Skip to content

Improve UI5Xss.ql query to detect default OData model with bindElement #283

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
data-douser wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Improve UI5Xss.ql query to detect default OData model with bindElement #283

data-douser wants to merge 2 commits into from

Conversation

@data-douser
Copy link
Collaborator

@data-douser data-douser commented Jan 23, 2026

What This PR Contributes

This pull request improves the detection of XSS vulnerabilities in SAP UI5 applications by enhancing the binding analysis logic and adding a comprehensive test case for scenarios involving fragments and default OData models. The main changes include refining how context bindings via bindElement are tracked, updating the logic for identifying default model usage, and introducing a new test suite to validate the detection of XSS in this context.

Outline of Changes

Key improvements include:

Improvements to OData Default Model Binding Detection:

  • Added a new method getBindElementCall() to the Binding class to accurately retrieve the bindElement method call node for context bindings.
  • Updated the asBinding() method in DefaultODataServiceModel to match context bindings whose bindElement call is this node, improving the association between the model and its bindings.
  • Refined the logic in UI5BindingPath to only consider setModel calls within the same webapp, preventing false associations with unrelated models.

New Test Case for XSS Vulnerability:

  • Added a complete test scenario (xss-fragment-odata-default-model) demonstrating an XSS vulnerability when a fragment is bound to an OData entity via the default model and displays unsanitized data. This includes all necessary configuration, controller, fragment, and manifest files. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]

@data-douser
UI5 XSS detect default OData model w/ bindElement
c36405e 
The setModel check in UI5BindingPath.getASource() was globally scoped, causing
detection to fail when apps with explicit setModel calls were in the same
database as apps using default OData models from manifest.json.

Changes:
- Bindings.qll: Add getBindElementCall() method to Binding class
- RemoteFlowSources.qll: Fix DefaultODataServiceModel.asBinding() to use
  getBindElementCall() for proper context binding matching
- UI5View.qll: Scope setModel check to same webapp using inSameWebApp()
- Add test case xss-fragment-odata-default-model validating the fix

All 26 UI5Xss tests pass.
@data-douser data-douser requested a review from Copilot January 23, 2026 02:51
@data-douser data-douser self-assigned this Jan 23, 2026
Copilot AI reviewed Jan 23, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request enhances the detection of XSS vulnerabilities in SAP UI5 applications by improving how context bindings via bindElement are tracked when using default OData models. The changes refine the query logic to more accurately identify when fragments bound to OData entities through the default model contain XSS vulnerabilities.

Changes:

  • Added getBindElementCall() method to retrieve the bindElement call node from context bindings
  • Fixed DefaultODataServiceModel.asBinding() to correctly match bindings by their bindElement call
  • Refined model resolution logic to only consider setModel calls within the same webapp
  • Added comprehensive test case demonstrating XSS vulnerability detection with fragments and default OData models

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.

File Description
javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/Bindings.qll Added getBindElementCall() method to extract bindElement call from context bindings
javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/RemoteFlowSources.qll Fixed DefaultODataServiceModel.asBinding() to correctly match bindings using the new method
javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5View.qll Refined model resolution to only check setModel calls in same webapp
javascript/frameworks/ui5/test/queries/UI5Xss/xss-fragment-odata-default-model/* Complete test case with manifest, controllers, views, fragments, and expected results

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 23, 2026
View reviewed changes
...st/queries/UI5Xss/xss-fragment-odata-default-model/webapp/fragments/DataDisplay.fragment.xml
<VBox class="sapUiSmallMargin">
<Label text="Message from OData:" />
<!-- XSS vulnerability: HTML content bound to OData property containing unsanitized data -->
<core:HTML content="{message}" />

Check failure

Code scanning / CodeQL

UI5 Client-side cross-site scripting High test

XSS vulnerability due to
user-provided value
Loading
.
@data-douser data-douser marked this pull request as ready for review January 23, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mbaluda mbaluda Awaiting requested review from mbaluda

@knewbury01 knewbury01 Awaiting requested review from knewbury01

At least 1 approving review is required to merge this pull request.

Assignees

@data-douser data-douser

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@data-douser