Merge pull request #258 from advanced-security/jeongsoolee09/add-eventbus-example

Model `sap/ui/core/EventBus`

Author: jeongsoolee09

.github/workflows/javascript.sarif.expected

@@ -3,12 +3,17 @@ extensions:
       pack: codeql/javascript-all
       extensible: "typeModel"
     data:
+      - ["SapUICoreInstance", "global", "Member[sap].Member[ui].Member[getCore].ReturnValue"]
       - ["Control", "Control", "Instance"]
       - ["Control", "sap/ui/core/Control", ""]
       - ["Control", "global", "Member[sap].Member[ui].Member[core].Member[Control]"]
+      - ["Controller", "Controller", "Instance"]
+      - ["Controller", "sap/ui/core/mvc/Controller", ""]
+      - ["Component", "sap/ui/core/mvc/Component", ""]
+      - ["Component", "sap/ui/core/UIComponent", ""]
       - ["Renderer", "Control", "Member[extend].Argument[1].Member[renderer]"]
       - ["Renderer", "sap/ui/core/RenderManager", "Member[extend].Argument[1].Member[renderer]"]
-      - ["Renderer", "sap/ui/core/Renderer", "Member[extend].Argument[1]"]
+      - ["Renderer", "sap/ui/core/Renderer", "Member[extend].Argument[1]"]  # ?
       - ["RenderManager", "RenderManager", "Instance"]
       - ["RenderManager", "sap/ui/core/RenderManager", ""]
       - ["RenderManager", "Renderer", "Parameter[0]"]
@@ -71,6 +76,31 @@ extensions:
       - ["UI5ClientStorage", "global", "Member[jQuery].Member[sap].Member[storage]"]
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
+      # Publishing and Subscribing to Events
+      - ["UI5EventBusInstance", "sap/ui/core/EventBus", "Member[getInstance].ReturnValue"]
+      - ["UI5EventBusPublish", "UI5EventBusInstance", "Member[publish]"]
+      - ["UI5EventBusPublishedEventData", "UI5EventBusPublish", "Argument[2]"]
+      - ["UI5EventBusSubscribe", "UI5EventBusInstance", "Member[subscribe,subscribeOnce]"]
+      - ["UI5EventSubscriptionHandlerDataParameter", "UI5EventBusSubscribe", "Argument[2].Parameter[2]"]
+      - ["SapUICoreEventBusInstance", "SapUICoreInstance", "Member[getEventBus].ReturnValue"]
+      - ["SapUICoreEventBusPublish", "SapUICoreEventBusInstance", "Member[publish]"]
+      - ["SapUICoreEventBusPublishedEventData", "SapUICoreEventBusPublish", "Argument[2]"]
+      - ["SapUICoreEventBusSubscribe", "SapUICoreEventBusInstance", "Member[subscribe,subscribeOnce]"]
+      - ["SapUICoreEventSubscriptionHandlerDataParameter", "SapUICoreEventBusSubscribe", "Argument[2].Parameter[2]"]
+      # Extend Calls
+      - ["CustomControl", "Control", "Member[extend]"]
+      - ["CustomController", "Controller", "Member[extend]"]
+      - ["CustomControllerContent", "Controller", "Member[extend].Argument[1]"]
+      - ["CustomControllerGetOwnerComponent", "CustomControllerContent", "Fuzzy.Member[getOwnerComponent].ReturnValue"]
+      - ["CustomControllerGetOwnerComponentEventBus", "CustomControllerGetOwnerComponent", "Member[getEventBus].ReturnValue"]
+      - ["CustomControllerGetOwnerComponentEventBusPublish", "CustomControllerGetOwnerComponentEventBus", "Member[publish]"]
+      - ["CustomControllerGetOwnerComponentEventBusPublishedData", "CustomControllerGetOwnerComponentEventBusPublish", "Argument[2]"]
+      - ["CustomControllerGetOwnerComponentEventBusSubscribe", "CustomControllerGetOwnerComponentEventBus", "Member[subscribe,subscribeOnce]"]
+      - ["CustomControllerGetOwnerComponentEventBusSubscriptionHandlerDataParameter", "CustomControllerGetOwnerComponentEventBusSubscribe", "Argument[2].Parameter[2]"]
+      - ["CustomComponent", "Component", "Member[extend]"]
+      - ["CustomRenderer", "Renderer", "Member[extend]"]
+      - ["ViewReference", "CustomController", "Member[getView].ReturnValue"]
+      - ["ControlReference", "ViewReference", "Member[byId].ReturnValue"]
 
   - addsTo:
       pack: codeql/javascript-all

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -4,20 +4,47 @@ import advanced_security.javascript.frameworks.ui5.UI5View
 import semmle.javascript.security.dataflow.XssThroughDomCustomizations
 private import semmle.javascript.frameworks.data.internal.ApiGraphModelsExtensions
 
-private class DataFromRemoteControlReference extends RemoteFlowSource {
-  DataFromRemoteControlReference() {
-    exists(UI5Control sourceControl, string typeAlias, ControlReference controlReference |
+abstract private class RemoteControlAPISource extends SourceNode { }
+
+private class RemoteControlReference extends RemoteControlAPISource, ControlReference {
+  RemoteControlReference() {
+    exists(UI5Control sourceControl, string typeAlias |
       typeModel(typeAlias, sourceControl.getImportPath(), _) and
       sourceModel(typeAlias, _, "remote", _) and
-      sourceControl.getAReference() = controlReference and
-      (
-        this = controlReference.getAMemberCall("getValue") or
-        this = controlReference.getAPropertyRead("value")
-      )
+      sourceControl.getAReference() = this
+    )
+  }
+}
+
+private class RemoteControlHandlerParameter extends RemoteControlAPISource, CallNode {
+  RemoteControlHandlerParameter() {
+    exists(UI5Control sourceControl, string typeAlias, UI5Handler handler |
+      typeModel(typeAlias, sourceControl.getImportPath(), _) and
+      sourceModel(typeAlias, _, "remote", _) and
+      handler.getControl() = sourceControl and
+      this = handler.getParameter(0).getAMemberCall("getSource")
+    )
+  }
+}
+
+private class UserDataFromRemoteControlAPISource extends RemoteFlowSource {
+  UserDataFromRemoteControlAPISource() {
+    exists(RemoteControlAPISource remoteControlAPISource |
+      /*
+       * 1. The `value` or its getter of `HTML` control reference, `CodeEditor` control reference,
+       * or handler parameters.
+       */
+
+      this = remoteControlAPISource.getAPropertyRead("value") or
+      this = remoteControlAPISource.getAMemberCall("getValue") or
+      /* 2. The `getCurrentValue` method call on `CodeEditor` control reference. */
+      this = remoteControlAPISource.getAMemberCall("getCurrentValue")
     )
   }
 
-  override string getSourceType() { result = "Data from a remote control" }
+  override string getSourceType() {
+    result = "User-provided data fetched from an input control via JavaScript API"
+  }
 }
 
 private class InputControlInstantiation extends ElementInstantiation {

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll

@@ -1,6 +1,7 @@
 import javascript
 import DataFlow
 import advanced_security.javascript.frameworks.ui5.JsonParser
+import advanced_security.javascript.frameworks.ui5.dataflow.TypeTrackers
 import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 import advanced_security.javascript.frameworks.ui5.UI5View
 import advanced_security.javascript.frameworks.ui5.UI5HTML
@@ -138,6 +139,15 @@ class WebApp extends HTML::HtmlFile {
  * by a call to `sap.ui.getCore()`.
  */
 class SapUiCore extends MethodCallNode {
+  /*
+   * NOTE: Ideally, we'd like to use `ModelOutput::getATypeNode("SapUICore").asSource()` to
+   * take advantage of the inter-procedural flexibility of MaD, but doing so causes
+   * non-monotomic recursion.
+   *
+   * So, we opt to use `SourceNode.getAPropertyRead/1` and `SourceNode.getAMethodCall/1`
+   * instead and get away with local flow tracking they provide.
+   */
+
   SapUiCore() { this = globalVarRef("sap").getAPropertyRead("ui").getAMethodCall("getCore") }
 }
 
@@ -247,9 +257,8 @@ class Renderer extends SapExtendCall {
 
 class CustomControl extends SapExtendCall {
   CustomControl() {
-    this =
-      TypeTrackers::hasDependency(["sap/ui/core/Control", "sap.ui.core.Control"])
-          .getAMemberCall("extend") or
+    this = ModelOutput::getATypeNode("CustomControl").getACall()
+    or
     exists(SapDefineModule sapModule | this.getDefine() = sapModule.getExtendingModule())
   }
 
@@ -449,17 +458,18 @@ class ControllerReference extends Reference {
 }
 
 class CustomController extends SapExtendCall {
+  API::Node customController;
   string name;
 
   CustomController() {
-    this =
-      TypeTrackers::hasDependency(["sap/ui/core/mvc/Controller", "sap.ui.core.mvc.Controller"])
-          .getAMemberCall("extend") and
-    name = this.getFile().getBaseName().regexpCapture("([a-zA-Z0-9]+).[cC]ontroller.js", 1)
+    customController = ModelOutput::getATypeNode("CustomController") and
+    this = customController.getACall() and
+    name = this.getFile().getBaseName().regexpCapture("(.+).[cC]ontroller.js", 1)
   }
 
   Component getOwnerComponent() {
-    exists(ManifestJson manifestJson, JsonObject rootObj | manifestJson = result.getManifestJson() |
+    exists(ManifestJson manifestJson, JsonObject rootObj |
+      manifestJson = result.getManifestJson() and
       rootObj
           .getPropValue("targets")
           .(JsonObject)
@@ -474,7 +484,12 @@ class CustomController extends SapExtendCall {
   }
 
   MethodCallNode getOwnerComponentRef() {
-    result = this.getAThisNode().getAMemberCall("getOwnerComponent")
+    exists(API::Node getOwnerComponent |
+      getOwnerComponent = ModelOutput::getATypeNode("CustomControllerGetOwnerComponent")
+    |
+      customController.getASuccessor+() = getOwnerComponent and
+      result = getOwnerComponent.asSource()
+    )
   }
 
   /**
@@ -757,14 +772,10 @@ class Component extends SapExtendCall {
      * It is the value flowing to a `setModel` call in a handler of a `CustomController` (which is represented by `ControllerHandler`), since it is the closest we can get to the actual model itself.
      */
 
-    this =
-      TypeTrackers::hasDependency([
-          "sap/ui/core/mvc/Component", "sap.ui.core.mvc.Component", "sap/ui/core/UIComponent",
-          "sap.ui.core.UIComponent"
-        ]).getAMemberCall("extend")
+    this = ModelOutput::getATypeNode("CustomComponent").getACall()
   }
 
-  string getId() { result = this.getName().regexpCapture("([a-zA-Z0-9.]+).Component", 1) }
+  string getId() { result = this.getName().regexpCapture("(.+).Component", 1) }
 
   ManifestJson getManifestJson() {
     this.getMetadata().getAPropertySource("manifest").asExpr().(StringLiteral).getValue() = "json" and
@@ -1428,18 +1439,162 @@ class PropertyMetadata extends ObjectLiteralNode {
   }
 }
 
-module TypeTrackers {
-  private SourceNode hasDependency(TypeTracker t, string dependencyPath) {
-    t.start() and
-    exists(UserModule d |
-      d.getADependency() = dependencyPath and
-      result = d.getRequiredObject(dependencyPath).asSourceNode()
-    )
-    or
-    exists(TypeTracker t2 | result = hasDependency(t2, dependencyPath).track(t2, t))
+module EventBus {
+  abstract class EventBusPublishCall extends CallNode {
+    abstract EventBusSubscribeCall getAMatchingSubscribeCall();
+
+    abstract DataFlow::Node getPublishedData();
+
+    string getChannelName() { result = this.getArgument(0).getALocalSource().getStringValue() }
+
+    string getMessageType() { result = this.getArgument(1).getALocalSource().getStringValue() }
+  }
+
+  abstract class EventBusSubscribeCall extends CallNode {
+    abstract EventBusPublishCall getMatchingPublishCall();
+
+    abstract DataFlow::Node getSubscriptionData();
+
+    string getChannelName() { result = this.getArgument(0).getALocalSource().getStringValue() }
+
+    string getMessageType() { result = this.getArgument(1).getALocalSource().getStringValue() }
+  }
+
+  class GlobalEventBusPublishCall extends EventBusPublishCall {
+    API::Node publishMethod;
+
+    GlobalEventBusPublishCall() {
+      publishMethod = ModelOutput::getATypeNode("UI5EventBusPublish") and
+      this = publishMethod.getACall()
+    }
+
+    override GlobalEventBusSubscribeCall getAMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() {
+      exists(API::Node publishedData |
+        publishedData = ModelOutput::getATypeNode("UI5EventBusPublishedEventData")
+      |
+        publishMethod.getASuccessor*() = publishedData and
+        result = publishedData.getInducingNode()
+      )
+    }
+  }
+
+  class SapUICoreEventBusPublishCall extends EventBusPublishCall {
+    API::Node publishMethod;
+
+    SapUICoreEventBusPublishCall() {
+      publishMethod = ModelOutput::getATypeNode("SapUICoreEventBusPublish") and
+      this = publishMethod.getACall()
+    }
+
+    override SapUICoreEventBusSubscribeCall getAMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() {
+      exists(API::Node publishedData |
+        publishedData = ModelOutput::getATypeNode("SapUICoreEventBusPublishedEventData")
+      |
+        publishMethod.getASuccessor*() = publishedData and
+        result = publishedData.getInducingNode()
+      )
+    }
+  }
+
+  class ComponentEventBusPublishCall extends EventBusPublishCall {
+    API::Node customController;
+
+    ComponentEventBusPublishCall() {
+      exists(API::Node customControllerGetOwnerComponentEventBusPublish |
+        customControllerGetOwnerComponentEventBusPublish =
+          ModelOutput::getATypeNode("CustomControllerGetOwnerComponentEventBusPublish")
+      |
+        customController = ModelOutput::getATypeNode("CustomController") and
+        customControllerGetOwnerComponentEventBusPublish = customController.getASuccessor+() and
+        this = customControllerGetOwnerComponentEventBusPublish.getACall()
+      )
+    }
+
+    override ComponentEventBusSubscribeCall getAMatchingSubscribeCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getPublishedData() { result = this.getArgument(2) }
   }
 
-  SourceNode hasDependency(string dependencyPath) {
-    result = hasDependency(TypeTracker::end(), dependencyPath)
+  class GlobalEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node subscribeMethod;
+
+    GlobalEventBusSubscribeCall() {
+      subscribeMethod = ModelOutput::getATypeNode("UI5EventBusSubscribe") and
+      this = subscribeMethod.getACall()
+    }
+
+    override GlobalEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() {
+      exists(API::Node subscribeMethodCallbackDataParameter |
+        subscribeMethodCallbackDataParameter =
+          ModelOutput::getATypeNode("UI5EventSubscriptionHandlerDataParameter")
+      |
+        subscribeMethod.getASuccessor*() = subscribeMethodCallbackDataParameter and
+        result = subscribeMethodCallbackDataParameter.getInducingNode()
+      )
+    }
+  }
+
+  class SapUICoreEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node subscribeMethod;
+
+    SapUICoreEventBusSubscribeCall() {
+      subscribeMethod = ModelOutput::getATypeNode("SapUICoreEventBusSubscribe") and
+      this = subscribeMethod.getACall()
+    }
+
+    override SapUICoreEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() {
+      exists(API::Node subscribeMethodCallbackDataParameter |
+        subscribeMethodCallbackDataParameter =
+          ModelOutput::getATypeNode("SapUICoreEventSubscriptionHandlerDataParameter")
+      |
+        subscribeMethod.getASuccessor+() = subscribeMethodCallbackDataParameter and
+        result = subscribeMethodCallbackDataParameter.getInducingNode()
+      )
+    }
+  }
+
+  class ComponentEventBusSubscribeCall extends EventBusSubscribeCall {
+    API::Node customController;
+
+    ComponentEventBusSubscribeCall() {
+      exists(API::Node customControllerGetOwnerComponentEventBusSubscribe |
+        customControllerGetOwnerComponentEventBusSubscribe =
+          ModelOutput::getATypeNode("CustomControllerGetOwnerComponentEventBusSubscribe")
+      |
+        customController = ModelOutput::getATypeNode("CustomController") and
+        customControllerGetOwnerComponentEventBusSubscribe = customController.getASuccessor+() and
+        this = customControllerGetOwnerComponentEventBusSubscribe.getACall()
+      )
+    }
+
+    override ComponentEventBusPublishCall getMatchingPublishCall() {
+      result.getChannelName() = this.getChannelName() and
+      result.getMessageType() = this.getMessageType()
+    }
+
+    override DataFlow::Node getSubscriptionData() { result = this.getABoundCallbackParameter(2, 2) }
   }
 }