Skip to content

Port UI5PathGraph to use the newer data flow API #216

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

Port UI5PathGraph to use the newer data flow API #216

wants to merge 18 commits into from

Conversation

jeongsoolee09
Copy link
Contributor

@jeongsoolee09 jeongsoolee09 commented Aug 13, 2025
edited
Loading

What This PR Contributes

Port over UI5PathGraph and all UI5 queries depending on it

Port UI5 queries from the old data flow API that uses TaintTracking::Configuration to the new one. Porting UI5 queries requires care since it depends on UI5PathGraph that enables UI5 binding paths appearing in UI5 views (e.g. XML views) to be included in the path information.

The implementation of UI5PathGraph previously depended upon the fact that there is only one PathNode type: DataFlow::PathNode. This is no longer the case with the newer API where each data flow configuration module has their own PathNode types. Therefore, the new UI5PathGraph is parameterized on a data flow configuration module like the following:

module UI5PathGraph<DataFlow::PathNodeSig ConfigPathNode, DataFlow::PathGraphSig<ConfigPathNode> ConfigPathGraph> {
  ...
}

One could argue that it could be shortened to module UI5PathGraph<DataFlow::GlobalFlowSig ConfigModule> based on the usage module UI5XssUI5PathGraph = UI5PathGraph<UI5XssFlow::PathNode, UI5XssFlow::PathGraph>, but ConfigModule::PathNode does not expose getNode since there is no type-level constraint on the member PathNode (its declaration is only class PathNode;).

Resolve deprecation warning on AmdModuleDefinition.getDependency/1

Use AmdModuleDefinition.getDependencyExpr/1 instead because of the above being deprecated.

Future Works

  • Write a developer's guideline on using the new UI5PathGraph, as it is easy to forget to import the instantiated UI5PathGraph.
  • Resolve the deprecation warning on PathString.

@jeongsoolee09
Parameterize UI5PathGraph on PathNodeSig and PathGraphSig
a97afee
@jeongsoolee09
Port over UI5Xss
17f2897
@jeongsoolee09
Update expected results of UI5Xss
c62ef21 
All of the disappeared edges are circular ones that "circles back"
on itself and does not influence the analysis at all.
@jeongsoolee09
Rename the second parameter to ConfigPathGraph
7a9f335
@jeongsoolee09
Port over UI5PathInjection
781ae31 
- Port over UI5PathInjection.
- Create a UI5PathInjectionQuery file and move the configuration there.
- Update expected results of the query.
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/port-UI5PathGraph
54a8654
@jeongsoolee09 jeongsoolee09 changed the title Port UI5PathGraph to use the newer data flow API Port UI5PathGraph to use the newer data flow API Aug 13, 2025
@knewbury01 knewbury01 mentioned this pull request Aug 15, 2025
Merged
@jeongsoolee09
Port over UI5LogInjection
5634682 
NOTE: The end-to-end results of the queries are okay (the #select portion is unchanged),
but there are difference in `nodes` and `edges` that probably needs attention.
@jeongsoolee09
Remove commented out code
4c5b7f6
@jeongsoolee09
Port over UI5LogsToHttp
32aba1c 
NOTE: The end-to-end results of the queries are okay (the `#select` portion is unchanged),
but there are difference in `nodes` and `edges` that probably needs attention.
@jeongsoolee09
Port over UI5UnsafeLogAccess
dbcdcbf
@jeongsoolee09
Port over UI5FormulaInjection
fbc03f5
@jeongsoolee09
Update expected results of UI5UnsafeLogAccess
eae4c93
@jeongsoolee09
Update expected results
9b09c02 
These are results with changes in only nodes and edges.
We accept it because it means there are no changes in
the overall behavior.
@jeongsoolee09
Update expected results
6df3a9e 
These are results with changes in only nodes and edges.
We accept it because it means there are no changes in
the overall behavior.
@jeongsoolee09
Merge branch 'main' into jeongsoolee09/port-UI5PathGraph
f7c00b7
@jeongsoolee09
Port over formulaSinkTest and expected results
638a1cc
@jeongsoolee09
Merge branch 'jeongsoolee09/port-UI5PathGraph' of github.com:advanced…
803f57e 
…-security/codeql-sap-js into jeongsoolee09/port-UI5PathGraph
@jeongsoolee09
Update expected results of formulaSinkTest
615c1b9
@jeongsoolee09 jeongsoolee09 marked this pull request as ready for review August 19, 2025 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knewbury01 knewbury01 Awaiting requested review from knewbury01

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jeongsoolee09