xss-json-view/ui5.yaml | 0 .../xss-json-view/webapp/control/xss.js | 0 .../webapp/controller/app.controller.js | 0 .../queries}/xss-json-view/webapp/index.html | 0 .../queries}/xss-json-view/webapp/index.js | 0 .../xss-json-view/webapp/manifest.json | 0 .../xss-json-view/webapp/view/app.view.json | 0 .../package-lock.json | 0 .../xss-separate-renderer-byname/package.json | 0 .../xss-separate-renderer-byname/ui5.yaml | 0 .../webapp/control/xss.js | 0 .../webapp/control/xssRenderer.js | 0 .../webapp/controller/app.controller.js | 0 .../webapp/index.html | 0 .../webapp/index.js | 0 .../webapp/manifest.json | 0 .../webapp/view/app.view.xml | 0 .../xss-separate-renderer/package-lock.json | 0 .../xss-separate-renderer/package.json | 0 .../queries}/xss-separate-renderer/ui5.yaml | 0 .../webapp/control/renderer.js | 0 .../webapp/control/xss.js | 0 .../webapp/controller/app.controller.js | 0 .../xss-separate-renderer/webapp/index.html | 0 .../xss-separate-renderer/webapp/index.js | 0 .../webapp/manifest.json | 0 .../webapp/view/app.view.xml | 0 test/sink/sinkTest.expected | 0 test/sink/sinkTest.ql | 11 ---- test/source/source.js | 59 ------------------- test/source/sourceTest.expected | 0 ui5-queries/codeql-pack.lock.yml | 14 ----- ui5-queries/qlpack.yml | 7 --- 93 files changed, 128 insertions(+), 139 deletions(-) rename 
.github/codeql/extensions/{codeql-pack.yml => qlpack.yml} (66%) rename .github/codeql/extensions/{ui5-data-extension.yml => ui5-data-extensions.yml} (90%) delete mode 100644 integration-tests/codeql-workspace.yml rename {ui5-models => src}/codeql-pack.lock.yml (100%) rename {ui5-models => src/models}/UI5.qll (100%) rename {ui5-models => src/models}/UI5AMDModule.qll (100%) rename {ui5-models => src}/qlpack.yml (66%) rename {ui5-queries => src/queries}/XssWithCustomControl.ql (98%) rename test/{ => models}/control/control.js (100%) rename test/{ => models}/sink/sink.js (100%) create mode 100644 test/models/sink/sinkTest.expected create mode 100644 test/models/sink/sinkTest.ql create mode 100644 test/models/source/source.js create mode 100644 test/models/source/sourceTest.expected rename test/{ => models}/source/sourceTest.ql (86%) rename test/{ => models}/summary/summary.js (100%) rename test/{ => models}/validate/validate.js (100%) create mode 100644 test/queries/README.md create mode 100644 test/queries/XssWithCustomControl.qlref rename {integration-tests => test/queries}/xss-custom-control-api1/package-lock.json (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/package.json (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/webapp/control/xss.js (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/webapp/controller/app.controller.js (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/webapp/manifest.json (100%) rename {integration-tests => test/queries}/xss-custom-control-api1/webapp/view/app.view.xml (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/package-lock.json (100%) rename 
{integration-tests => test/queries}/xss-custom-control-api2/package.json (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/webapp/control/xss.js (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/webapp/controller/app.controller.js (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/webapp/manifest.json (100%) rename {integration-tests => test/queries}/xss-custom-control-api2/webapp/view/app.view.xml (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/package-lock.json (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/package.json (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/webapp/control/xss.js (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/webapp/controller/app.controller.js (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/webapp/manifest.json (100%) rename {integration-tests => test/queries}/xss-custom-control-jquery/webapp/view/app.view.xml (100%) rename {integration-tests => test/queries}/xss-html-control/package-lock.json (100%) rename {integration-tests => test/queries}/xss-html-control/package.json (100%) rename {integration-tests => test/queries}/xss-html-control/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-html-control/webapp/controller/app.controller.js (100%) rename {integration-tests => 
test/queries}/xss-html-control/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-html-control/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-html-control/webapp/manifest.json (100%) rename {integration-tests => test/queries}/xss-html-control/webapp/view/app.view.xml (81%) rename {integration-tests => test/queries}/xss-json-view/package-lock.json (100%) rename {integration-tests => test/queries}/xss-json-view/package.json (100%) rename {integration-tests => test/queries}/xss-json-view/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-json-view/webapp/control/xss.js (100%) rename {integration-tests => test/queries}/xss-json-view/webapp/controller/app.controller.js (100%) rename {integration-tests => test/queries}/xss-json-view/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-json-view/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-json-view/webapp/manifest.json (100%) rename {integration-tests => test/queries}/xss-json-view/webapp/view/app.view.json (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/package-lock.json (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/package.json (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/webapp/control/xss.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/webapp/control/xssRenderer.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/webapp/controller/app.controller.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer-byname/webapp/manifest.json (100%) rename {integration-tests => 
test/queries}/xss-separate-renderer-byname/webapp/view/app.view.xml (100%) rename {integration-tests => test/queries}/xss-separate-renderer/package-lock.json (100%) rename {integration-tests => test/queries}/xss-separate-renderer/package.json (100%) rename {integration-tests => test/queries}/xss-separate-renderer/ui5.yaml (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/control/renderer.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/control/xss.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/controller/app.controller.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/index.html (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/index.js (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/manifest.json (100%) rename {integration-tests => test/queries}/xss-separate-renderer/webapp/view/app.view.xml (100%) delete mode 100644 test/sink/sinkTest.expected delete mode 100644 test/sink/sinkTest.ql delete mode 100644 test/source/source.js delete mode 100644 test/source/sourceTest.expected delete mode 100644 ui5-queries/codeql-pack.lock.yml delete mode 100644 ui5-queries/qlpack.yml diff --git a/.github/codeql/extensions/codeql-pack.yml b/.github/codeql/extensions/qlpack.yml similarity index 66% rename from .github/codeql/extensions/codeql-pack.yml rename to .github/codeql/extensions/qlpack.yml index e4525192e..9d38182d4 100644 --- a/.github/codeql/extensions/codeql-pack.yml +++ b/.github/codeql/extensions/qlpack.yml @@ -1,9 +1,9 @@ --- library: true -name: sap-js/ui5-data-extension-pack +name: sap-js/ui5-data-extensions-pack version: 0.0.1 extensionTargets: codeql/javascript-all: "*" codeql/javascript-queries: "*" dataExtensions: - - ui5-data-extension.yml + - ui5-data-extensions.yml 
diff --git a/.github/codeql/extensions/ui5-data-extension.yml b/.github/codeql/extensions/ui5-data-extensions.yml similarity index 90% rename from .github/codeql/extensions/ui5-data-extension.yml rename to .github/codeql/extensions/ui5-data-extensions.yml index b6bb19243..dcf455a7f 100644 --- a/.github/codeql/extensions/ui5-data-extension.yml +++ b/.github/codeql/extensions/ui5-data-extensions.yml @@ -16,13 +16,14 @@ extensions: pack: codeql/javascript-all extensible: sourceModel data: - # sap.ui.commons.TextField.value + # sap.ui.commons.TextField.value sap.ui.commons.TextField#getValue - ["sap/ui/commons/TextField", "Instance.Member[value]", "remote"] - # sap.m.InputBase.value + - ["sap/ui/commons/TextField", "Instance.Member[getValue].ReturnValue", "remote"] + # sap.m.InputBase.value sap.m.InputBase#getValue - ["sap/m/InputBase", "Instance.Member[value]", "remote"] - # sap.m.Input.value + - ["sap/m/InputBase", "Instance.Member[getValue]", "remote"] + # sap.m.Input.value sap.m.Input#getValue() - ["sap/m/Input", "Instance.Member[value]", "remote"] - # sap.m.Input#getValue() - ["sap/m/Input", "Instance.Member[getValue].ReturnValue", "remote"] # jQuery.sap.getUriParameters() return - ["global", "Member[jQuery].Member[sap].Member[getUriParameters].ReturnValue.Member[get]", "remote"] @@ -36,8 +37,7 @@ extensions: - ["global", "Member[jQuery].Member[sap].Member[syncPost].ReturnValue", "remote"] # jQuery.sap.syncPostText() return - ["global", "Member[jQuery].Member[sap].Member[syncPostText].ReturnValue", "remote"] - # UriParameters#get - # UriParameters#getAll + # UriParameters#get UriParameters#getAll - ["sap/base/util/UriParameters", "Member[fromQuery].ReturnValue.Member[get].ReturnValue", "remote"] - ["sap/base/util/UriParameters", "Member[fromQuery].ReturnValue.Member[getAll].ReturnValue", "remote"] - addsTo: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1733e6fbd..a36532593 100644 --- a/.github/workflows/codeql.yml 
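Review bot: The new `- ["sap/m/InputBase", "Instance.Member[getValue]", "remote"]` row lacks the `.ReturnValue` step that the neighbouring TextField and Input `getValue` rows carry, so it appears to tag the method reference rather than the string the getter returns; unless that is deliberate it should read `- ["sap/m/InputBase", "Instance.Member[getValue].ReturnValue", "remote"]`. The new source.js fixture only reads `ib.value`, never `ib.getValue()`, so sourceTest would not notice the difference; adding `remoteInput = ib.getValue();` there would pin it. The merged comment lines such as `# sap.ui.commons.TextField.value sap.ui.commons.TextField#getValue` now describe two rows each; one comment per row reads more clearly in a data-extension file that others will extend.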
+++ b/.github/workflows/codeql.yml @@ -53,7 +53,7 @@ jobs: # Prefix the list here with "+" to use these queries and those in the config file. # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + queries: security-extended,./test/queries/XssWithCustomControl.ql,./test/models/source/sourceTest.ql,./test/models/sink/sinkTest.ql # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). diff --git a/codeql-workspace.yml b/codeql-workspace.yml index f8edfa90d..95b958985 100644 --- a/codeql-workspace.yml +++ b/codeql-workspace.yml @@ -1,3 +1,2 @@ provide: - "**/qlpack.yml" - - "**/codeql-workspace.yml" diff --git a/integration-tests/README.md b/integration-tests/README.md index 0221cd786..64bdc2d54 100644 --- a/integration-tests/README.md +++ b/integration-tests/README.md @@ -9,30 +9,3 @@ Not fully working, meaning you cannot run `ui5 serve` and play with the app, tes Anyways, here is the app's structure pertaining to the XSS vulnerability: ![Diagram of current app](./xss-example/diagram.svg "Diagram") - -## xss-custom-control-api1 -- custom Control -- classic string-based API -- `renderer` property is set to a render function - -## xss-custom-control-api2 -- custom Control -- DOM-like API -- `renderer` property is set to an object literal - -## xss-custom-control-jquery -- custom Control declared using JQuery - -## xss-html-control -- `sap.ui.core.HTML` Control - -## xss-json-view -- `sap.ui.core.mvc.JSONView` View - -## xss-separate-renderer -- `renderer` property is set to a class name (a string) -- Renderer implemented in it's own module - -## xss-separate-renderer-byname -- `renderer` property is unassigned -- Renderer implemented in its own module with naming convention `Renderer` 
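Review bot: `queries: security-extended,./test/queries/XssWithCustomControl.ql,...` references a path this commit does not create: the query is moved to `src/queries/XssWithCustomControl.ql` and `test/queries/` only gains a `.qlref`, so the analyze step would fail to resolve the query. The two unit-test queries listed after it (`sourceTest.ql`, `sinkTest.ql`) select bare nodes and carry no `@kind problem` metadata, so code scanning cannot turn their rows into alerts even when they resolve; they belong to `codeql test run`, not to the scanning workflow. Suggest `queries: security-extended,./src/queries/XssWithCustomControl.ql` (or referencing the `sap-js/ui5` pack) and leaving the test queries to the unit-test job.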
diff --git a/integration-tests/codeql-workspace.yml b/integration-tests/codeql-workspace.yml deleted file mode 100644 index f8edfa90d..000000000 --- a/integration-tests/codeql-workspace.yml +++ /dev/null @@ -1,3 +0,0 @@ -provide: - - "**/qlpack.yml" - - "**/codeql-workspace.yml" diff --git a/ui5-models/codeql-pack.lock.yml b/src/codeql-pack.lock.yml similarity index 100% rename from ui5-models/codeql-pack.lock.yml rename to src/codeql-pack.lock.yml diff --git a/ui5-models/UI5.qll b/src/models/UI5.qll similarity index 100% rename from ui5-models/UI5.qll rename to src/models/UI5.qll diff --git a/ui5-models/UI5AMDModule.qll b/src/models/UI5AMDModule.qll similarity index 100% rename from ui5-models/UI5AMDModule.qll rename to src/models/UI5AMDModule.qll diff --git a/ui5-models/qlpack.yml b/src/qlpack.yml similarity index 66% rename from ui5-models/qlpack.yml rename to src/qlpack.yml index 1bf353057..5f52fc6d5 100644 --- a/ui5-models/qlpack.yml +++ b/src/qlpack.yml @@ -1,6 +1,7 @@ --- library: true -name: sap-js/ui5-models +name: sap-js/ui5 version: 0.0.1 +extractor: javascript dependencies: codeql/javascript-all: "*" diff --git a/ui5-queries/XssWithCustomControl.ql b/src/queries/XssWithCustomControl.ql similarity index 98% rename from ui5-queries/XssWithCustomControl.ql rename to src/queries/XssWithCustomControl.ql index 050b27dca..fe5e1dc2e 100644 --- a/ui5-queries/XssWithCustomControl.ql +++ b/src/queries/XssWithCustomControl.ql @@ -1,5 +1,5 @@ import javascript -import UI5::UI5 +import models.UI5::UI5 import semmle.javascript.security.dataflow.DomBasedXssQuery class XssWithCustomControl extends Configuration { diff --git a/test/control/control.js b/test/models/control/control.js similarity index 100% rename from test/control/control.js rename to test/models/control/control.js diff --git a/test/sink/sink.js b/test/models/sink/sink.js similarity index 100% rename from test/sink/sink.js rename to test/models/sink/sink.js 
diff --git a/test/models/sink/sinkTest.expected b/test/models/sink/sinkTest.expected
new file mode 100644
index 000000000..52450fd1c
--- /dev/null
+++ b/test/models/sink/sinkTest.expected
@@ -0,0 +1,11 @@
+| sink.js:12:31:12:34 | code |
+| sink.js:15:52:15:55 | code |
+| sink.js:17:24:17:27 | code |
+| sink.js:19:25:19:28 | code |
+| sink.js:23:22:23:25 | code |
+| sink.js:27:18:27:21 | code |
+| sink.js:29:27:29:30 | code |
+| sink.js:31:34:31:37 | code |
+| sink.js:33:21:33:24 | code |
+| sink.js:35:21:35:24 | code |
+| sink.js:37:23:37:26 | code |
diff --git a/test/models/sink/sinkTest.ql b/test/models/sink/sinkTest.ql
new file mode 100644
index 000000000..82ba1224f
--- /dev/null
+++ b/test/models/sink/sinkTest.ql
@@ -0,0 +1,7 @@
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXssQuery
+import models.UI5AMDModule
+
+from DataFlow::Configuration cfg, DataFlow::Node sink
+where cfg.isSink(sink, _)
+select sink
diff --git a/test/models/source/source.js b/test/models/source/source.js
new file mode 100644
index 000000000..2b6ead789
--- /dev/null
+++ b/test/models/source/source.js
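Review bot: `where cfg.isSink(sink, _)` in sinkTest.ql consults only the flow-label overload; a configuration that overrides just the unary `isSink(node)` contributes nothing to it, so depending on how DomBasedXssQuery's Configuration declares its sinks the test may exercise fewer sinks than intended. `where cfg.isSink(sink) or cfg.isSink(sink, _)` covers both overloads; the same applies to `isSource(source, _)` in test/models/source/sourceTest.ql. The query also has no QLDoc; a header such as `/** Lists every XSS sink the UI5 models recognise in sink.js; compare against sinkTest.expected. */` would tell the next reader what a change in the expected file means.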
@@ -0,0 +1,45 @@
+sap.ui.require(["sap/ui/commons/TextField", "sap/m/InputBase", "sap/m/Input", "sap/base/util/UriParameters"],
+ function (TextField, InputBase, Input, UriParameters) {
+
+ ////////
+ // Sources of user-controlled data
+ ////////
+
+ // sap.ui.commons.TextField.value
+ var f = new TextField();
+ var remoteInput = f.value;
+
+ // sap.m.InputBase.value
+ var ib = new InputBase();
+ remoteInput = ib.value;
+
+ // sap.m.Input.value
+ // sap.m.Input#setValue()
+ var input = new Input();
+ remoteInput = input.value;
+ remoteInput = input.getValue();
+
+ // jQuery.sap.getUriParameters() return
+ var value = jQuery.sap.getUriParameters().get("foo");
+
+ // jQuery.sap.syncHead return
+ var value = jQuery.sap.syncHead("url", "param")
+
+ // jQuery.sap.syncGet return
+ var value = jQuery.sap.syncGet("url", "param")
+
+ // jQuery.sap.syncGetText return
+ var value = jQuery.sap.syncGetText("url", "param")
+
+ // jQuery.sap.syncPost return
+ var value = jQuery.sap.syncPost("url", "param")
+
+ // jQuery.sap.syncPostText return
+ var value = jQuery.sap.syncPostText("url", "param")
+
+ // UriParameters#get
+ // UriParameters#getAll
+ var uri = UriParameters.fromQuery(window.location.search)
+ var sValue = uri.get("foo")
+ var sValue = uri.getAll("foo")
+ });
diff --git a/test/models/source/sourceTest.expected b/test/models/source/sourceTest.expected
new file mode 100644
index 000000000..08a2905f7
--- /dev/null
+++ b/test/models/source/sourceTest.expected
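Review bot: The comment `// sap.m.Input#setValue()` on line 17 of source.js does not match the code two lines below it, which exercises `input.getValue()`; it should read `// sap.m.Input#getValue()`, as the data-extension file does. The fixture also redeclares `var value` six times and drops the semicolon on the `jQuery.sap.sync*` and `UriParameters` lines; because sourceTest.expected pins exact line and column positions, keeping the statements uniform (one `var` per distinct name, semicolons throughout) avoids needless expected-file churn when a line is later touched.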
@@ -0,0 +1,14 @@ +| source.js:10:27:10:33 | f.value | +| source.js:14:23:14:30 | ib.value | +| source.js:19:23:19:33 | input.value | +| source.js:20:23:20:38 | input.getValue() | +| source.js:23:21:23:53 | jQuery. ... s().get | +| source.js:26:21:26:55 | jQuery. ... param") | +| source.js:29:21:29:54 | jQuery. ... param") | +| source.js:32:21:32:58 | jQuery. ... param") | +| source.js:35:21:35:55 | jQuery. ... param") | +| source.js:38:21:38:59 | jQuery. ... param") | +| source.js:42:43:42:57 | window.location | +| source.js:42:43:42:64 | window. ... .search | +| source.js:43:22:43:35 | uri.get("foo") | +| source.js:44:22:44:38 | uri.getAll("foo") | diff --git a/test/source/sourceTest.ql b/test/models/source/sourceTest.ql similarity index 86% rename from test/source/sourceTest.ql rename to test/models/source/sourceTest.ql index 4b25f7afa..b4b8d4aaa 100644 --- a/test/source/sourceTest.ql +++ b/test/models/source/sourceTest.ql @@ -1,6 +1,6 @@ import javascript import semmle.javascript.security.dataflow.DomBasedXssQuery -import UI5AMDModule +import models.UI5AMDModule from DataFlow::Configuration cfg, DataFlow::Node source where cfg.isSource(source, _) diff --git a/test/summary/summary.js b/test/models/summary/summary.js similarity index 100% rename from test/summary/summary.js rename to test/models/summary/summary.js diff --git a/test/validate/validate.js b/test/models/validate/validate.js similarity index 100% rename from test/validate/validate.js rename to test/models/validate/validate.js diff --git a/test/qlpack.yml b/test/qlpack.yml index 7e177c1d0..a52e4552c 100644 --- a/test/qlpack.yml +++ b/test/qlpack.yml @@ -1,7 +1,9 @@ --- -library: false -name: sap-js/ui5-models-test +library: true +name: sap-js/ui5-test version: 0.0.1 -dependencies: - sap-js/ui5-models: "*" extractor: javascript +dependencies: + sap-js/ui5: "*" + codeql/javascript-all: "*" + sap-js/ui5-data-extensions-pack: "*" 
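Review bot: The rows `source.js:42:43:42:57 | window.location` and `source.js:42:43:42:64 | window. ... .search` in sourceTest.expected are presumably produced by CodeQL's built-in DOM location sources rather than by the UI5 data extensions this test is meant to check, so the expected file couples the test to upstream library behaviour. If the intent is to isolate the model, the fixture could pass `UriParameters.fromQuery` a literal such as `"?foo=bar"` so that only the `uri.get`/`uri.getAll` rows remain; otherwise a comment in source.js stating that the two `window.location` rows are upstream baseline would save the next person a puzzled diff.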
diff --git a/test/queries/README.md b/test/queries/README.md
new file mode 100644
index 000000000..2f22bc1fc
--- /dev/null
+++ b/test/queries/README.md
@@ -0,0 +1,30 @@
+# Queries unit tests
+
+All XSS examples run locally using the [UI5 tooling](https://sap.github.io/ui5-tooling/stable/)
+
+## xss-custom-control-api1
+- custom Control
+- classic string-based API
+- `renderer` property is set to a render function
+
+## xss-custom-control-api2
+- custom Control
+- DOM-like API
+- `renderer` property is set to an object literal
+
+## xss-custom-control-jquery
+- custom Control declared using JQuery
+
+## xss-html-control
+- `sap.ui.core.HTML` Control
+
+## xss-json-view
+- `sap.ui.core.mvc.JSONView` View
+
+## xss-separate-renderer
+- `renderer` property is set to a class name (a string)
+- Renderer implemented in it's own module
+
+## xss-separate-renderer-byname
+- `renderer` property is unassigned
+- Renderer implemented in its own module with naming convention `Renderer`
diff --git a/test/queries/XssWithCustomControl.qlref b/test/queries/XssWithCustomControl.qlref
new file mode 100644
index 000000000..3d249c242
--- /dev/null
+++ b/test/queries/XssWithCustomControl.qlref
@@ -0,0 +1 @@
+queries/XssWithCustomControl.ql
\ No newline at end of file
diff --git a/integration-tests/xss-custom-control-api1/package-lock.json b/test/queries/xss-custom-control-api1/package-lock.json
similarity index 100%
rename from integration-tests/xss-custom-control-api1/package-lock.json
rename to test/queries/xss-custom-control-api1/package-lock.json
diff --git a/integration-tests/xss-custom-control-api1/package.json b/test/queries/xss-custom-control-api1/package.json
similarity index 100%
rename from integration-tests/xss-custom-control-api1/package.json
rename to test/queries/xss-custom-control-api1/package.json
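Review bot: `test/queries/XssWithCustomControl.qlref` is added without a companion `XssWithCustomControl.expected` (none appears in the diffstat), so `codeql test run` on the test pack will report this test as failing and write an `.actual` file on first execution; the reviewed expected output should be committed alongside the qlref, which also lacks a trailing newline. The qlref path `queries/XssWithCustomControl.ql` resolves relative to the `sap-js/ui5` pack root at `src/`, which matches the rename in this commit; a line saying so in test/queries/README.md would help, since that README currently describes only the sample apps.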
diff --git a/integration-tests/xss-custom-control-api1/ui5.yaml b/test/queries/xss-custom-control-api1/ui5.yaml similarity index 100% rename from integration-tests/xss-custom-control-api1/ui5.yaml rename to test/queries/xss-custom-control-api1/ui5.yaml diff --git a/integration-tests/xss-custom-control-api1/webapp/control/xss.js b/test/queries/xss-custom-control-api1/webapp/control/xss.js similarity index 100% rename from integration-tests/xss-custom-control-api1/webapp/control/xss.js rename to test/queries/xss-custom-control-api1/webapp/control/xss.js diff --git a/integration-tests/xss-custom-control-api1/webapp/controller/app.controller.js b/test/queries/xss-custom-control-api1/webapp/controller/app.controller.js similarity index 100% rename from integration-tests/xss-custom-control-api1/webapp/controller/app.controller.js rename to test/queries/xss-custom-control-api1/webapp/controller/app.controller.js diff --git a/integration-tests/xss-custom-control-api1/webapp/index.html b/test/queries/xss-custom-control-api1/webapp/index.html similarity index 100% rename from integration-tests/xss-custom-control-api1/webapp/index.html rename to test/queries/xss-custom-control-api1/webapp/index.html diff --git a/integration-tests/xss-custom-control-api1/webapp/index.js b/test/queries/xss-custom-control-api1/webapp/index.js similarity index 100% rename from integration-tests/xss-custom-control-api1/webapp/index.js rename to test/queries/xss-custom-control-api1/webapp/index.js diff --git a/integration-tests/xss-custom-control-api1/webapp/manifest.json b/test/queries/xss-custom-control-api1/webapp/manifest.json similarity index 100% rename from integration-tests/xss-custom-control-api1/webapp/manifest.json rename to test/queries/xss-custom-control-api1/webapp/manifest.json 
diff --git a/integration-tests/xss-custom-control-api1/webapp/view/app.view.xml b/test/queries/xss-custom-control-api1/webapp/view/app.view.xml similarity index 100% rename from integration-tests/xss-custom-control-api1/webapp/view/app.view.xml rename to test/queries/xss-custom-control-api1/webapp/view/app.view.xml diff --git a/integration-tests/xss-custom-control-api2/package-lock.json b/test/queries/xss-custom-control-api2/package-lock.json similarity index 100% rename from integration-tests/xss-custom-control-api2/package-lock.json rename to test/queries/xss-custom-control-api2/package-lock.json diff --git a/integration-tests/xss-custom-control-api2/package.json b/test/queries/xss-custom-control-api2/package.json similarity index 100% rename from integration-tests/xss-custom-control-api2/package.json rename to test/queries/xss-custom-control-api2/package.json diff --git a/integration-tests/xss-custom-control-api2/ui5.yaml b/test/queries/xss-custom-control-api2/ui5.yaml similarity index 100% rename from integration-tests/xss-custom-control-api2/ui5.yaml rename to test/queries/xss-custom-control-api2/ui5.yaml diff --git a/integration-tests/xss-custom-control-api2/webapp/control/xss.js b/test/queries/xss-custom-control-api2/webapp/control/xss.js similarity index 100% rename from integration-tests/xss-custom-control-api2/webapp/control/xss.js rename to test/queries/xss-custom-control-api2/webapp/control/xss.js diff --git a/integration-tests/xss-custom-control-api2/webapp/controller/app.controller.js b/test/queries/xss-custom-control-api2/webapp/controller/app.controller.js similarity index 100% rename from integration-tests/xss-custom-control-api2/webapp/controller/app.controller.js rename to test/queries/xss-custom-control-api2/webapp/controller/app.controller.js 
diff --git a/integration-tests/xss-custom-control-api2/webapp/index.html b/test/queries/xss-custom-control-api2/webapp/index.html similarity index 100% rename from integration-tests/xss-custom-control-api2/webapp/index.html rename to test/queries/xss-custom-control-api2/webapp/index.html diff --git a/integration-tests/xss-custom-control-api2/webapp/index.js b/test/queries/xss-custom-control-api2/webapp/index.js similarity index 100% rename from integration-tests/xss-custom-control-api2/webapp/index.js rename to test/queries/xss-custom-control-api2/webapp/index.js diff --git a/integration-tests/xss-custom-control-api2/webapp/manifest.json b/test/queries/xss-custom-control-api2/webapp/manifest.json similarity index 100% rename from integration-tests/xss-custom-control-api2/webapp/manifest.json rename to test/queries/xss-custom-control-api2/webapp/manifest.json diff --git a/integration-tests/xss-custom-control-api2/webapp/view/app.view.xml b/test/queries/xss-custom-control-api2/webapp/view/app.view.xml similarity index 100% rename from integration-tests/xss-custom-control-api2/webapp/view/app.view.xml rename to test/queries/xss-custom-control-api2/webapp/view/app.view.xml diff --git a/integration-tests/xss-custom-control-jquery/package-lock.json b/test/queries/xss-custom-control-jquery/package-lock.json similarity index 100% rename from integration-tests/xss-custom-control-jquery/package-lock.json rename to test/queries/xss-custom-control-jquery/package-lock.json diff --git a/integration-tests/xss-custom-control-jquery/package.json b/test/queries/xss-custom-control-jquery/package.json similarity index 100% rename from integration-tests/xss-custom-control-jquery/package.json rename to test/queries/xss-custom-control-jquery/package.json 
diff --git a/integration-tests/xss-custom-control-jquery/ui5.yaml b/test/queries/xss-custom-control-jquery/ui5.yaml similarity index 100% rename from integration-tests/xss-custom-control-jquery/ui5.yaml rename to test/queries/xss-custom-control-jquery/ui5.yaml diff --git a/integration-tests/xss-custom-control-jquery/webapp/control/xss.js b/test/queries/xss-custom-control-jquery/webapp/control/xss.js similarity index 100% rename from integration-tests/xss-custom-control-jquery/webapp/control/xss.js rename to test/queries/xss-custom-control-jquery/webapp/control/xss.js diff --git a/integration-tests/xss-custom-control-jquery/webapp/controller/app.controller.js b/test/queries/xss-custom-control-jquery/webapp/controller/app.controller.js similarity index 100% rename from integration-tests/xss-custom-control-jquery/webapp/controller/app.controller.js rename to test/queries/xss-custom-control-jquery/webapp/controller/app.controller.js diff --git a/integration-tests/xss-custom-control-jquery/webapp/index.html b/test/queries/xss-custom-control-jquery/webapp/index.html similarity index 100% rename from integration-tests/xss-custom-control-jquery/webapp/index.html rename to test/queries/xss-custom-control-jquery/webapp/index.html diff --git a/integration-tests/xss-custom-control-jquery/webapp/index.js b/test/queries/xss-custom-control-jquery/webapp/index.js similarity index 100% rename from integration-tests/xss-custom-control-jquery/webapp/index.js rename to test/queries/xss-custom-control-jquery/webapp/index.js diff --git a/integration-tests/xss-custom-control-jquery/webapp/manifest.json b/test/queries/xss-custom-control-jquery/webapp/manifest.json similarity index 100% rename from integration-tests/xss-custom-control-jquery/webapp/manifest.json rename to test/queries/xss-custom-control-jquery/webapp/manifest.json 
diff --git a/integration-tests/xss-custom-control-jquery/webapp/view/app.view.xml b/test/queries/xss-custom-control-jquery/webapp/view/app.view.xml similarity index 100% rename from integration-tests/xss-custom-control-jquery/webapp/view/app.view.xml rename to test/queries/xss-custom-control-jquery/webapp/view/app.view.xml diff --git a/integration-tests/xss-html-control/package-lock.json b/test/queries/xss-html-control/package-lock.json similarity index 100% rename from integration-tests/xss-html-control/package-lock.json rename to test/queries/xss-html-control/package-lock.json diff --git a/integration-tests/xss-html-control/package.json b/test/queries/xss-html-control/package.json similarity index 100% rename from integration-tests/xss-html-control/package.json rename to test/queries/xss-html-control/package.json diff --git a/integration-tests/xss-html-control/ui5.yaml b/test/queries/xss-html-control/ui5.yaml similarity index 100% rename from integration-tests/xss-html-control/ui5.yaml rename to test/queries/xss-html-control/ui5.yaml diff --git a/integration-tests/xss-html-control/webapp/controller/app.controller.js b/test/queries/xss-html-control/webapp/controller/app.controller.js similarity index 100% rename from integration-tests/xss-html-control/webapp/controller/app.controller.js rename to test/queries/xss-html-control/webapp/controller/app.controller.js diff --git a/integration-tests/xss-html-control/webapp/index.html b/test/queries/xss-html-control/webapp/index.html similarity index 100% rename from integration-tests/xss-html-control/webapp/index.html rename to test/queries/xss-html-control/webapp/index.html diff --git a/integration-tests/xss-html-control/webapp/index.js b/test/queries/xss-html-control/webapp/index.js similarity index 100% rename from integration-tests/xss-html-control/webapp/index.js rename to test/queries/xss-html-control/webapp/index.js 
diff --git a/integration-tests/xss-html-control/webapp/manifest.json b/test/queries/xss-html-control/webapp/manifest.json
similarity index 100%
rename from integration-tests/xss-html-control/webapp/manifest.json
rename to test/queries/xss-html-control/webapp/manifest.json
diff --git a/integration-tests/xss-html-control/webapp/view/app.view.xml b/test/queries/xss-html-control/webapp/view/app.view.xml
similarity index 81%
rename from integration-tests/xss-html-control/webapp/view/app.view.xml
rename to test/queries/xss-html-control/webapp/view/app.view.xml
index 12ed18e2c..bea0eb4fd 100644
--- a/integration-tests/xss-html-control/webapp/view/app.view.xml
+++ b/test/queries/xss-html-control/webapp/view/app.view.xml
@@ -5,5 +5,5 @@ - +
diff --git a/integration-tests/xss-json-view/package-lock.json b/test/queries/xss-json-view/package-lock.json
similarity index 100%
rename from integration-tests/xss-json-view/package-lock.json
rename to test/queries/xss-json-view/package-lock.json
diff --git a/integration-tests/xss-json-view/package.json b/test/queries/xss-json-view/package.json
similarity index 100%
rename from integration-tests/xss-json-view/package.json
rename to test/queries/xss-json-view/package.json
diff --git a/integration-tests/xss-json-view/ui5.yaml b/test/queries/xss-json-view/ui5.yaml
similarity index 100%
rename from integration-tests/xss-json-view/ui5.yaml
rename to test/queries/xss-json-view/ui5.yaml
diff --git a/integration-tests/xss-json-view/webapp/control/xss.js b/test/queries/xss-json-view/webapp/control/xss.js
similarity index 100%
rename from integration-tests/xss-json-view/webapp/control/xss.js
rename to test/queries/xss-json-view/webapp/control/xss.js
diff --git a/integration-tests/xss-json-view/webapp/controller/app.controller.js b/test/queries/xss-json-view/webapp/controller/app.controller.js
similarity index 100%
rename from integration-tests/xss-json-view/webapp/controller/app.controller.js
rename to test/queries/xss-json-view/webapp/controller/app.controller.js
diff --git a/integration-tests/xss-json-view/webapp/index.html b/test/queries/xss-json-view/webapp/index.html
similarity index 100%
rename from integration-tests/xss-json-view/webapp/index.html
rename to test/queries/xss-json-view/webapp/index.html
diff --git a/integration-tests/xss-json-view/webapp/index.js b/test/queries/xss-json-view/webapp/index.js
similarity index 100%
rename from integration-tests/xss-json-view/webapp/index.js
rename to test/queries/xss-json-view/webapp/index.js
diff --git a/integration-tests/xss-json-view/webapp/manifest.json b/test/queries/xss-json-view/webapp/manifest.json
similarity index 100%
rename from integration-tests/xss-json-view/webapp/manifest.json
rename to test/queries/xss-json-view/webapp/manifest.json
diff --git a/integration-tests/xss-json-view/webapp/view/app.view.json b/test/queries/xss-json-view/webapp/view/app.view.json
similarity index 100%
rename from integration-tests/xss-json-view/webapp/view/app.view.json
rename to test/queries/xss-json-view/webapp/view/app.view.json
diff --git a/integration-tests/xss-separate-renderer-byname/package-lock.json b/test/queries/xss-separate-renderer-byname/package-lock.json
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/package-lock.json
rename to test/queries/xss-separate-renderer-byname/package-lock.json
diff --git a/integration-tests/xss-separate-renderer-byname/package.json b/test/queries/xss-separate-renderer-byname/package.json
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/package.json
rename to test/queries/xss-separate-renderer-byname/package.json
diff --git a/integration-tests/xss-separate-renderer-byname/ui5.yaml b/test/queries/xss-separate-renderer-byname/ui5.yaml
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/ui5.yaml
rename to test/queries/xss-separate-renderer-byname/ui5.yaml
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/control/xss.js b/test/queries/xss-separate-renderer-byname/webapp/control/xss.js
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/control/xss.js
rename to test/queries/xss-separate-renderer-byname/webapp/control/xss.js
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/control/xssRenderer.js b/test/queries/xss-separate-renderer-byname/webapp/control/xssRenderer.js
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/control/xssRenderer.js
rename to test/queries/xss-separate-renderer-byname/webapp/control/xssRenderer.js
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/controller/app.controller.js b/test/queries/xss-separate-renderer-byname/webapp/controller/app.controller.js
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/controller/app.controller.js
rename to test/queries/xss-separate-renderer-byname/webapp/controller/app.controller.js
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/index.html b/test/queries/xss-separate-renderer-byname/webapp/index.html
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/index.html
rename to test/queries/xss-separate-renderer-byname/webapp/index.html
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/index.js b/test/queries/xss-separate-renderer-byname/webapp/index.js
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/index.js
rename to test/queries/xss-separate-renderer-byname/webapp/index.js
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/manifest.json b/test/queries/xss-separate-renderer-byname/webapp/manifest.json
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/manifest.json
rename to test/queries/xss-separate-renderer-byname/webapp/manifest.json
diff --git a/integration-tests/xss-separate-renderer-byname/webapp/view/app.view.xml b/test/queries/xss-separate-renderer-byname/webapp/view/app.view.xml
similarity index 100%
rename from integration-tests/xss-separate-renderer-byname/webapp/view/app.view.xml
rename to test/queries/xss-separate-renderer-byname/webapp/view/app.view.xml
diff --git a/integration-tests/xss-separate-renderer/package-lock.json b/test/queries/xss-separate-renderer/package-lock.json
similarity index 100%
rename from integration-tests/xss-separate-renderer/package-lock.json
rename to test/queries/xss-separate-renderer/package-lock.json
diff --git a/integration-tests/xss-separate-renderer/package.json b/test/queries/xss-separate-renderer/package.json
similarity index 100%
rename from integration-tests/xss-separate-renderer/package.json
rename to test/queries/xss-separate-renderer/package.json
diff --git a/integration-tests/xss-separate-renderer/ui5.yaml b/test/queries/xss-separate-renderer/ui5.yaml
similarity index 100%
rename from integration-tests/xss-separate-renderer/ui5.yaml
rename to test/queries/xss-separate-renderer/ui5.yaml
diff --git a/integration-tests/xss-separate-renderer/webapp/control/renderer.js b/test/queries/xss-separate-renderer/webapp/control/renderer.js
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/control/renderer.js
rename to test/queries/xss-separate-renderer/webapp/control/renderer.js
diff --git a/integration-tests/xss-separate-renderer/webapp/control/xss.js b/test/queries/xss-separate-renderer/webapp/control/xss.js
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/control/xss.js
rename to test/queries/xss-separate-renderer/webapp/control/xss.js
diff --git a/integration-tests/xss-separate-renderer/webapp/controller/app.controller.js b/test/queries/xss-separate-renderer/webapp/controller/app.controller.js
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/controller/app.controller.js
rename to test/queries/xss-separate-renderer/webapp/controller/app.controller.js
diff --git a/integration-tests/xss-separate-renderer/webapp/index.html b/test/queries/xss-separate-renderer/webapp/index.html
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/index.html
rename to test/queries/xss-separate-renderer/webapp/index.html
diff --git a/integration-tests/xss-separate-renderer/webapp/index.js b/test/queries/xss-separate-renderer/webapp/index.js
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/index.js
rename to test/queries/xss-separate-renderer/webapp/index.js
diff --git a/integration-tests/xss-separate-renderer/webapp/manifest.json b/test/queries/xss-separate-renderer/webapp/manifest.json
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/manifest.json
rename to test/queries/xss-separate-renderer/webapp/manifest.json
diff --git a/integration-tests/xss-separate-renderer/webapp/view/app.view.xml b/test/queries/xss-separate-renderer/webapp/view/app.view.xml
similarity index 100%
rename from integration-tests/xss-separate-renderer/webapp/view/app.view.xml
rename to test/queries/xss-separate-renderer/webapp/view/app.view.xml
diff --git a/test/sink/sinkTest.expected b/test/sink/sinkTest.expected
deleted file mode 100644
index e69de29bb..000000000
diff --git a/test/sink/sinkTest.ql b/test/sink/sinkTest.ql
deleted file mode 100644
index 35a0e1e31..000000000
--- a/test/sink/sinkTest.ql
+++ /dev/null
@@ -1,11 +0,0 @@
-import javascript
-import UI5AMDModule
-import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions
-
-// import UI5::UI5
-// from DataFlow::Configuration cfg, DataFlow::Node sink
-// where cfg.isSink(sink, _)
-// select sink
-from string type, string path, string kind
-where sinkModel(type, path, kind)
-select type, path, kind
diff --git a/test/source/source.js b/test/source/source.js
deleted file mode 100644
index 48fa90671..000000000
--- a/test/source/source.js
+++ /dev/null
@@ -1,59 +0,0 @@
-sap.ui.require(
- [
- "sap/ui/commons/TextField",
- "sap/m/InputBase",
- "sap/m/Input",
- "sap/base/util/UriParameters",
- ],
- function (TextField, InputBase, Input, UriParameters) {
- ////////
- // Sources of user-controlled data
- ////////
-
- /* TextField Deprecated as of version 1.38 */
- // sap.ui.commons.TextField.value
- var f = new TextField();
- var remoteInput = f.value;
- var inputValue1 = f.getValue();
-
- // sap.m.InputBase.value
- var ib = new InputBase();
- remoteInput = ib.value;
- var inputValue2 = ib.getValue();
-
- // sap.m.Input.value
- // sap.m.Input#setValue()
- var input = new Input();
- remoteInput = input.value;
- remoteInput = input.getValue();
-
- /* The namespace jQuery.sap is deprecated as of version 1.58, so
- I'm not sure if we should be modeling these. */
-
- // jQuery.sap.getUriParameters() return
- var sValue = jQuery.sap.getUriParameters().get("foo");
-
- // jQuery.sap.syncHead return
- var value = jQuery.sap.syncHead("url", "param");
-
- // jQuery.sap.syncGet return
- var value = jQuery.sap.syncGet("url", "param");
-
- // jQuery.sap.syncGetText return
- var value = jQuery.sap.syncGetText("url", "param");
-
- // jQuery.sap.syncPost return
- var value = jQuery.sap.syncPost("url", "param");
-
- // jQuery.sap.syncPostText return
- var value = jQuery.sap.syncPostText("url", "param");
-
- // Q?: should these be summaries as vales are tainted only
- // if the object is tainted
- // UriParameters#get
- // UriParameters#getAll
- var uri = UriParameters.fromQuery(window.location.search);
- var sValue = uri.get("foo");
- var sValue = uri.getAll("foo");
- }
-);
diff --git a/test/source/sourceTest.expected b/test/source/sourceTest.expected
deleted file mode 100644
index e69de29bb..000000000
diff --git a/ui5-queries/codeql-pack.lock.yml b/ui5-queries/codeql-pack.lock.yml
deleted file mode 100644
index 04d1acb4b..000000000
--- a/ui5-queries/codeql-pack.lock.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-lockVersion: 1.0.0
-dependencies:
- codeql/javascript-all:
- version: 0.6.3
- codeql/regex:
- version: 0.0.14
- codeql/tutorial:
- version: 0.0.11
- codeql/util:
- version: 0.0.11
- codeql/yaml:
- version: 0.0.3
-compiled: false
diff --git a/ui5-queries/qlpack.yml b/ui5-queries/qlpack.yml
deleted file mode 100644
index a6a4c252a..000000000
--- a/ui5-queries/qlpack.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-library: false
-name: sap-js/ui5-queries
-version: 0.0.1
-dependencies:
- codeql/javascript-all: "*"
- sap-js/ui5-models: "*"
From 0a2258e04be5a74d572039e044cfd129fa9c565b Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 12:58:07 +0200
Subject: [PATCH 02/11] Update codeql.yml
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a36532593..173836ddf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -53,7 +53,7 @@ jobs:
 # Prefix the list here with "+" to use these queries and those in the config file.
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- queries: security-extended,./test/queries/XssWithCustomControl.ql,./test/models/source/sourceTest.ql,./test/models/sink/sinkTest.ql
+ queries: security-extended,./src/queries/XssWithCustomControl.ql,./test/models/source/sourceTest.ql,./test/models/sink/sinkTest.ql
 # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
From b89ad08e025a67413b39dec058148e3867ddb497 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 14:59:57 +0200
Subject: [PATCH 03/11] Add query metadata
---
 src/queries/XssWithCustomControl.ql | 8 +++++++-
 test/models/sink/sinkTest.expected | 22 ++++++++++----------
 test/models/sink/sinkTest.ql | 8 +++++++-
 test/models/source/sourceTest.expected | 28 +++++++++++++-------------
 test/models/source/sourceTest.ql | 8 +++++++-
 5 files changed, 46 insertions(+), 28 deletions(-)
diff --git a/src/queries/XssWithCustomControl.ql b/src/queries/XssWithCustomControl.ql
index fe5e1dc2e..823ec6fc2 100644
--- a/src/queries/XssWithCustomControl.ql
+++ b/src/queries/XssWithCustomControl.ql
@@ -1,3 +1,9 @@
+/**
+ * @id xss-custom-control
+ * @name XSS with custom control
+ * @kind problem
+ */
+
 import javascript
 import models.UI5::UI5
 import semmle.javascript.security.dataflow.DomBasedXssQuery
@@ -41,4 +47,4 @@ class XssWithCustomControl extends Configuration {
 from XssWithCustomControl xss, UnsafeHtmlXssSource source, UnsafeHtmlXssSink sink
 where xss.hasFlow(source, sink)
-select source, sink
+select source, source.toString(), sink, sink.toString()
diff --git a/test/models/sink/sinkTest.expected b/test/models/sink/sinkTest.expected
index 52450fd1c..20e3cf379 100644
--- a/test/models/sink/sinkTest.expected
+++ b/test/models/sink/sinkTest.expected
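Review bot: The new header declares `@kind problem` while the `where` clause is `xss.hasFlow(source, sink)`, and the new `select source, source.toString(), sink, sink.toString()` reports a flat pair whose message is just the source text, so the resulting code-scanning alert shows neither the route from the user-controlled value to the HTML sink nor a human-readable description. A taint-tracking query is conventionally declared as `@kind path-problem`, imports `DataFlow::PathGraph`, selects on `DataFlow::PathNode` through `hasFlowPath`, and anchors the alert on the sink with a `$@` placeholder for the source; `@problem.severity` and `@tags security` are also missing, which affects how the alert is categorised. The `XssWithCustomControl` class and the `UnsafeHtmlXssSource`/`UnsafeHtmlXssSink` definitions start outside this hunk, and the `.qlref` expected output under `test/queries` would presumably need regenerating for the new result shape.
```ql
/**
 * @id xss-custom-control
 * @name XSS with custom control
 * @kind path-problem
 * @problem.severity error
 * @tags security
 */

import javascript
import models.UI5::UI5
import semmle.javascript.security.dataflow.DomBasedXssQuery
import DataFlow::PathGraph

// … unchanged: XssWithCustomControl configuration …

from XssWithCustomControl xss, DataFlow::PathNode source, DataFlow::PathNode sink
where xss.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
  source.getNode(), "user-provided value"
```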
@@ -1,11 +1,11 @@
-| sink.js:12:31:12:34 | code |
-| sink.js:15:52:15:55 | code |
-| sink.js:17:24:17:27 | code |
-| sink.js:19:25:19:28 | code |
-| sink.js:23:22:23:25 | code |
-| sink.js:27:18:27:21 | code |
-| sink.js:29:27:29:30 | code |
-| sink.js:31:34:31:37 | code |
-| sink.js:33:21:33:24 | code |
-| sink.js:35:21:35:24 | code |
-| sink.js:37:23:37:26 | code |
+| sink.js:12:31:12:34 | code | code |
+| sink.js:15:52:15:55 | code | code |
+| sink.js:17:24:17:27 | code | code |
+| sink.js:19:25:19:28 | code | code |
+| sink.js:23:22:23:25 | code | code |
+| sink.js:27:18:27:21 | code | code |
+| sink.js:29:27:29:30 | code | code |
+| sink.js:31:34:31:37 | code | code |
+| sink.js:33:21:33:24 | code | code |
+| sink.js:35:21:35:24 | code | code |
+| sink.js:37:23:37:26 | code | code |
diff --git a/test/models/sink/sinkTest.ql b/test/models/sink/sinkTest.ql
index 82ba1224f..7e2d276bf 100644
--- a/test/models/sink/sinkTest.ql
+++ b/test/models/sink/sinkTest.ql
@@ -1,7 +1,13 @@
+/**
+ * @id xss-sinks
+ * @name XSS sinks
+ * @kind problem
+ */
+
 import javascript
 import semmle.javascript.security.dataflow.DomBasedXssQuery
 import models.UI5AMDModule
 from DataFlow::Configuration cfg, DataFlow::Node sink
 where cfg.isSink(sink, _)
-select sink
+select sink, sink.toString()
diff --git a/test/models/source/sourceTest.expected b/test/models/source/sourceTest.expected
index 08a2905f7..b1c2a23f8 100644
--- a/test/models/source/sourceTest.expected
+++ b/test/models/source/sourceTest.expected
@@ -1,14 +1,14 @@
-| source.js:10:27:10:33 | f.value |
-| source.js:14:23:14:30 | ib.value |
-| source.js:19:23:19:33 | input.value |
-| source.js:20:23:20:38 | input.getValue() |
-| source.js:23:21:23:53 | jQuery. ... s().get |
-| source.js:26:21:26:55 | jQuery. ... param") |
-| source.js:29:21:29:54 | jQuery. ... param") |
-| source.js:32:21:32:58 | jQuery. ... param") |
-| source.js:35:21:35:55 | jQuery. ... param") |
-| source.js:38:21:38:59 | jQuery. ... param") |
-| source.js:42:43:42:57 | window.location |
-| source.js:42:43:42:64 | window. ... .search |
-| source.js:43:22:43:35 | uri.get("foo") |
-| source.js:44:22:44:38 | uri.getAll("foo") |
+| source.js:10:27:10:33 | f.value | f.value |
+| source.js:14:23:14:30 | ib.value | ib.value |
+| source.js:19:23:19:33 | input.value | input.value |
+| source.js:20:23:20:38 | input.getValue() | input.getValue() |
+| source.js:23:21:23:53 | jQuery. ... s().get | jQuery. ... s().get |
+| source.js:26:21:26:55 | jQuery. ... param") | jQuery. ... param") |
+| source.js:29:21:29:54 | jQuery. ... param") | jQuery. ... param") |
+| source.js:32:21:32:58 | jQuery. ... param") | jQuery. ... param") |
+| source.js:35:21:35:55 | jQuery. ... param") | jQuery. ... param") |
+| source.js:38:21:38:59 | jQuery. ... param") | jQuery. ... param") |
+| source.js:42:43:42:57 | window.location | window.location |
+| source.js:42:43:42:64 | window. ... .search | window. ... .search |
+| source.js:43:22:43:35 | uri.get("foo") | uri.get("foo") |
+| source.js:44:22:44:38 | uri.getAll("foo") | uri.getAll("foo") |
diff --git a/test/models/source/sourceTest.ql b/test/models/source/sourceTest.ql
index b4b8d4aaa..d0c3fc338 100644
--- a/test/models/source/sourceTest.ql
+++ b/test/models/source/sourceTest.ql
@@ -1,7 +1,13 @@
+/**
+ * @id xss-sources
+ * @name XSS sources
+ * @kind problem
+ */
+
 import javascript
 import semmle.javascript.security.dataflow.DomBasedXssQuery
 import models.UI5AMDModule
 from DataFlow::Configuration cfg, DataFlow::Node source
 where cfg.isSource(source, _)
-select source
+select source, source.toString()
From 9b7626bdeda6c6dc71e088bdb79db2dae7003798 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 15:18:51 +0200
Subject: [PATCH 04/11] Update codeql.yml
---
 .github/workflows/codeql.yml | 47 +++--------------------------------
 1 file changed, 3 insertions(+), 44 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 173836ddf..b697b86f0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,14 +1,3 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
 name: "CodeQL"
 on:
@@ -23,22 +12,12 @@ on:
 jobs:
 analyze:
 name: Analyze
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
- timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ runs-on: 'ubuntu-latest'
 permissions:
 actions: read
 contents: read
 security-events: write
- strategy:
- fail-fast: false
- matrix:
- language: [ 'javascript' ]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
- # Use only 'java' to analyze code written in Java, Kotlin or both
- # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
- # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
 steps:
 - name: Checkout repository
 uses: actions/checkout@v3
@@ -47,29 +26,9 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
 with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
-
+ languages: 'javascript'
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- queries: security-extended,./src/queries/XssWithCustomControl.ql,./test/models/source/sourceTest.ql,./test/models/sink/sinkTest.ql
-
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
- # â„šī¸ Command-line programs to run using the OS shell.
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
- # If the Autobuild fails above, remove it and uncomment the following three lines.
- # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
- # - run: |
- # echo "Run, Build Application using script"
- # ./location_of_script_within_repo/buildscript.sh
+ queries: ./src,./test
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v2
From aa4a736018a38049c370daeca5c1e94dac2164e3 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 15:33:27 +0200
Subject: [PATCH 05/11] Update codeql.yml
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b697b86f0..ecd7c52d6 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,7 +26,7 @@ jobs:
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
 with:
- languages: 'javascript'
+ languages: javascript
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 queries: ./src,./test
From a42c6db9be622b3bc647a7a388d1be28cf5c55b4 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 15:41:00 +0200
Subject: [PATCH 06/11] Update codeql.yml
---
 .github/workflows/codeql.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ecd7c52d6..246ac1adb 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,5 +32,3 @@ jobs:
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v2
- with:
- category: "/language:${{matrix.language}}"
From eb643e3289cb8aba82dd3d19b3dcd374624e484f Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 15:45:13 +0200
Subject: [PATCH 07/11] CodeQl workflows
---
 .github/workflows/codeql_queries.yml | 34 +++++++++++++++++++
 .../workflows/{codeql.yml => codeql_test.yml} | 4 +-
 2 files changed, 36 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/codeql_queries.yml
 rename .github/workflows/{codeql.yml => codeql_test.yml} (95%)
diff --git a/.github/workflows/codeql_queries.yml b/.github/workflows/codeql_queries.yml
new file mode 100644
index 000000000..7a9e98922
--- /dev/null
+++ b/.github/workflows/codeql_queries.yml
@@ -0,0 +1,34 @@
+name: "CodeQL Queries"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '39 12 * * 2'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: 'ubuntu-latest'
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: javascript
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ queries: security-extended,./src
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql_test.yml
similarity index 95%
rename from .github/workflows/codeql.yml
rename to .github/workflows/codeql_test.yml
index 246ac1adb..5d82ab44f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql_test.yml
@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: "CodeQL Tests"
 on:
 push:
@@ -28,7 +28,7 @@ jobs:
 with:
 languages: javascript
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- queries: ./src,./test
+ queries: ./test
 - name: Perform CodeQL Analysis
 uses: github/codeql-action/analyze@v2
From db5845bf153fdf6a98021cee2271e4c36fefce07 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 16:06:34 +0200
Subject: [PATCH 08/11] Update qlpack.yml
---
 .github/codeql/extensions/qlpack.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
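Review bot: The new workflow references `actions/checkout@v3`, `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` by mutable major tag while the job holds `security-events: write`, so what actually runs on the weekly `schedule` can change without any commit to this repository. Pinning each `uses:` to a full commit SHA, with the tag kept in a trailing comment such as `uses: actions/checkout@<full-sha> # v3`, makes the run reproducible and lets a later bump show up as a reviewable diff. A one-line comment above `queries: security-extended,./src` saying that `./src` is the query pack built from this checkout rather than a published pack would also help the next reader, since the same key in the sibling `codeql_test.yml` hunk points at `./test` for a different purpose.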
diff --git a/.github/codeql/extensions/qlpack.yml b/.github/codeql/extensions/qlpack.yml
index 9d38182d4..b992f5f16 100644
--- a/.github/codeql/extensions/qlpack.yml
+++ b/.github/codeql/extensions/qlpack.yml
@@ -6,4 +6,4 @@ extensionTargets:
 codeql/javascript-all: "*"
 codeql/javascript-queries: "*"
 dataExtensions:
- - ui5-data-extensions.yml
+ - ui5-data-extensions.yaml
From 518507f19948fd93dc7fbd95fea21bda059d2e6b Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 16:06:43 +0200
Subject: [PATCH 09/11] Rename ui5-data-extensions.yml to ui5-data-extensions.yaml
---
 .../{ui5-data-extensions.yml => ui5-data-extensions.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .github/codeql/extensions/{ui5-data-extensions.yml => ui5-data-extensions.yaml} (100%)
diff --git a/.github/codeql/extensions/ui5-data-extensions.yml b/.github/codeql/extensions/ui5-data-extensions.yaml
similarity index 100%
rename from .github/codeql/extensions/ui5-data-extensions.yml
rename to .github/codeql/extensions/ui5-data-extensions.yaml
From 658fba993f49fdff87329b7b80f9bcdf0b6a0424 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 21:02:41 +0200
Subject: [PATCH 10/11] Run CLI unit tests
---
 .github/codeql/extensions/qlpack.yml | 2 +-
 ...xtensions.yaml => ui5-data-extensions.yml} | 3 ++
 .github/workflows/codeql_test.yml | 23 ++++----------
 test/models/source/source.js | 8 +++--
 test/models/source/sourceTest.expected | 30 ++++++++++---------
 5 files changed, 32 insertions(+), 34 deletions(-)
 rename .github/codeql/extensions/{ui5-data-extensions.yaml => ui5-data-extensions.yml} (95%)
diff --git a/.github/codeql/extensions/qlpack.yml b/.github/codeql/extensions/qlpack.yml
index a540bfca5..99106efc2 100644
--- a/.github/codeql/extensions/qlpack.yml
+++ b/.github/codeql/extensions/qlpack.yml
@@ -6,4 +6,4 @@ extensionTargets:
 codeql/javascript-all: "*"
 codeql/javascript-queries: "*"
 dataExtensions:
- - ui5-data-extensions.yaml
\ No newline at end of file
+ - ui5-data-extensions.yml
\ No newline at end of file
diff --git a/.github/codeql/extensions/ui5-data-extensions.yaml b/.github/codeql/extensions/ui5-data-extensions.yml
similarity index 95%
rename from .github/codeql/extensions/ui5-data-extensions.yaml
rename to .github/codeql/extensions/ui5-data-extensions.yml
index dcf455a7f..162e5a907 100644
--- a/.github/codeql/extensions/ui5-data-extensions.yaml
+++ b/.github/codeql/extensions/ui5-data-extensions.yml
@@ -22,6 +22,9 @@ extensions:
 # sap.m.InputBase.value sap.m.InputBase#getValue
 - ["sap/m/InputBase", "Instance.Member[value]", "remote"]
 - ["sap/m/InputBase", "Instance.Member[getValue]", "remote"]
+ # sap.m.SearchField.value sap.m.InputBase#getValue
+ - ["sap/m/SearchField", "Instance.Member[value]", "remote"]
+ - ["sap/m/SearchField", "Instance.Member[getValue]", "remote"]
 # sap.m.Input.value sap.m.Input#getValue()
 - ["sap/m/Input", "Instance.Member[value]", "remote"]
 - ["sap/m/Input", "Instance.Member[getValue].ReturnValue", "remote"]
diff --git a/.github/workflows/codeql_test.yml b/.github/workflows/codeql_test.yml
index 5d82ab44f..3e579a439 100644
--- a/.github/workflows/codeql_test.yml
+++ b/.github/workflows/codeql_test.yml
@@ -1,4 +1,4 @@
-name: "CodeQL Tests"
+name: "UI5 Unit Tests"
 on:
 push:
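Review bot: The added `sap/m/SearchField` row for `getValue` uses the access path `Instance.Member[getValue]`, which models the method reference itself as the remote source, whereas the `sap/m/Input` row two lines below uses `Instance.Member[getValue].ReturnValue`; the regenerated `sourceTest.expected` later in this patch accordingly lists `f.getValue` (columns 27–36, the callee without the call) for `source.js:10` instead of the call result, so taint from `f.getValue()` would start at the wrong node. The row should read `- ["sap/m/SearchField", "Instance.Member[getValue].ReturnValue", "remote"]`; the context row `["sap/m/InputBase", "Instance.Member[getValue]", "remote"]` above appears to have the same shape, though that is outside the change. The new comment `# sap.m.SearchField.value sap.m.InputBase#getValue` is carried over from the InputBase block and should name `sap.m.SearchField#getValue`.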
@@ -10,25 +10,14 @@ on:
 - cron: '39 12 * * 2'
 jobs:
- analyze:
- name: Analyze
+ unit_test:
+ name: Run Unit Tests
 runs-on: 'ubuntu-latest'
- permissions:
- actions: read
- contents: read
- security-events: write
-
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v3
 # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- with:
- languages: javascript
- # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- queries: ./test
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ - run: |
+ codeql test run --show-extractor-output test
diff --git a/test/models/source/source.js b/test/models/source/source.js
index 2b6ead789..7b503d5b2 100644
--- a/test/models/source/source.js
+++ b/test/models/source/source.js
@@ -1,9 +1,13 @@
-sap.ui.require(["sap/ui/commons/TextField", "sap/m/InputBase", "sap/m/Input", "sap/base/util/UriParameters"],
- function (TextField, InputBase, Input, UriParameters) {
+sap.ui.require(["sap/m/SearchField", "sap/ui/commons/TextField", "sap/m/InputBase", "sap/m/Input", "sap/base/util/UriParameters"],
+ function (SearchField, TextField, InputBase, Input, UriParameters) {
 ////////
 // Sources of user-controlled data
 ////////
+ // sap.ui.commons.SearchField.value
+ var f = new SearchField();
+ var remoteInput = f.value;
+ var remoteInput = f.getValue();
 // sap.ui.commons.TextField.value
 var f = new TextField();
diff --git a/test/models/source/sourceTest.expected b/test/models/source/sourceTest.expected
index b1c2a23f8..9b062dcba 100644
--- a/test/models/source/sourceTest.expected
+++ b/test/models/source/sourceTest.expected
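Review bot: The added fixture comment `// sap.ui.commons.SearchField.value` names a namespace that does not match the module the new first line actually requires, `sap/m/SearchField`, so the comment points a reader at the wrong control; `// sap.m.SearchField.value sap.m.SearchField#getValue` would document what the model row being exercised is. The new `var f = new SearchField();` also reuses the name that the TextField block immediately below redeclares; harmless under `var` hoisting for a dataflow fixture, but a distinct name such as `sf` would make the `f.value` / `f.getValue` rows in the expected output easier to attribute to the right control. The enclosing `sap.ui.require` callback continues past the end of this hunk.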
@@ -1,14 +1,16 @@
-| source.js:10:27:10:33 | f.value | f.value |
-| source.js:14:23:14:30 | ib.value | ib.value |
-| source.js:19:23:19:33 | input.value | input.value |
-| source.js:20:23:20:38 | input.getValue() | input.getValue() |
-| source.js:23:21:23:53 | jQuery. ... s().get | jQuery. ... s().get |
-| source.js:26:21:26:55 | jQuery. ... param") | jQuery. ... param") |
-| source.js:29:21:29:54 | jQuery. ... param") | jQuery. ... param") |
-| source.js:32:21:32:58 | jQuery. ... param") | jQuery. ... param") |
-| source.js:35:21:35:55 | jQuery. ... param") | jQuery. ... param") |
-| source.js:38:21:38:59 | jQuery. ... param") | jQuery. ... param") |
-| source.js:42:43:42:57 | window.location | window.location |
-| source.js:42:43:42:64 | window. ... .search | window. ... .search |
-| source.js:43:22:43:35 | uri.get("foo") | uri.get("foo") |
-| source.js:44:22:44:38 | uri.getAll("foo") | uri.getAll("foo") |
+| source.js:9:27:9:33 | f.value | f.value |
+| source.js:10:27:10:36 | f.getValue | f.getValue |
+| source.js:14:27:14:33 | f.value | f.value |
+| source.js:18:23:18:30 | ib.value | ib.value |
+| source.js:23:23:23:33 | input.value | input.value |
+| source.js:24:23:24:38 | input.getValue() | input.getValue() |
+| source.js:27:21:27:53 | jQuery. ... s().get | jQuery. ... s().get |
+| source.js:30:21:30:55 | jQuery. ... param") | jQuery. ... param") |
+| source.js:33:21:33:54 | jQuery. ... param") | jQuery. ... param") |
+| source.js:36:21:36:58 | jQuery. ... param") | jQuery. ... param") |
+| source.js:39:21:39:55 | jQuery. ... param") | jQuery. ... param") |
+| source.js:42:21:42:59 | jQuery. ... param") | jQuery. ... param") |
+| source.js:46:43:46:57 | window.location | window.location |
+| source.js:46:43:46:64 | window. ... .search | window. ... .search |
+| source.js:47:22:47:35 | uri.get("foo") | uri.get("foo") |
+| source.js:48:22:48:38 | uri.getAll("foo") | uri.getAll("foo") |
From 29e15e3c7df03760c7884e96287cec7f6aac9869 Mon Sep 17 00:00:00 2001
From: Mauro Baluda
Date: Tue, 27 Jun 2023 21:08:31 +0200
Subject: [PATCH 11/11] Delete codeql_test.yml
---
 .github/workflows/codeql_test.yml | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 .github/workflows/codeql_test.yml
diff --git a/.github/workflows/codeql_test.yml b/.github/workflows/codeql_test.yml
deleted file mode 100644
index 3e579a439..000000000
--- a/.github/workflows/codeql_test.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: "UI5 Unit Tests"
-
-on:
- push:
- branches: [ "main" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "main" ]
- schedule:
- - cron: '39 12 * * 2'
-
-jobs:
- unit_test:
- name: Run Unit Tests
- runs-on: 'ubuntu-latest'
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - run: |
- codeql test run --show-extractor-output test
