UI5 client side log-injection improvements

- Adds dataflow step so that existing queries can follow the path through log handlers
- Implements 2 new queries
  1. **UI5UnsafeLogAccess**: alerts for potential injection only if a custom log handler or a call to `getLogEntries` is present
  2. **UI5LogsToHttp**: alerts on tainted logs sent over the network
- Test cases
- Help `.md` files

Author: mbaluda

.github/workflows/javascript.sarif.expected

@@ -4,7 +4,7 @@
 
 import javascript
 
-newtype CdlKind =
+private newtype CdlKind =
   Service(string value) { value = "service" } or
   Entity(string value) { value = "entity" } or
   Event(string value) { value = "event" } or

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CDL.qll

@@ -89,7 +89,7 @@ Expr getRootReceiver(Expr e) {
  * An aggregation type for the two ways to access the fluent API
  * provided by the module cds.ql
  */
-newtype TCqlClause =
+private newtype TCqlClause =
   MethodCall(MethodCallExpr callExpr) {
     exists(CqlQueryBase base | base = getRootReceiver(callExpr)) or
     exists(CqlQueryBaseCall call | call = getRootReceiver(callExpr))

javascript/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CQL.qll

@@ -25,6 +25,8 @@ extensions:
       - ["SapLogger", "global", "Member[jQuery].Member[sap].Member[log]"]
       # Logging functions as well as `getLogger` also serves as a constructor
       - ["SapLogger", "SapLogger", "Member[debug,error,fatal,info,setLevel,trace,warning,getLogger].ReturnValue"]
+      - ["SapLogEntries", "SapLogger", "Member[addLogListener].Parameter[0].Member[onLogEntry].Argument[0]"]
+      - ["SapLogEntries", "SapLogger", "Member[getLogEntries].ReturnValue"]
       - ["ResourceBundle", "ResourceBundle", "Instance"]
       - ["ResourceBundle", "sap/base/i18n/ResourceBundle", ""]
       - ["Properties", "Properties", "Instance"]
@@ -64,7 +66,6 @@ extensions:
       - ["UI5ClientStorage", "sap/ui/core/util/File", ""]
       - ["UI5ClientStorage", "global", "Member[sap].Member[ui].Member[core].Member[util].Member[File]"]
 
-
   - addsTo:
       pack: codeql/javascript-all
       extensible: "sourceModel"

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -848,7 +848,7 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
     )
   }
 
-  newtype TBindingPathComponentList =
+  private newtype TBindingPathComponentList =
     MkEmptyBindingPathComponentList() or
     MkConstBindingPathComponentList(NameToken headToken, BindingPathComponentList tail, Token source) {
       exists(Token nextToken | nextToken = getNextSkippingWhitespace(headToken) |
@@ -920,7 +920,7 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
     )
   }
 
-  newtype TBindingPath =
+  private newtype TBindingPath =
     MkAbsoluteBindingPath(BindingPathComponentList pathComponents, Token source) {
       source instanceof ForwardSlashToken and
       mkBindingPathComponentList(getNextSkippingWhitespace(source), pathComponents, _)
@@ -1038,7 +1038,7 @@ module BindingStringParser<BindingStringReaderSig BindingStringReader> {
     mkRelativeBindingPathWithModel(first, bindingPath, last)
   }
 
-  newtype TBinding =
+  private newtype TBinding =
     MkBindingPath(Token first, BindingPath bindingPath, Token last) {
       exists(
         LeftBracketToken leftBracketToken, RightBracketToken rightBracketToken,

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/BindingStringParser.qll

@@ -78,6 +78,10 @@ class WebAppManifest extends File {
   WebApp getWebapp() { result = webapp }
 }
 
+predicate inSameWebApp(File f1, File f2) {
+  exists(WebApp webApp | webApp.getAResource() = f1 and webApp.getAResource() = f2)
+}
+
 /** A UI5 bootstrapped web application. */
 class WebApp extends HTML::HtmlFile {
   SapUiCoreScriptElement coreScript;
@@ -368,9 +372,7 @@ class ControlReference extends Reference {
         result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() = propertyName
       )
     ) and
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this.getFile(), result.getFile())
   }
 
   MethodCallNode getAWrite(string propertyName) {
@@ -400,9 +402,7 @@ class ControlReference extends Reference {
         result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() = propertyName
       )
     ) and
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this.getFile(), result.getFile())
   }
 }
 
@@ -1297,7 +1297,7 @@ class Extension extends InvokeNode, MethodCallNode {
   SapDefineModule getDefine() { this.getEnclosingFunction() = result.getArgument(1).asExpr() }
 }
 
-newtype TSapElement =
+private newtype TSapElement =
   DefinitionOfElement(Extension extension) or
   ReferenceOfElement(Reference reference)
 
@@ -1437,9 +1437,7 @@ class PropertyMetadata extends ObjectLiteralNode {
       result.getMethodName() = "setProperty" and
       result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() = name
     ) and
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this.getFile(), result.getFile())
   }
 
   MethodCallNode getARead() {
@@ -1474,8 +1472,6 @@ class PropertyMetadata extends ObjectLiteralNode {
       result.getMethodName() = "getProperty" and
       result.getArgument(0).getALocalSource().asExpr().(StringLiteral).getValue() = name
     ) and
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this.getFile(), result.getFile())
   }
 }

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5.qll

@@ -2,7 +2,7 @@ import javascript
 import DataFlow
 import advanced_security.javascript.frameworks.ui5.UI5
 
-newtype TFrameOptions =
+private newtype TFrameOptions =
   /*
    *  <script id='sap-ui-bootstrap'
    * 	  src='resources/sap-ui-core.js'

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5HTML.qll

@@ -136,9 +136,7 @@ abstract class UI5BindingPath extends BindingPath {
     )
     // and
     // /* This binding path and the resulting model should live inside the same webapp */
-    // exists(WebApp webApp |
-    //   webApp.getAResource() = this.getFile() and webApp.getAResource() = result.getFile()
-    // )
+    // inSameWebApp(this.getFile(), result.getFile())
   }
 
   /**
@@ -151,10 +149,7 @@ abstract class UI5BindingPath extends BindingPath {
       result.(DataFlow::PropWrite).getPropertyNameExpr() = p.getNameExpr() and
       this.getAbsolutePath() = model.getPathString(p) and
       /* Restrict search to inside the same webapp. */
-      exists(WebApp webApp |
-        webApp.getAResource() = this.getLocation().getFile() and
-        webApp.getAResource() = result.getFile()
-      )
+      inSameWebApp(this.getLocation().getFile(), result.getFile())
     )
     or
     /* 1-2. Internal (Client-side) model, model loaded from JSON file */
@@ -164,19 +159,13 @@ abstract class UI5BindingPath extends BindingPath {
       this.getPath() = model.getPathStringPropName(propName) and
       exists(JsonObject obj, JsonValue val | val = obj.getPropValue(propName)) and
       /* Restrict search to inside the same webapp. */
-      exists(WebApp webApp |
-        webApp.getAResource() = this.getLocation().getFile() and
-        webApp.getAResource() = result.getFile()
-      )
+      inSameWebApp(this.getLocation().getFile(), result.getFile())
     )
     or
     /* 2. External (Server-side) model */
     result = this.getModel().(UI5ExternalModel) and
     /* Restrict search to inside the same webapp. */
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getLocation().getFile() and
-      webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this.getLocation().getFile(), result.getFile())
   }
 }
 
@@ -212,9 +201,7 @@ abstract class UI5View extends File {
     /* The controller name should match between the view and the controller definition. */
     result.getName() = this.getControllerName() and
     /* The View and the Controller are in a same webapp. */
-    exists(WebApp webApp |
-      webApp.getAResource() = this and webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this, result.getFile())
   }
 
   abstract UI5Control getControl();
@@ -304,10 +291,7 @@ class JsView extends UI5View {
         /* 2. A custom control with implementation code found in the webapp */
         exists(CustomControl control |
           control.getName() = node.asExpr().getAChildExpr().(DotExpr).getQualifiedName() and
-          exists(WebApp webApp |
-            webApp.getAResource() = control.getFile() and
-            webApp.getAResource() = node.getFile()
-          )
+          inSameWebApp(control.getFile(), node.getFile())
         )
       )
     )
@@ -367,10 +351,7 @@ class JsonView extends UI5View {
         /* 2. A custom control with implementation code found in the webapp */
         exists(CustomControl control |
           control.getName() = object.getPropStringValue("Type") and
-          exists(WebApp webApp |
-            webApp.getAResource() = control.getFile() and
-            webApp.getAResource() = object.getFile()
-          )
+          inSameWebApp(control.getFile(), object.getFile())
         )
       )
     )
@@ -516,10 +497,7 @@ class HtmlView extends UI5View, HTML::HtmlFile {
         /* 2. A custom control with implementation code found in the webapp */
         exists(CustomControl control |
           control.getName() = element.getAttributeByName("sap-ui-type").getValue() and
-          exists(WebApp webApp |
-            webApp.getAResource() = control.getFile() and
-            webApp.getAResource() = element.getFile()
-          )
+          inSameWebApp(control.getFile(), element.getFile())
         )
       )
     )
@@ -699,17 +677,14 @@ class XmlView extends UI5View instanceof XmlFile {
         /* 2. A custom control with implementation code found in the webapp */
         exists(CustomControl control |
           control.getName() = element.getNamespace().getUri() + "." + element.getName() and
-          exists(WebApp webApp |
-            webApp.getAResource() = control.getFile() and
-            webApp.getAResource() = element.getFile()
-          )
+          inSameWebApp(control.getFile(), element.getFile())
         )
       )
     )
   }
 }
 
-newtype TUI5Control =
+private newtype TUI5Control =
   TXmlControl(XmlElement control) or
   TJsonControl(JsonObject control) {
     exists(JsonView view | control.getParent() = view.getRoot().getPropValue("content"))
@@ -801,10 +776,7 @@ class UI5Control extends TUI5Control {
    */
   CustomControl getDefinition() {
     result.getName() = this.getQualifiedType() and
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and
-      webApp.getAResource() = result.getFile()
-    )
+    inSameWebApp(this.getFile(), result.getFile())
   }
 
   /**
@@ -840,20 +812,14 @@ class UI5Control extends TUI5Control {
   bindingset[propName]
   MethodCallNode getARead(string propName) {
     // TODO: in same view
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and
-      webApp.getAResource() = result.getFile()
-    ) and
+    inSameWebApp(this.getFile(), result.getFile()) and
     result.getMethodName() = "get" + capitalize(propName)
   }
 
   bindingset[propName]
   MethodCallNode getAWrite(string propName) {
     // TODO: in same view
-    exists(WebApp webApp |
-      webApp.getAResource() = this.getFile() and
-      webApp.getAResource() = result.getFile()
-    ) and
+    inSameWebApp(this.getFile(), result.getFile()) and
     result.getMethodName() = "set" + capitalize(propName)
   }
 
@@ -879,7 +845,7 @@ class UI5Control extends TUI5Control {
   CustomController getController() { result = this.getView().getController() }
 }
 
-newtype TUI5ControlProperty =
+private newtype TUI5ControlProperty =
   TXmlControlProperty(XmlAttribute property) or
   TJsonControlProperty(JsonValue property) or
   TJsControlProperty(ValueNode property)

javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll

@@ -61,7 +61,7 @@ class LocalModelContentBoundBidirectionallyToHtmlISinkControl extends DomBasedXs
 }
 
 module UI5PathGraph {
-  newtype TNode =
+  private newtype TNode =
     TUI5BindingPathNode(UI5BindingPath path) or
     TDataFlowNode(DataFlow::Node node)
 
@@ -76,6 +76,12 @@ module UI5PathGraph {
       result = this.asUI5BindingPathNode().toString()
     }
 
+    File getFile() {
+      result = this.asDataFlowNode().getFile()
+      or
+      result = this.asUI5BindingPathNode().getView()
+    }
+
     predicate hasLocationInfo(
       string filepath, int startline, int startcolumn, int endline, int endcolumn
     ) {