Add hierarchy of EventBus classes

Author: jeongsoolee09

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -3,6 +3,7 @@ extensions:
       pack: codeql/javascript-all
       extensible: "typeModel"
     data:
+      - ["SapUICoreInstance", "global", "Member[sap].Member[ui].Member[getCore].ReturnValue"]
       - ["Control", "Control", "Instance"]
       - ["Control", "sap/ui/core/Control", ""]
       - ["Control", "global", "Member[sap].Member[ui].Member[core].Member[Control]"]
@@ -72,10 +73,18 @@ extensions:
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
       # Publishing and Subscribing to Events
-      - ["UI5EventBusPublish", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[publish]"]
+      - ["UI5EventBusInstance", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue"]
+      - ["UI5EventBusPublish", "UI5EventBusInstance", "Member[publish]"]
       - ["UI5EventBusPublishedEventData", "UI5EventBusPublish", "Argument[2]"]
-      - ["UI5EventBusSubscribe", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue.Member[subscribe]"]
+      - ["UI5EventBusSubscribe", "UI5EventBusInstance", "Member[subscribe]"]
       - ["UI5EventSubscriptionHandlerDataParameter", "UI5EventBusSubscribe", "Argument[2].Parameter[2]"]
+      - ["SapUICoreEventBusInstance", "SapUICoreInstance", "Member[getEventBus].ReturnValue"]
+      - ["SapUICoreEventBusPublish", "SapUICoreEventBusInstance", "Member[publish]"]
+      - ["SapUICoreEventBusPublishedEventData", "SapUICoreEventBusPublish", "Argument[2]"]
+      - ["SapUICoreEventBusSubscribe", "SapUICoreEventBusInstance", "Member[subscribe]"]
+      - ["SapUICoreEventSubscriptionHandlerDataParameter", "SapUICoreEventBusSubscribe", "Argument[2].Parameter[2]"]
+      # Extend Calls
+      # -
 
   - addsTo:
       pack: codeql/javascript-all

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -139,6 +139,15 @@ class WebApp extends HTML::HtmlFile {
  * by a call to `sap.ui.getCore()`.
  */
 class SapUiCore extends MethodCallNode {
+  /*
+   * NOTE: Ideally, we'd like to use `ModelOutput::getATypeNode("SapUICore").asSource()` to
+   * take advantage of the inter-procedural flexibility of MaD, but doing so causes
+   * non-monotomic recursion.
+   *
+   * So, we opt to use `SourceNode.getAPropertyRead/1` and `SourceNode.getAMethodCall/1`
+   * instead and get away with local flow tracking they provide.
+   */
+
   SapUiCore() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("getCore") }
 }
 
@@ -1428,3 +1437,159 @@ class PropertyMetadata extends ObjectLiteralNode {
     inSameWebApp(this.getFile(), result.getFile())
   }
 }
+
+module EventBus {
+  abstract class EventBusPublishCall extends CallNode {
+    abstract EventBusSubscribeCall getMatchingSubscribeCall();
+
+    abstract DataFlow::Node getPublishedData();
+
+    string getChannelName() { result = this.getArgument(0).getALocalSource().getStringValue() }
+
+    string getMessageType() { result = this.getArgument(1).getALocalSource().getStringValue() }
+  }
+
+  abstract class EventBusSubscribeCall extends CallNode {
+    abstract EventBusPublishCall getMatchingPublishCall();
+
+    abstract DataFlow::Node getSubscriptionData();
+
+    string getChannelName() { result = this.getArgument(0).getALocalSource().getStringValue() }
+
+    string getMessageType() { result = this.getArgument(1).getALocalSource().getStringValue() }
+  }
+
+  class GlobalEventBusPublishCall extends EventBusPublishCall {
+    API::Node publishMethod;
+
+    GlobalEventBusPublishCall() {
+      publishMethod = ModelOutput::getATypeNode("UI5EventBusPublish") and
+      this = publishMethod.getACall()
+    }
+
+    override GlobalEventBusSubscribeCall getMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() {
+      exists(API::Node publishedData |
+        publishedData = ModelOutput::getATypeNode("UI5EventBusPublishedEventData")
+      |
+        publishMethod.getASuccessor*() = publishedData and
+        result = publishedData.getInducingNode()
+      )
+    }
+  }
+
+  class SapUICoreEventBusPublishCall extends EventBusPublishCall {
+    API::Node publishMethod;
+
+    SapUICoreEventBusPublishCall() {
+      publishMethod = ModelOutput::getATypeNode("SapUICoreEventBusPublish") and
+      this = publishMethod.getACall()
+    }
+
+    override SapUICoreEventBusSubscribeCall getMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() {
+      exists(API::Node publishedData |
+        publishedData = ModelOutput::getATypeNode("SapUICoreEventBusPublishedEventData")
+      |
+        publishMethod.getASuccessor*() = publishedData and
+        result = publishedData.getInducingNode()
+      )
+    }
+  }
+
+  class ComponentEventBusPublishCall extends EventBusPublishCall {
+    CustomController controller;
+    Component component;
+
+    ComponentEventBusPublishCall() {
+      component = controller.getOwnerComponent() and
+      this = controller.getOwnerComponentRef().getAMemberCall("publish")
+    }
+
+    override ComponentEventBusSubscribeCall getMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType() and
+      result.getComponent() = this.getComponent()
+    }
+
+    override DataFlow::Node getPublishedData() { result = this.getArgument(2) }
+
+    Component getComponent() { result = component }
+  }
+
+  class GlobalEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node subscribeMethod;
+
+    GlobalEventBusSubscribeCall() {
+      subscribeMethod = ModelOutput::getATypeNode("UI5EventBusSubscribe") and
+      this = subscribeMethod.getACall()
+    }
+
+    override GlobalEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() {
+      exists(API::Node subscribeMethodCallbackDataParameter |
+        subscribeMethodCallbackDataParameter =
+          ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter")
+      |
+        subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
+        result = subscribeMethodCallbackDataParameter.getInducingNode()
+      )
+    }
+  }
+
+  class SapUICoreEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node subscribeMethod;
+
+    SapUICoreEventBusSubscribeCall() {
+      subscribeMethod = ModelOutput::getATypeNode("SapUICoreInstance") and
+      this = subscribeMethod.getACall()
+    }
+
+    override SapUICoreEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() {
+      exists(API::Node subscribeMethodCallbackDataParameter |
+        subscribeMethodCallbackDataParameter =
+          ModelOutput::getATypeNode("SapUICoreEventSubscriptionHandlerDataParameter")
+      |
+        subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
+        result = subscribeMethodCallbackDataParameter.getInducingNode()
+      )
+    }
+  }
+
+  class ComponentEventBusSubscribeCall extends EventBusSubscribeCall {
+    CustomController controller;
+    Component component;
+
+    ComponentEventBusSubscribeCall() {
+      component = controller.getOwnerComponent() and
+      this = controller.getOwnerComponentRef().getAMemberCall("subscribe")
+    }
+
+    override ComponentEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType() and
+      result.getComponent() = this.getComponent()
+    }
+
+    override DataFlow::Node getSubscriptionData() { result = this.getABoundCallbackParameter(2, 2) }
+
+    Component getComponent() { result = component }
+  }
+}

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/FlowSteps.qll

@@ -370,28 +370,12 @@ class LogArgumentToListener extends DataFlow::SharedFlowStep {
 class PublishedEventToEventSubscribedEventData extends DataFlow::SharedFlowStep {
   override predicate step(DataFlow::Node start, DataFlow::Node end) {
     exists(
-      API::Node publishMethod, API::Node publishedData, API::Node subscribeMethod,
-      API::Node subscribeMethodCallbackDataParameter
+      EventBus::EventBusPublishCall publishCall, EventBus::EventBusSubscribeCall subscribeCall
     |
-      publishMethod = ModelOutput::getATypeNode("UI5EventBusPublish") and
-      publishedData = ModelOutput::getATypeNode("UI5EventBusPublishedEventData") and
-      subscribeMethod = ModelOutput::getATypeNode("UI5EventBusSubscribe") and
-      subscribeMethodCallbackDataParameter =
-        ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter")
+      publishCall.getMatchingSubscribeCall() = subscribeCall
     |
-      /* Ensure that `publishedData` belongs to `publishMethod`. */
-      publishMethod.getASuccessor*() = publishedData and
-      /* Ensure that `subscribeMethodCallbackDataParameter` belongs to `subscribeMethod`. */
-      subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
-      /* Ensure that the published and subscribed channels are the same. */
-      publishMethod.getACall().getArgument(0).getALocalSource().getStringValue() =
-        subscribeMethod.getACall().getArgument(0).getALocalSource().getStringValue() and
-      /* Ensure that the published and subscribed message types are the same. */
-      publishMethod.getACall().getArgument(1).getALocalSource().getStringValue() =
-        subscribeMethod.getACall().getArgument(1).getALocalSource().getStringValue() and
-      /* Wire into the start and end of this step. */
-      start = publishedData.getInducingNode() and
-      end = subscribeMethodCallbackDataParameter.getInducingNode()
+      start = publishCall.getPublishedData() and
+      end = subscribeCall.getSubscriptionData()
     )
   }
 }