Restructured to have unit tests working

.github/codeql/extensions/codeql-pack.yml → .github/codeql/extensions/qlpack.yml

@@ -1,9 +1,9 @@
 ---
 library: true
-name: sap-js/ui5-data-extension-pack
+name: sap-js/ui5-data-extensions-pack
 version: 0.0.1
 extensionTargets:
   codeql/javascript-all: "*"
   codeql/javascript-queries: "*"
 dataExtensions:
-  - ui5-data-extension.yaml
+  - ui5-data-extensions.yml

.github/codeql/extensions/ui5-data-extension.yaml → .github/codeql/extensions/ui5-data-extensions.yml

@@ -16,13 +16,17 @@ extensions:
       pack: codeql/javascript-all
       extensible: sourceModel
     data:
-      # sap.ui.commons.TextField.value
+      # sap.ui.commons.TextField.value sap.ui.commons.TextField#getValue
       - ["sap/ui/commons/TextField", "Instance.Member[value]", "remote"]
-      # sap.m.InputBase.value
+      - ["sap/ui/commons/TextField", "Instance.Member[getValue].ReturnValue", "remote"]
+      # sap.m.InputBase.value sap.m.InputBase#getValue
       - ["sap/m/InputBase", "Instance.Member[value]", "remote"]
-      # sap.m.Input.value
+      - ["sap/m/InputBase", "Instance.Member[getValue]", "remote"]
+      # sap.m.SearchField.value sap.m.InputBase#getValue
+      - ["sap/m/SearchField", "Instance.Member[value]", "remote"]
+      - ["sap/m/SearchField", "Instance.Member[getValue]", "remote"]
+      # sap.m.Input.value sap.m.Input#getValue()
       - ["sap/m/Input", "Instance.Member[value]", "remote"]
-      #  sap.m.Input#getValue()
       - ["sap/m/Input", "Instance.Member[getValue].ReturnValue", "remote"]
       # jQuery.sap.getUriParameters() return
       - ["global", "Member[jQuery].Member[sap].Member[getUriParameters].ReturnValue.Member[get]", "remote"]
@@ -36,8 +40,7 @@ extensions:
       - ["global", "Member[jQuery].Member[sap].Member[syncPost].ReturnValue", "remote"]
       # jQuery.sap.syncPostText() return
       - ["global", "Member[jQuery].Member[sap].Member[syncPostText].ReturnValue", "remote"]
-      # UriParameters#get
-      # UriParameters#getAll
+      # UriParameters#get UriParameters#getAll
       - ["sap/base/util/UriParameters", "Member[fromQuery].ReturnValue.Member[get].ReturnValue", "remote"]
       - ["sap/base/util/UriParameters", "Member[fromQuery].ReturnValue.Member[getAll].ReturnValue", "remote"]
   - addsTo:

.github/workflows/codeql_queries.yml

@@ -0,0 +1,34 @@
+name: "CodeQL Queries"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '39 12 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: 'ubuntu-latest'
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: javascript
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        queries: security-extended,./src
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

codeql-workspace.yml

@@ -1,3 +1,2 @@
 provide:
   - "**/qlpack.yml"
-  - "**/codeql-workspace.yml"

integration-tests/README.md

@@ -9,30 +9,3 @@ Not fully working, meaning you cannot run `ui5 serve` and play with the app, tes
 Anyways, here is the app's structure pertaining to the XSS vulnerability:
 
 ![Diagram of current app](./xss-example/diagram.svg "Diagram")
-
-## xss-custom-control-api1
-- custom Control
-- classic string-based API
-- `renderer` property is set to a render function
-
-## xss-custom-control-api2
-- custom Control
-- DOM-like API
-- `renderer` property is set to an object literal 
-
-## xss-custom-control-jquery
-- custom Control declared using JQuery
-
-## xss-html-control
-- `sap.ui.core.HTML` Control
-
-## xss-json-view
-- `sap.ui.core.mvc.JSONView` View
-
-## xss-separate-renderer
-- `renderer` property is set to a class name (a string)
-- Renderer implemented in it's own module
-
-## xss-separate-renderer-byname
-- `renderer` property is unassigned
-- Renderer implemented in its own module with naming convention `<CustomControl>Renderer`

ui5-models/qlpack.yml → src/qlpack.yml

@@ -1,6 +1,7 @@
 ---
 library: true
-name: sap-js/ui5-models
+name: sap-js/ui5
 version: 0.0.1
+extractor: javascript
 dependencies:
   codeql/javascript-all: "*"

ui5-queries/XssWithCustomControl.ql → src/queries/XssWithCustomControl.ql

@@ -1,5 +1,11 @@
+/**
+ * @id xss-custom-control
+ * @name XSS with custom control
+ * @kind problem
+ */
+
 import javascript
-import UI5::UI5
+import models.UI5::UI5
 import semmle.javascript.security.dataflow.DomBasedXssQuery
 
 class XssWithCustomControl extends Configuration {
@@ -41,4 +47,4 @@ class XssWithCustomControl extends Configuration {
 
 from XssWithCustomControl xss, UnsafeHtmlXssSource source, UnsafeHtmlXssSink sink
 where xss.hasFlow(source, sink)
-select source, sink
+select source, source.toString(), sink, sink.toString()

test/models/sink/sinkTest.expected

@@ -0,0 +1,11 @@
+| sink.js:12:31:12:34 | code | code |
+| sink.js:15:52:15:55 | code | code |
+| sink.js:17:24:17:27 | code | code |
+| sink.js:19:25:19:28 | code | code |
+| sink.js:23:22:23:25 | code | code |
+| sink.js:27:18:27:21 | code | code |
+| sink.js:29:27:29:30 | code | code |
+| sink.js:31:34:31:37 | code | code |
+| sink.js:33:21:33:24 | code | code |
+| sink.js:35:21:35:24 | code | code |
+| sink.js:37:23:37:26 | code | code |

test/models/sink/sinkTest.ql

@@ -0,0 +1,13 @@
+/**
+ * @id xss-sinks
+ * @name XSS sinks
+ * @kind problem
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DomBasedXssQuery
+import models.UI5AMDModule
+
+from DataFlow::Configuration cfg, DataFlow::Node sink
+where cfg.isSink(sink, _)
+select sink, sink.toString()

test/models/source/source.js

@@ -0,0 +1,49 @@
+sap.ui.require(["sap/m/SearchField", "sap/ui/commons/TextField", "sap/m/InputBase", "sap/m/Input", "sap/base/util/UriParameters"],
+    function (SearchField, TextField, InputBase, Input, UriParameters) {
+
+        ////////
+        // Sources of user-controlled data
+        ////////
+        // sap.ui.commons.SearchField.value
+        var f = new SearchField();
+        var remoteInput = f.value;
+        var remoteInput = f.getValue();
+
+        // sap.ui.commons.TextField.value
+        var f = new TextField();
+        var remoteInput = f.value;
+
+        // sap.m.InputBase.value
+        var ib = new InputBase();
+        remoteInput = ib.value;
+
+        // sap.m.Input.value
+        // sap.m.Input#setValue()
+        var input = new Input();
+        remoteInput = input.value;
+        remoteInput = input.getValue();
+
+        // jQuery.sap.getUriParameters() return
+        var value = jQuery.sap.getUriParameters().get("foo");
+
+        // jQuery.sap.syncHead return
+        var value = jQuery.sap.syncHead("url", "param")
+
+        // jQuery.sap.syncGet return
+        var value = jQuery.sap.syncGet("url", "param")
+
+        // jQuery.sap.syncGetText return
+        var value = jQuery.sap.syncGetText("url", "param")
+
+        // jQuery.sap.syncPost return
+        var value = jQuery.sap.syncPost("url", "param")
+
+        // jQuery.sap.syncPostText return
+        var value = jQuery.sap.syncPostText("url", "param")
+
+        // UriParameters#get
+        // UriParameters#getAll
+        var uri = UriParameters.fromQuery(window.location.search)
+        var sValue = uri.get("foo")
+        var sValue = uri.getAll("foo")
+    });

test/models/source/sourceTest.expected

@@ -0,0 +1,16 @@
+| source.js:9:27:9:33 | f.value | f.value |
+| source.js:10:27:10:36 | f.getValue | f.getValue |
+| source.js:14:27:14:33 | f.value | f.value |
+| source.js:18:23:18:30 | ib.value | ib.value |
+| source.js:23:23:23:33 | input.value | input.value |
+| source.js:24:23:24:38 | input.getValue() | input.getValue() |
+| source.js:27:21:27:53 | jQuery. ... s().get | jQuery. ... s().get |
+| source.js:30:21:30:55 | jQuery. ... param") | jQuery. ... param") |
+| source.js:33:21:33:54 | jQuery. ... param") | jQuery. ... param") |
+| source.js:36:21:36:58 | jQuery. ... param") | jQuery. ... param") |
+| source.js:39:21:39:55 | jQuery. ... param") | jQuery. ... param") |
+| source.js:42:21:42:59 | jQuery. ... param") | jQuery. ... param") |
+| source.js:46:43:46:57 | window.location | window.location |
+| source.js:46:43:46:64 | window. ... .search | window. ... .search |
+| source.js:47:22:47:35 | uri.get("foo") | uri.get("foo") |
+| source.js:48:22:48:38 | uri.getAll("foo") | uri.getAll("foo") |

test/source/sourceTest.ql → test/models/source/sourceTest.ql

@@ -1,7 +1,13 @@
+/**
+ * @id xss-sources
+ * @name XSS sources
+ * @kind problem
+ */
+
 import javascript
 import semmle.javascript.security.dataflow.DomBasedXssQuery
-import UI5AMDModule
+import models.UI5AMDModule
 
 from DataFlow::Configuration cfg, DataFlow::Node source
 where cfg.isSource(source, _)
-select source
+select source, source.toString()

test/qlpack.yml

@@ -1,7 +1,9 @@
 ---
-library: false
-name: sap-js/ui5-models-test
+library: true
+name: sap-js/ui5-test
 version: 0.0.1
-dependencies:
-  sap-js/ui5-models: "*"
 extractor: javascript
+dependencies:
+  sap-js/ui5: "*"
+  codeql/javascript-all: "*"
+  sap-js/ui5-data-extensions-pack: "*"

test/queries/README.md

@@ -0,0 +1,30 @@
+# Queries unit tests
+
+All XSS examples run locally using the [UI5 tooling](https://sap.github.io/ui5-tooling/stable/)
+
+## xss-custom-control-api1
+- custom Control
+- classic string-based API
+- `renderer` property is set to a render function
+
+## xss-custom-control-api2
+- custom Control
+- DOM-like API
+- `renderer` property is set to an object literal 
+
+## xss-custom-control-jquery
+- custom Control declared using JQuery
+
+## xss-html-control
+- `sap.ui.core.HTML` Control
+
+## xss-json-view
+- `sap.ui.core.mvc.JSONView` View
+
+## xss-separate-renderer
+- `renderer` property is set to a class name (a string)
+- Renderer implemented in it's own module
+
+## xss-separate-renderer-byname
+- `renderer` property is unassigned
+- Renderer implemented in its own module with naming convention `<CustomControl>Renderer`

test/queries/XssWithCustomControl.qlref

@@ -0,0 +1 @@
+queries/XssWithCustomControl.ql

integration-tests/xss-html-control/webapp/view/app.view.xml → test/queries/xss-html-control/webapp/view/app.view.xml

@@ -5,5 +5,5 @@
     <Input placeholder="Enter Payload" 
         description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;" 
         value="{/input}" />  <!--User input source sap.m.Input.value -->
-    <core:HTML content="{/input}"/>
+    <core:HTML content="{/input}"/> <!--XSS sink sap.ui.core.HTML.content -->
 </mvc:View>