Add small investigative modelling for fragments - WIP #270
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/webapp/view/app.view.html
Dismissed
Show dismissed
Hide dismissed
javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/webapp/view/app.view.html
Dismissed
Show dismissed
Hide dismissed
data-douser
added
enhancement
There was a problem hiding this comment.
Pull request overview
This PR adds support for modeling XML fragments in SAPUI5 applications to enable XSS vulnerability detection. It introduces the ability to track data flow through programmatically instantiated fragments using both Controller.loadFragment() and Fragment.load() APIs.
Key changes:
- New
Fragment.qllmodule to model Fragment.load() API calls - Extended
UI5View.qllwith XmlFragment class to handle fragment definitions - Added two test cases demonstrating XSS detection through fragments loaded via different methods
Reviewed changes
Copilot reviewed 22 out of 24 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Fragment.qll | New module defining FragmentLoad class to model sap.ui.core.Fragment.load() API calls and extract configuration parameters |
| javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll | Extended with XmlFragment class (lines 690-777) to model XML fragments, their controllers, sources, and sinks; updated TUI5Control to include fragment.xml files |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/* | Test case using Controller.loadFragment() to load a fragment with XSS source and sink |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/* | Test case using Fragment.load() with explicit controller parameter to load a fragment with XSS source and sink |
Files not reviewed (2)
- javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment-load/package-lock.json: Language not supported
- javascript/frameworks/ui5/test/queries/UI5Xss/xss-xml-fragment/package-lock.json: Language not supported
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "sap/ui/model/json/JSONModel", | ||
| "sap/ui/core/Fragment" | ||
| ], function (Controller, JSONModel, Fragment) { | ||
| "use strict" |
There was a problem hiding this comment.
Missing semicolon after the "use strict" directive. This should be "use strict"; for consistency and to avoid potential issues with ASI (Automatic Semicolon Insertion).
| "use strict" | |
| "use strict"; |
| oView.placeAt("content"); | ||
| }); | ||
|
|
||
| }); No newline at end of file |
There was a problem hiding this comment.
Missing semicolon after the closing parenthesis of the function call. The statement should end with a semicolon for consistency with JavaScript best practices.
| }); | |
| }); |
| import advanced_security.javascript.frameworks.ui5.UI5 | ||
|
|
||
| /** | ||
| * Gets a reference to the Fragment module import. |
There was a problem hiding this comment.
The documentation comment says "Gets a reference to the Fragment module import" but the class name is FragmentLoad, which represents a Fragment.load() call rather than just a module import. The comment should be updated to clarify that this class models calls to Fragment.load() or Controller.loadFragment().
| * Gets a reference to the Fragment module import. | |
| * Models calls to sap.ui.core.Fragment.load() or Controller.loadFragment(). |
| /** | ||
| * A UI5 Fragment that might include XSS sources and sinks in standard controls. | ||
| */ | ||
| abstract class UI5Fragment extends File { | ||
| abstract UI5Control getControl(); | ||
|
|
||
| abstract UI5BindingPath getASource(); | ||
|
|
||
| abstract UI5BindingPath getAnHtmlISink(); | ||
| } |
There was a problem hiding this comment.
The abstract class UI5Fragment is defined but never used. The XmlFragment class extends UI5View instead of UI5Fragment. Either remove this unused abstract class or update XmlFragment to extend UI5Fragment if that was the original intent. If UI5Fragment is intended for future use (as mentioned in the PR description for JS fragments), consider adding a comment to clarify this.
| "sap/ui/core/mvc/Controller", | ||
| "sap/ui/model/json/JSONModel" | ||
| ], function (Controller, JSONModel) { | ||
| "use strict" |
There was a problem hiding this comment.
Missing semicolon after the "use strict" directive. This should be "use strict"; for consistency and to avoid potential issues with ASI (Automatic Semicolon Insertion).
| "use strict" | |
| "use strict"; |
| }.bind(this)); | ||
| } | ||
| }); | ||
| }) No newline at end of file |
There was a problem hiding this comment.
Missing semicolon after the closing parenthesis of the function call. The statement should end with a semicolon for consistency with JavaScript best practices.
| }) | |
| }); |
| }.bind(this)); | ||
| } | ||
| }); | ||
| }) No newline at end of file |
There was a problem hiding this comment.
Missing semicolon after the closing parenthesis of the function call. The statement should end with a semicolon for consistency with JavaScript best practices.
| }) | |
| }); |
| oView.placeAt("content"); | ||
| }); | ||
|
|
||
| }); No newline at end of file |
There was a problem hiding this comment.
Missing semicolon after the closing parenthesis of the function call. The statement should end with a semicolon for consistency with JavaScript best practices.
| }); | |
| }); | |
| ; |
| or | ||
| exists(RequiredObject requiredModule, SapDefineModule sapModule | | ||
| this = requiredModule.asSourceNode().getAMemberCall("load") and | ||
| //ensure it is an sap module define |
There was a problem hiding this comment.
Inconsistent comment style. This line uses a C++-style comment (//) while the rest of the file uses QLDoc comments (/** ... */). Consider using a QLDoc comment or block comment for consistency.
| //ensure it is an sap module define | |
| /* ensure it is an sap module define */ |
What This PR Contributes
QL models and tests for Xml Fragments that are programatically instantiated
Future Works
<Fragment>tags and no programatic controller association (declarative views)