Merge pull request #88 from advanced-security/mbaluda-same-app

jeongsoolee09 · web-flow · commit 22007961b919 · 2024-02-01T14:31:57.000-08:00
Path should not cross different apps
diff --git a/.github/codeql/codeql-config.yaml b/.github/codeql/codeql-config.yaml
@@ -1,12 +1,13 @@
 name: "My CodeQL config"
 
 queries:
-  # for log-injection
-  - uses: security-and-quality
-  # for ui5 queries
-  - uses: ./javascript/frameworks/ui5/src
+  - uses: security-extended
+  # for ui5/cap queries
+  - uses: ./javascript/frameworks/ui5/src/codeql-suites/sap-ui5-security-extended.qls
+  - uses: ./javascript/frameworks/cap/src
 
 paths:
   - "**/*.xml"
   - "**/*.json"
-
+paths-ignore:
+  - "**/frameworks/*/test/models"
diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll
@@ -145,28 +145,29 @@ abstract class UI5BindingPath extends BindingPath {
    * Gets the `DataFlow::Node` that represents this binding path.
    */
   Node getNode() {
-    /* 1-1. Internal (Client-side) model, model hardcoded in JS code */
-    exists(Property p, JsonModel model |
-      /* Get the property of an JS object bound to this binding path. */
-      result.(DataFlow::PropWrite).getPropertyNameExpr() = p.getNameExpr() and
-      this.getAbsolutePath() = model.getPathString(p) and
-      /* Restrict search to inside the same webapp. */
-      exists(WebApp webApp |
-        webApp.getAResource() = this.getLocation().getFile() and
-        webApp.getAResource() = result.getFile()
+    /* Restrict search to the same webapp. */
+    exists(WebApp webApp |
+      webApp.getAResource() = this.getLocation().getFile() and
+      webApp.getAResource() = result.getFile()
+    |
+      /* 1-1. Internal (Client-side) model, model hardcoded in JS code */
+      exists(Property p, JsonModel model |
+        /* Get the property of an JS object bound to this binding path. */
+        result.(DataFlow::PropWrite).getPropertyNameExpr() = p.getNameExpr() and
+        this.getAbsolutePath() = model.getPathString(p)
       )
+      or
+      /* 1-2. Internal (Client-side) model, model loaded from JSON file */
+      exists(string propName, JsonModel model |
+        /* Get the property of an JS object bound to this binding path. */
+        result = model.getArgument(0).getALocalSource() and
+        this.getPath() = model.getPathStringPropName(propName) and
+        exists(JsonObject obj, JsonValue val | val = obj.getPropValue(propName))
+      )
+      or
+      /* 2. External (Server-side) model */
+      result = this.getModel().(UI5ExternalModel)
     )
-    or
-    /* 1-2. Internal (Client-side) model, model loaded from JSON file */
-    exists(string propName, JsonModel model |
-      /* Get the property of an JS object bound to this binding path. */
-      result = model.getArgument(0).getALocalSource() and
-      this.getPath() = model.getPathStringPropName(propName) and
-      exists(JsonObject obj, JsonValue val | val = obj.getPropValue(propName))
-    )
-    or
-    /* 2. External (Server-side) model */
-    result = this.getModel().(UI5ExternalModel)
   }
 }
 
