Adds a local source for separate Control implementations.#329
Merged: data-douser merged 9 commits into main, Mar 18, 2026
Conversation
Contributor
Pull request overview
Updates the UI5 XSS query test expectations to account for a newly introduced “local source” representing custom control property metadata, so that XSS flows are also reported when the tainted value is modeled as coming from a custom control’s (string) property definition.
Changes:
- Added a new `DomBasedXss::Source` (`LocalModelStringPropertySource`) in `UI5DataFlow.qll` that maps a binding path's target property to the corresponding custom control `PropertyMetadata`.
- Updated multiple `UI5Xss.expected` files to include the additional result path where the source is the custom control property metadata (e.g., `{ type: "string" }`).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll | Adds a new “local” source class based on custom control property metadata reached from a binding path. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/UI5Xss.expected | Adds an additional expected result selecting the custom control property metadata as the source. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/UI5Xss.expected | Same as above for renderer resolved by name. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/UI5Xss.expected | Same as above for indirect control inheritance case. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/UI5Xss.expected | Same as above for jQuery-based custom control variant. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/UI5Xss.expected | Same as above for API v1-style renderer access. |
| javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/UI5Xss.expected | Same as above for API v2-style renderer access. |
Review threads on ...ript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/dataflow/UI5DataFlow.qll: 3 (2 outdated), all resolved
knewbury01 reviewed Mar 12, 2026
Review thread on javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/UI5Xss.expected: resolved
Code scanning alerts on ...i5/test/queries/UI5Xss/xss-custom-control-apis/xss-custom-control-api3/webapp/control/xss.js: 2 fixed
Adds a test comprising 2 separate UI5 apps
Code scanning alerts on ...i5/test/queries/UI5Xss/xss-custom-control-apis/xss-custom-control-api3/webapp/control/xss.js: 2 dismissed
This pull request introduces improved detection of XSS vulnerabilities in UI5 custom controls, especially when string properties are used and the control implementation is separated from the main UI5 app.