Replace Project with WebApp

Project resolution relied on a property that doesn't hold for all SAP
UI5 projects.
The WebApp approach follows the bootstrapping process to determine the
definition of a webapp and uses the resource roots to resolve resources
beloning to a webapp.

Author: rvermeulen

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -5,12 +5,6 @@ private import semmle.javascript.security.dataflow.DomBasedXssCustomizations
 private import advanced_security.javascript.frameworks.ui5.UI5View
 
 module UI5 {
-  /**
-   * Helper predicate checking if two elements are in the same Project
-   */
-  predicate inSameUI5Project(File f1, File f2) {
-    exists(Project p | p.isInThisProject(f1) and p.isInThisProject(f2))
-  }
 
   bindingset[this]
   private class JsonStringReader extends string {
@@ -91,30 +85,49 @@ module UI5 {
     }
   }
 
-  class Project extends Folder {
-    /**
-     * An UI5 project root folder.
-     */
-    Project() { exists(File yamlFile | yamlFile = this.getFile("ui5.yaml")) }
+  /** A UI5 web application manifest associated with a bootstrapped UI5 web application. */
+  class WebAppManifest extends File {
+    WebApp webapp;
+    WebAppManifest() {
+      this.getBaseName() = "manifest.json"  and
+      this.getParentContainer() = webapp.getWebAppFolder()
+    }
 
-    /**
-     * The `ui5.yaml` file that declares a UI5 application.
-     */
-    File getProjectYaml() { result = this.getFile("ui5.yaml") }
+    WebApp getWebapp() { result = webapp }
+  }
 
-    predicate isInThisProject(File file) { this = file.getParentContainer*() }
+  /** A UI5 bootstrapped web application. */
+  class WebApp extends HTML::HtmlFile {
+    SapUiCoreScript coreScript;
 
-    private HTML::HtmlFile getSapUICoreScript() {
-      exists(HTML::ScriptElement script |
-        result = script.getFile() and
-        this.isInThisProject(result) and
-        script.getSourcePath().matches("%/sap-ui-core.js")
-      )
+    WebApp() {
+      coreScript.getFile() = this
     }
 
-    HTML::HtmlFile getMainHTML() { result = this.getSapUICoreScript() }
-  }
+    File getAResource() {
+      coreScript.getAResolvedResourceRoot().contains(result)
+    }
+
+    File getResource(string path) {
+      getWebAppFolder().getAbsolutePath() + "/" + path = result.getAbsolutePath()
+    }
 
+    Folder getWebAppFolder() {
+      result = this.getParentContainer()
+    }
+
+    WebAppManifest getManifest() {
+      result.getWebapp() = this
+    }
+
+    File getInitialModule() {
+      exists(string initialModuleResourcePath, string resolvedModulePath, ResolvedResourceRoot resourceRoot |
+        initialModuleResourcePath = coreScript.getAttributeByName("data-sap-ui-onInit").getValue() and coreScript.getAResolvedResourceRoot() = resourceRoot and
+        resolvedModulePath = initialModuleResourcePath.regexpReplaceAll("^module\\s*:\\s*", "").replaceAll(resourceRoot.getName(), resourceRoot.getRoot().getAbsolutePath()) and
+        result.getAbsolutePath() = resolvedModulePath + ".js"
+      )
+    }
+  }
   /**
    * https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.loader%23methods/sap.ui.loader.config
    */
@@ -156,7 +169,9 @@ module UI5 {
       )
     }
 
-    Project getProject() { result = this.getFile().getParentContainer*() }
+    WebApp getWebApp() {
+      this.getFile() = result.getAResource()
+    }
 
     SapDefineModule getExtendingDefine() {
       exists(Extension baseExtension, Extension subclassExtension, SapDefineModule subclassDefine |
@@ -371,12 +386,8 @@ module UI5 {
    */
   bindingset[path]
   JsonObject resolveDirectPath(string path) {
-    exists(Project project, File jsonFile |
-      // project contains this file
-      project.isInThisProject(jsonFile) and
-      jsonFile.getExtension() = "json" and
-      jsonFile.getAbsolutePath() = project.getASubFolder().getAbsolutePath() + "/" + path and
-      result.getJsonFile() = jsonFile
+    exists(WebApp webApp|
+      result.getJsonFile() = webApp.getResource(path)
     )
   }
 
@@ -582,14 +593,14 @@ module UI5 {
       result.getMethodName() = "setProperty" and
       result.getArgument(0).asExpr().(StringLiteral).getValue() = propName and
       // TODO: in same controller
-      inSameUI5Project(this.getFile(), result.getFile())
+      exists(WebApp webApp | webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile())
     }
 
     bindingset[propName]
     MethodCallNode getARead(string propName) {
       result.getMethodName() = "get" + capitalize(propName) and
       // TODO: in same controller
-      inSameUI5Project(this.getFile(), result.getFile())
+      exists(WebApp webApp | webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile())
     }
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5DataFlow.qll

@@ -12,7 +12,7 @@ module UI5DataFlow {
   private predicate bidiModelControl(DataFlow::Node start, DataFlow::Node end) {
     exists(DataFlow::SourceNode property, Metadata metadata, UI5BoundNode node |
       // same project
-      inSameUI5Project(metadata.getFile(), node.getFile()) and
+      exists(WebApp webApp | webApp.getAResource() = metadata.getFile() and webApp.getAResource() = node.getFile()) and
       (
         // same control
         metadata.getControl().getName() = node.getBindingPath().getControlQualifiedType()
@@ -87,22 +87,22 @@ module UI5DataFlow {
     UI5BindingPath getBindingPath() { result = bindingPath }
 
     UI5BoundNode() {
+      exists(WebApp webApp | webApp.getAResource() = this.getFile() and
+      webApp.getAResource() = bindingPath.getFile() |
       /* The relevant portion of the content of a JSONModel */
       exists(Property p, JsonModel model |
         // The property bound to an UI5View source
         this.(DataFlow::PropRef).getPropertyNameExpr() = p.getNameExpr() and
         // The binding path refers to this model
-        bindingPath.getAbsolutePath() = model.getPathString(p) and
-        inSameUI5Project(this.getFile(), bindingPath.getFile())
+        bindingPath.getAbsolutePath() = model.getPathString(p)
       )
       or
       /* The URI string to the JSONModel constructor call */
       exists(JsonModel model |
         this = model.getArgument(0) and
         this.asExpr() instanceof StringLiteral and
-        bindingPath.getAbsolutePath() = model.getPathString() and
-        inSameUI5Project(this.getFile(), bindingPath.getFile())
-      )
+        bindingPath.getAbsolutePath() = model.getPathString()
+      ))
     }
   }
 

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5HTML.qll

@@ -87,8 +87,8 @@ class FrameOptions extends TFrameOptions {
 /**
  * Holds if the frame options are left untouched as the default value `trusted`.
  */
-predicate thereIsNoFrameOptionSet(UI5::Project p) {
-  not exists(FrameOptions frameOptions | p.isInThisProject(frameOptions.getLocation().getFile()) |
+predicate thereIsNoFrameOptionSet(UI5::WebApp webapp) {
+  not exists(FrameOptions frameOptions | webapp.getAResource() = frameOptions.getLocation().getFile() |
     frameOptions.allowsSharedOriginEmbedding() or
     frameOptions.deniesEmbedding() or
     frameOptions.allowsAllOriginEmbedding()

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -98,8 +98,8 @@ abstract class UI5BindingPath extends Locatable {
       // The property bound to an UI5View source
       result.getPropertyNameExpr() = p.getNameExpr() and
       this.getAbsolutePath() = model.getPathString(p) and
-      //restrict search inside the same project
-      inSameUI5Project(this.getFile(), result.getFile())
+      //restrict search inside the same webapp
+      exists(WebApp webApp | webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile())
     )
     // TODO
     /*
@@ -142,8 +142,8 @@ abstract class UI5View extends File {
   CustomController getController() {
     // The controller name should match
     result.getName() = this.getControllerName() and
-    // The View and the Controller are in a same project
-    inSameUI5Project(this, result.getFile())
+    // The View and the Controller are in a same webapp
+    exists(WebApp webApp | webApp.getAResource() = this and webApp.getAResource() = result.getFile())
   }
 
   abstract UI5BindingPath getASource();
@@ -490,10 +490,10 @@ class XmlView extends UI5View, XmlFile {
         (
           builtInControl(element.getNamespace())
           or
-          // or a custom control with implementation code found in the project
+          // or a custom control with implementation code found in the webapp
           exists(CustomControl control |
             control.getName() = element.getNamespace().getUri() + "." + element.getName() and
-            inSameUI5Project(control.getFile(), element.getFile())
+            exists(WebApp webApp | webApp.getAResource() = control.getFile() and webApp.getAResource() = element.getFile())
           )
         )
       )
@@ -563,20 +563,20 @@ class XmlControl extends UI5Control instanceof XmlElement  {
 
   override CustomControl getDefinition() {
     result.getName() = this.getQualifiedType() and
-    inSameUI5Project(this.getFile(), result.getFile())
+    exists(WebApp webApp | webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile())
   }
 
   bindingset[propName]
   override MethodCallNode getARead(string propName) {
     // TODO: in same view
-    inSameUI5Project(this.getFile(), result.getFile()) and
+    exists(WebApp webApp | webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()) and
     result.getMethodName() = "get" + capitalize(propName)
   }
 
   bindingset[propName]
   override MethodCallNode getAWrite(string propName) {
     // TODO: in same view
-    inSameUI5Project(this.getFile(), result.getFile()) and
+    exists(WebApp webApp | webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()) and
     result.getMethodName() = "set" + capitalize(propName)
   }
 

javascript/frameworks/ui5/src/UI5Clickjacking/UI5Clickjacking.ql

@@ -17,7 +17,7 @@ private import advanced_security.javascript.frameworks.ui5.UI5
 
 class FirstLineOfMainHtml extends HTML::DocumentElement, FirstLineOf {
   FirstLineOfMainHtml() {
-    exists(UI5::Project p | this.getFile().(FirstLineOf).getFile() = p.getMainHTML())
+    exists(UI5::WebApp app | this.getFile().(FirstLineOf).getFile() = app)
   }
 }
 
@@ -51,8 +51,8 @@ where
         " being set to `allow`."
   )
   or
-  exists(UI5::Project p | thereIsNoFrameOptionSet(p) |
-    alert.asFirstLineOfMainHtml().getFile() = p.getMainHTML() and
+  exists(UI5::WebApp app | thereIsNoFrameOptionSet(app) |
+    alert.asFirstLineOfMainHtml().getFile() = app and
     message = "Possible clickjacking vulnerability due to missing frame options."
   )
 select alert, message