Track dataflow through event handlers and their parameters #40

mbaluda · 2023-08-29T22:57:37Z

This PR adds support for dataflow through event handlers and their parameters, as well as a few other fixes as follows:

Support dataflow through event handlers Fix /issues/24

cherry-pick modelling from Cover various event handlers #28
Implement class UI5Handler and ControlTypeInHandlerModel to model references to Controls inside the handler Javascript code (e.g. oEvent.getSource() this.getView().byId("id")) (see tests doSomething3 and doSomething4)
bindingPathCapture now covers event handler parameters syntax like.doSomething(${/input}) (limited to an infividual call with a single argument)
isAdditionalFlowStep includes edge from UI5BindingPath to handler when passed as parameter (see test doSomething2)
isAdditionalFlowStep includes edge from UI5BindingPath to handler when passed as parameter (see test doSomething2)
PathGraph includes edges through XML (js->xml->js) to show handler parameters flow
A large part of the dataflow configuration is now shared between the dataflow queries

Varia

Improves the workflow scripts with better naming and error messages
Modify data extension typeModel section so that types are selected as well as their instances (this is to avoid the need for Instance.Member in sourceModel entries)
Restores Renderer definition that was broken in MaD and remove unneeded RenderManager class and getRenderer() predicate
Remove redundant UnsafeHtmlXssSource and UnsafeHtmlXssSink classes
move test xss-example from integration-test folder to test
Fix writeAttributeEscaped erroneously included in SinkModel #34

merge main

github-advanced-security · 2023-09-01T00:29:20Z

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

test/queries/xss/xss-event-handlers/webapp/view/app.view.xml

-    <Button text="Press Me XSS2" press=".doSomething2(${/input})"/>
-    <core:HTML content="{/output2}"/> <!--XSS sink sap.ui.core.HTML.content -->
+    <Button text="Press Me XSS1" press=".doSomething1" />
+    <core:HTML content="{/output1}" /> <!--XSS sink sap.ui.core.HTML.content -->


test/queries/xss/xss-event-handlers/webapp/view/app.view.xml

-	    liveChange=".doSomething3" />
-    <core:HTML content="{/output3}"/> <!--XSS sink sap.ui.core.HTML.content -->
+    <Button text="Press Me XSS2" press=".doSomething2(${/input})" />
+    <core:HTML content="{/output2}" /> <!--XSS sink sap.ui.core.HTML.content -->


test/queries/xss/xss-event-handlers/webapp/view/app.view.xml

mbaluda · 2023-09-01T12:24:59Z

Tests doSomething3 and doSomething4 are now supported!
There is however a bug in CodeQL (see PR github/codeql#14120) that can luckily be worked around

test/queries/xss/xss-event-handlers/webapp/view/app.view.xml

+    <Input placeholder="Enter Payload"
+        description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
+        liveChange=".doSomething3" />
+    <core:HTML content="{/output3}" /> <!--XSS sink sap.ui.core.HTML.content -->


test/queries/xss/xss-event-handlers/webapp/controller/app.controller.js

+            var oHtmlOutput = oView.byId("htmlOutput");
+
+            var value = oInput.getValue() // User input source sap.m.Input#getValue
+            oHtmlOutput.setContent(value) // XSS sink sap.ui.core.HTML#setContent


integration-tests/README.md

src/models/UI5.qll

src/models/UI5View.qll

jeongsoolee09 · 2023-09-06T20:48:31Z

Left some partial comments above.

src/models/UI5DataFlowShared.qll

jeongsoolee09 · 2023-09-07T00:17:07Z

Submitted another batch of comments.

.github/codeql/extensions/ui5-data-extensions.yml

jeongsoolee09

Thank you a gigaton, @mbaluda ! It's truly a magnificent work.

mbaluda added 11 commits August 30, 2023 00:53

restore RenderManager data-extension and tests

f96b035

Merge pull request #39 from advanced-security/main

7e54681

merge main

Update codeql_tests.yml

31b7d0b

Improved workflow error message

4e86583

Model controller references in handlers as types

8798395

Move ControlTypeInHandlerModel

68da715

Get Control types in event handlers

805cccf

Merge remote-tracking branch 'origin/main' into mbaluda-handlers

95de829

Detects XSS flowing through doSomething2

29c0eb9

Fix formatting

ee86335

Improve workflow configuration

074ce57

github-advanced-security bot found potential problems Sep 1, 2023

View reviewed changes

mbaluda added 2 commits September 1, 2023 02:47

BindingPath maps to nodes in the same project

866f72d

Improve pathgraph with extra edges

688ea79

mbaluda changed the title ~~Mbaluda handlers~~ Track dataflow through event handlers and their parameters Sep 1, 2023

Sharing more dataflow configuration

d3f2e82

github-advanced-security bot found potential problems Sep 1, 2023

View reviewed changes

test/queries/xss/xss-event-handlers/webapp/view/app.view.xml Fixed Show fixed Hide fixed

test/queries/xss/xss-event-handlers/webapp/view/app.view.xml Fixed Show fixed Hide fixed

Refectoring queries and tests

21bded5

github-advanced-security bot found potential problems Sep 4, 2023

View reviewed changes

Document log-injection workaround

af17dab

mbaluda marked this pull request as ready for review September 5, 2023 01:28

mbaluda requested a review from jeongsoolee09 September 5, 2023 01:28

mbaluda added 2 commits September 5, 2023 12:47

Fix LogInjection sinks

ad20b12

Fix issues 34

23857cc

mbaluda mentioned this pull request Sep 5, 2023

writeAttributeEscaped erroneously included in SinkModel #34

Closed

mbaluda added 2 commits September 5, 2023 17:32

Update README.md

bb7b2c8

Ignore spaces in regex matches

0304474