d0f9ac1
Add draft binding string parser
rvermeulen Nov 3, 2023
7e34a50
Add draft binding modeling
rvermeulen Nov 3, 2023
8fc7310
Add support for binding path parsing in path values
rvermeulen Nov 14, 2023
276664f
Add predicate to parse bindings
rvermeulen Nov 14, 2023
149d64a
Use binding parser on binding strings
rvermeulen Nov 14, 2023
34c0093
Address incorrect identification of context binding attribute
rvermeulen Nov 15, 2023
b599ada
Reuse StringBinding class
rvermeulen Nov 15, 2023
751981f
Add test for XML property and context binding
rvermeulen Nov 15, 2023
d7d23d4
Add JavaScript binding calls to the list of considered string
rvermeulen Nov 15, 2023
e108f54
Generalize late JavaScript bindings
rvermeulen Nov 15, 2023
e521396
Extend the binding test cases
rvermeulen Nov 15, 2023
49e7d71
Handle composite bindings
rvermeulen Nov 15, 2023
e37fb86
Add qldoc to clarify the different bindings
rvermeulen Nov 15, 2023
969f8a4
Format QL module
rvermeulen Nov 15, 2023
78f69fb
Improve early JavaScript binding detection
rvermeulen Nov 16, 2023
db28c78
Add HTML test case to bindings tests
rvermeulen Nov 16, 2023
f95dc01
Address incorrect expected file
rvermeulen Nov 16, 2023
ee0dcda
Add support for JSON bindings
rvermeulen Nov 16, 2023
0813a1e
Add qldoc to Binding class
rvermeulen Nov 17, 2023
c8b05ed
Apply query format
rvermeulen Nov 17, 2023
1fa88f2
Rename StringBinding to BindingString
rvermeulen Nov 17, 2023
54945ae
Improve Bindings module interface by hiding implementation details
rvermeulen Nov 17, 2023
d656503
Add JSON test file with bindings
rvermeulen Nov 22, 2023
979d14b
Rename BindingValue to StaticBindingValue
rvermeulen Nov 23, 2023
d7c5cfb
Generalize dynamic binding to Node instead
rvermeulen Nov 23, 2023
b1b7ced
Associate binding with possible binding paths
rvermeulen Nov 30, 2023
b3b49bf
Add support for binding paths using a `.` separator
rvermeulen Nov 30, 2023
2e413a9
Find binding paths in arrays such as in composite bindings
rvermeulen Nov 30, 2023
41714aa
Move implementation to binding
rvermeulen Nov 30, 2023
d9da3cc
Add todo to getBindingString for missing case
rvermeulen Nov 30, 2023
10fd422
Add location information to the parsed binding strings
rvermeulen Dec 1, 2023
b88fa58
Improve early and late JavaScript binding
rvermeulen Dec 1, 2023
b39c64a
Add location to binding
rvermeulen Dec 1, 2023
9522319
QL formatting
rvermeulen Dec 1, 2023
a3856b2
Address cases where a value can both be constant and a name
rvermeulen Dec 2, 2023
8c90643
Improve relative binding path detection
rvermeulen Dec 2, 2023
4271a25
Add getLocation for debugging purposes
rvermeulen Dec 2, 2023
3b90c42
Make number and name token mutual excusive
rvermeulen Dec 2, 2023
26221fd
Add helper predicates
rvermeulen Dec 4, 2023
067f34c
Remove superfluous signature
rvermeulen Dec 7, 2023
d2e1c1b
Fix QL doc formatting
rvermeulen Dec 7, 2023
a59d696
Replace late binding newtype with abstract class
rvermeulen Dec 7, 2023
1c82a52
Change JSON property binding definition
rvermeulen Dec 7, 2023
05e043e
Add a class BindingTarget to represents binding targets
rvermeulen Dec 7, 2023
22530c6
Add member predicate to get the string representation of a binding path
rvermeulen Dec 7, 2023
8248bfe
Add QLdocs
rvermeulen Dec 7, 2023
a52c867
Address incorrect argument for bindValue
rvermeulen Dec 8, 2023
70f105f
Give appropiate name to parameter
rvermeulen Dec 8, 2023
952d3c2
Address incorrect expected file
rvermeulen Dec 8, 2023
6d6eb47
Fix formatting
rvermeulen Dec 8, 2023
@@ -0,0 +1,6 @@
| test.js:1:30:1:45 | {/foo/bar/baz} |
| test.js:2:30:2:44 | {foo/bar/baz} |
| test.js:4:41:4:62 | {model>/foo/bar/baz} |
| test.js:5:41:5:61 | {model>foo/bar/baz} |
| test.js:7:41:7:98 | {path : /foo/bar/baz, type : "sap.ui.model.type.String"} |
| test.js:8:41:8:97 | {path : foo/bar/baz, type : "sap.ui.model.type.String"} |
@@ -0,0 +1,20 @@
import javascript
import advanced_security.javascript.frameworks.ui5.Bindings
import advanced_security.javascript.frameworks.ui5.BindingStringParser as Make

class BindingStringReader extends StringLiteral {
BindingStringReader() {
this.getValue().matches("{%}")
}

string getBindingString() {
result = this.getValue()
}
}

module BindingStringParser = Make::BindingStringParser<BindingStringReader>;

from BindingStringParser::Binding binding
select binding


@@ -0,0 +1,8 @@
const simple_absolute_path = '{/foo/bar/baz}';
const simple_relative_path = '{foo/bar/baz}';

const simple_absolute_path_with_model = '{model>/foo/bar/baz}';
const simple_relative_path_with_model = '{model>foo/bar/baz}';

const simple_absolute_with_properties = "{path: '/foo/bar/baz', type: 'sap.ui.model.type.String'}";
const simple_relative_with_properties = "{path: 'foo/bar/baz', type: 'sap.ui.model.type.String'}";
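--- a/javascript/frameworks/ui5/test/lib/Bindings/Bindings.expected
+++ b/javascript/frameworks/ui5/test/lib/Bindings/Bindings.expected
@@ -0,0 +1,22 @@
+| test.html:5:11:5:31 | XML property binding: data-value to {/input} |
+| test.html:8:11:8:33 | XML property binding: data-content to {/input} |
+| test.js:10:20:10:33 | Early JavaScript property binding: {\\n ... } to "{/root/name}" |
+| test.js:21:28:21:34 | JavaScript context binding: oInput to "/root" |
+| test.js:23:38:23:43 | Late JavaScript property binding: value to "name" |
+| test.js:26:60:34:9 | Early JavaScript property binding: {\\n ... } to {\\n ... } |
+| test.js:38:48:44:9 | Late JavaScript property binding: value to {\\n ... } |
+| test.js:48:19:48:42 | Early JavaScript property binding: {\\n ... } to "{/#foo ... label}" |
+| test.json:9:21:9:29 | JSON property binding: items to {/Base} |
+| test.json:15:30:15:38 | JSON property binding: value to {input} |
+| test.json:19:32:19:78 | JSON property binding: content to {path : /input, formatter : ".valueFormatter"} |
+| test.xml:2:5:2:28 | XML property binding: value to {foo} |
+| test.xml:3:5:3:29 | XML property binding: value to {/foo} |
+| test.xml:4:5:4:34 | XML property binding: value to {model>foo} |
+| test.xml:5:5:5:35 | XML property binding: value to {model>/foo} |
+| test.xml:6:5:8:29 | XML context binding: binding to {/root} |
+| test.xml:6:5:8:29 | XML property binding: value to {foo} |
+| test.xml:9:5:9:70 | XML property binding: value to {path : foo, type : "sap.ui.model.type.String"} |
+| test.xml:10:5:10:71 | XML property binding: value to {path : /foo, type : "sap.ui.model.type.String"} |
+| test.xml:11:5:11:77 | XML property binding: value to {path : model>/foo, type : "sap.ui.model.type.String"} |
+| test.xml:12:5:12:76 | XML property binding: value to {path : model>foo, type : "sap.ui.model.type.String"} |
+| test.xml:14:5:22:45 | XML property binding: value to {parts : [{path : foo}, {path : bar/baz}, {path : quux}], formatter : "some.formatter"} |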
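--- a/javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql
+++ b/javascript/frameworks/ui5/test/lib/Bindings/Bindings.ql
@@ -0,0 +1,4 @@
+import javascript
+import advanced_security.javascript.frameworks.ui5.Bindings
+
+select any(Binding b)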
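Review bot: The test query's `select any(Binding b)` is a point of style rather than a defect: it relies on the aggregate form of `any` to enumerate every binding, which reads differently from the companion test under the same PR that spells the same intent as a `from ... select` (see the BindingStringParser test, `from BindingStringParser::Binding binding select binding`). Writing it as `from Binding b select b` keeps the two test queries parallel and makes it obvious that every binding is expected in Bindings.expected. A short QLDoc line such as `/** Lists every binding the Bindings library recognises in the test fixtures. */` above the imports would also help a reader opening the .expected file understand what the 22 rows are.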
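--- a/javascript/frameworks/ui5/test/lib/Bindings/test.html
+++ b/javascript/frameworks/ui5/test/lib/Bindings/test.html
@@ -0,0 +1,10 @@
+<template data-controller-name="codeql-sap-js.controller.app">
+<div data-sap-ui-type="sap.m.Input"
+data-placeholder="Enter Payload"
+data-description="Try: &lt;img src=x onerror=alert(&quot;XSS&quot;)&gt;"
+data-value="{/input}">
+</div>
+<div data-sap-ui-type="sap.ui.core.HTML"
+data-content="{/input}">
+</div>
+</template>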
52 changes: 52 additions & 0 deletions javascript/frameworks/ui5/test/lib/Bindings/test.js
@@ -0,0 +1,52 @@
sap.ui.define([
"sap/ui/core/mvc/Controller"
], function(Controller) {
"use strict";

return Controller.extend("foo", {
onInit: function() {
// Early property binding
var oInputWithEarlyPropertyBinding = new sap.m.Input({

value: "{/root/name}"
});

// Early dynamic property binding
const model = "model";
var oInputWithEarlyDynamicPropertyBinding = new sap.m.Input({

value: "{" + model + "</root/name}"
});

var oInputWithLateBinding = this.byId("foo");

// Late context binding
oInput.bindElement("/root");
// Late property binding
oInput.bindProperty("value", "name");

// Early composite binding
var oInputWithEarlyContextBinding = new sap.m.Input({

value: {
parts: [
{ path: "/foo", type: new sap.ui.model.type.String() },
{ path: "/bar" },
{ path: "baz>/quux", type: new sap.ui.model.type.Float() }
]
}
});

// Late composite binding
var oInputWithLateContextBinding = this.byId("foo");
oInputWithLateContextBinding.bindValue({
parts: [
{ path: "/foo", type: new sap.ui.model.type.String() },
{ path: "/bar" },
{ path: "baz>/quux", type: new sap.ui.model.type.Float() }
]
});

// Early property metadata binding
var oLabel = new sap.m.Label({

text: "{/#foo/bar/@sap:label}"
});
}
});
});
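Review bot: `oInput.bindElement("/root");` and `oInput.bindProperty("value", "name");` (file lines 21 and 23) refer to `oInput`, which is never declared anywhere in `onInit`; the control fetched two lines earlier is stored in `oInputWithLateBinding` and then never used, which is what the unused-variable notice on that line is reporting. The fixture only needs to be extracted, not executed, so the static results in Bindings.expected are unaffected, but as written the controller would raise a ReferenceError if it ever ran, and a future reader may assume the late bindings are attached to the control from `this.byId("foo")`. Since Bindings.expected already names `oInput` as the context-binding target, the smallest consistent fix is to rename the declaration rather than the calls: `var oInput = this.byId("foo");`. The same pattern is already correct for the late composite binding a few lines below, where `oInputWithLateContextBinding` is both declared and used.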
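--- a/javascript/frameworks/ui5/test/lib/Bindings/test.json
+++ b/javascript/frameworks/ui5/test/lib/Bindings/test.json
@@ -0,0 +1,24 @@
+{
+"Type": "sap.ui.core.mvc.JSONView",
+"controllerName": "codeql-sap-js.controller.app",
+"content": [
+{
+"Type": "sap.ui.commons.Carousel",
+"width": "100%",
+"orientation": "horizontal",
+"items":"{/Base}",
+"content": [
+{
+"Type": "sap.m.Input",
+"placeholder": "Enter Payload",
+"description": "Try: <img src=x onerror=alert(\"XSS\")>",
+"value": "{input}"
+},
+{
+"Type": "sap.ui.core.HTML",
+"content": "{path:'/input', formatter: '.valueFormatter'}"
+}
+]
+}
+]
+}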
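--- a/javascript/frameworks/ui5/test/lib/Bindings/test.xml
+++ b/javascript/frameworks/ui5/test/lib/Bindings/test.xml
@@ -0,0 +1,23 @@
+<mvc:View xmlns:mvc="sap.ui.core.mvc" xmlns="sap.m">
+<Input value="{foo}" />
+<Input value="{/foo}" />
+<Input value="{model>foo}" />
+<Input value="{model>/foo}" />
+<Input
+value="{foo}"
+binding="{/root}" />
+<Input value="{path: 'foo', type: 'sap.ui.model.type.String'}" />
+<Input value="{path: '/foo', type: 'sap.ui.model.type.String'}" />
+<Input value="{path: 'model>/foo', type: 'sap.ui.model.type.String'}" />
+<Input value="{path: 'model>foo', type: 'sap.ui.model.type.String'}" />
+
+<Input
+value="{
+parts:
+[
+{path: 'foo'},
+{path: 'bar/baz'},
+{path: 'quux'}
+],
+formatter: 'some.formatter'}" />
+</mvc:View>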