Client side request forgery from jQuery.sap.getUriParameters()

javascript/frameworks/cap/ext/qlpack.yml

@@ -3,4 +3,4 @@ library: true
 name: advanced-security/javascript-sap-cap-models
 version: 2.25.0
 extensionTargets:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"

javascript/frameworks/cap/lib/qlpack.yml

@@ -5,4 +5,4 @@ version: 2.25.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"

javascript/frameworks/cap/src/qlpack.yml

@@ -5,6 +5,6 @@ version: 2.25.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-cap-all: "2.24.3"
+  codeql/javascript-all: "^2.6.24"
+  advanced-security/javascript-sap-cap-all: "2.25.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/cap/test/qlpack.yml

@@ -3,7 +3,7 @@ name: advanced-security/javascript-sap-cap-queries-tests
 version: 2.25.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-cap-queries: "2.24.3"
-  advanced-security/javascript-sap-cap-models: "2.24.3"
-  advanced-security/javascript-sap-cap-all: "2.24.3"
+  codeql/javascript-all: "^2.6.24"
+  advanced-security/javascript-sap-cap-queries: "2.25.0"
+  advanced-security/javascript-sap-cap-models: "2.25.0"
+  advanced-security/javascript-sap-cap-all: "2.25.0"

javascript/frameworks/ui5-webcomponents/test/qlpack.yml

@@ -2,5 +2,5 @@ name: advanced-security/javascript-sap-ui5-webcomponents-for-react-test
 version: 2.25.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-ui5-all: "2.24.3"
+  codeql/javascript-all: "^2.6.24"
+  advanced-security/javascript-sap-ui5-all: "2.25.0"

javascript/frameworks/ui5/ext/qlpack.yml

@@ -3,6 +3,6 @@ library: true
 name: advanced-security/javascript-sap-ui5-models
 version: 2.25.0
 extensionTargets:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/ui5/ext/ui5.model.yml

@@ -118,8 +118,8 @@ extensions:
       - ["UI5CodeEditor", "Member[value]", "remote"]
       - ["UI5CodeEditor", "Member[getCurrentValue].ReturnValue", "remote"]
       - ["global", "Member[jQuery].Member[sap].Member[syncHead,syncGet,syncGetText,syncPost,syncPostText].ReturnValue", "remote"]
-      - ["UI5URIParameters", "Member[get].ReturnValue", "remote"]
-      - ["UI5URIParameters", "Member[getAll].ReturnValue", "remote"]
+      - ["UI5URIParameters", "Member[get].ReturnValue", "browser-url-query"]
+      - ["UI5URIParameters", "Member[getAll].ReturnValue", "browser-url-query"]
 
   - addsTo:
       pack: codeql/javascript-all

javascript/frameworks/ui5/lib/qlpack.yml

@@ -5,4 +5,4 @@ version: 2.25.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"

javascript/frameworks/ui5/src/qlpack.yml

@@ -5,6 +5,6 @@ version: 2.25.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-ui5-all: "2.24.3"
+  codeql/javascript-all: "^2.6.24"
+  advanced-security/javascript-sap-ui5-all: "2.25.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/ui5/test/models/source/sourceTest.expected

@@ -54,7 +54,7 @@
 | source.js:92:17:92:25 | obj.value | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.js:94:17:94:30 | obj.getValue() | Remote flow source of type: Remote flow |
 | source.js:94:17:94:30 | obj.getValue() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:96:17:96:51 | jQuery. ... ).get() | Remote flow source of type: Remote flow |
+| source.js:96:17:96:51 | jQuery. ... ).get() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:96:17:96:51 | jQuery. ... ).get() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.js:98:17:98:37 | jQuery. ... cHead() | Remote flow source of type: Remote flow |
 | source.js:98:17:98:37 | jQuery. ... cHead() | Remote flow source of type: Source node (remote) [from data-extension] |
@@ -66,15 +66,15 @@
 | source.js:104:17:104:37 | jQuery. ... cPost() | Remote flow source of type: Source node (remote) [from data-extension] |
 | source.js:106:17:106:41 | jQuery. ... tText() | Remote flow source of type: Remote flow |
 | source.js:106:17:106:41 | jQuery. ... tText() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:108:17:108:52 | UriPara ... ).get() | Remote flow source of type: Remote flow |
+| source.js:108:17:108:52 | UriPara ... ).get() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:108:17:108:52 | UriPara ... ).get() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:109:17:109:55 | UriPara ... etAll() | Remote flow source of type: Remote flow |
+| source.js:109:17:109:55 | UriPara ... etAll() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:109:17:109:55 | UriPara ... etAll() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:112:17:112:25 | obj.get() | Remote flow source of type: Remote flow |
+| source.js:112:17:112:25 | obj.get() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:112:17:112:25 | obj.get() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:113:17:113:28 | obj.getAll() | Remote flow source of type: Remote flow |
+| source.js:113:17:113:28 | obj.getAll() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:113:17:113:28 | obj.getAll() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:115:17:115:28 | obj.getAll() | Remote flow source of type: Remote flow |
+| source.js:115:17:115:28 | obj.getAll() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:115:17:115:28 | obj.getAll() | Remote flow source of type: Source node (remote) [from data-extension] |
-| source.js:117:17:117:25 | obj.get() | Remote flow source of type: Remote flow |
+| source.js:117:17:117:25 | obj.get() | Remote flow source of type: Source node (browser-url-query) [from data-extension] |
 | source.js:117:17:117:25 | obj.get() | Remote flow source of type: Source node (remote) [from data-extension] |

javascript/frameworks/ui5/test/qlpack.yml

@@ -2,11 +2,11 @@ name: advanced-security/javascript-sap-ui5-queries-tests
 version: 2.25.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"
   # We use this dependency to run the standard Log Injection query to ensure that
   # no overlap occurs with the SAP UI5 queries. We therefore allow any version
   # greater than or equal to 1.2.0, as major breaking changes are not a concern.
   codeql/javascript-queries: ">1.2.0"
-  advanced-security/javascript-sap-ui5-queries: "2.24.3"
-  advanced-security/javascript-sap-ui5-models: "2.24.3"
-  advanced-security/javascript-sap-ui5-all: "2.24.3"
+  advanced-security/javascript-sap-ui5-queries: "2.25.0"
+  advanced-security/javascript-sap-ui5-models: "2.25.0"
+  advanced-security/javascript-sap-ui5-all: "2.25.0"

javascript/frameworks/ui5/test/queries/RequestForgery/ClientSideRequestForgery.expected

@@ -0,0 +1,8 @@
+edges
+| test.js:1:11:1:50 | jQuery. ... ("url") | test.js:2:34:2:36 | url | provenance |  |
+nodes
+| test.js:1:11:1:50 | jQuery. ... ("url") | semmle.label | jQuery. ... ("url") |
+| test.js:2:34:2:36 | url | semmle.label | url |
+subpaths
+#select
+| test.js:2:1:2:20 | new XMLHttpRequest() | test.js:1:11:1:50 | jQuery. ... ("url") | test.js:2:34:2:36 | url | The $@ of this request depends on a $@. | test.js:2:34:2:36 | url | URL | test.js:1:11:1:50 | jQuery. ... ("url") | user-provided value |

javascript/frameworks/ui5/test/queries/RequestForgery/ClientSideRequestForgery.qlref

@@ -0,0 +1 @@
+Security/CWE-918/ClientSideRequestForgery.ql

javascript/frameworks/ui5/test/queries/RequestForgery/RequestForgery.expected

@@ -0,0 +1,4 @@
+edges
+nodes
+subpaths
+#select

javascript/frameworks/ui5/test/queries/RequestForgery/RequestForgery.qlref

@@ -0,0 +1 @@
+Security/CWE-918/RequestForgery.ql

javascript/frameworks/ui5/test/queries/RequestForgery/test.js

@@ -0,0 +1,2 @@
+var url = jQuery.sap.getUriParameters().get("url");
+new XMLHttpRequest().open("GET", url, false);

javascript/frameworks/xsjs/ext/qlpack.yml

@@ -3,6 +3,6 @@ library: true
 name: advanced-security/javascript-sap-xsjs-models
 version: 2.25.0
 extensionTargets:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"
 dataExtensions:
   - "*.model.yml"

javascript/frameworks/xsjs/lib/qlpack.yml

@@ -5,4 +5,4 @@ version: 2.25.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"

javascript/frameworks/xsjs/src/qlpack.yml

@@ -5,6 +5,6 @@ version: 2.25.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-xsjs-all: "2.24.3"
+  codeql/javascript-all: "^2.6.24"
+  advanced-security/javascript-sap-xsjs-all: "2.25.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls

javascript/frameworks/xsjs/test/qlpack.yml

@@ -3,7 +3,7 @@ name: advanced-security/javascript-sap-xsjs-tests
 version: 2.25.0
 extractor: javascript
 dependencies:
-  codeql/javascript-all: "^2.6.22"
-  advanced-security/javascript-sap-xsjs-queries: "2.24.3"
-  advanced-security/javascript-sap-xsjs-all: "2.24.3"
-  advanced-security/javascript-sap-xsjs-models: "2.24.3"
+  codeql/javascript-all: "^2.6.24"
+  advanced-security/javascript-sap-xsjs-queries: "2.25.0"
+  advanced-security/javascript-sap-xsjs-all: "2.25.0"
+  advanced-security/javascript-sap-xsjs-models: "2.25.0"

javascript/heuristic-models/ext/qlpack.yml

@@ -4,6 +4,6 @@ warnOnImplicitThis: false
 name: advanced-security/javascript-heuristic-models
 version: 2.25.0
 extensionTargets:
-  codeql/javascript-all: "^2.6.22"
+  codeql/javascript-all: "^2.6.24"
 dataExtensions:
   - "*.model.yml"

javascript/heuristic-models/tests/qlpack.yml

@@ -4,5 +4,5 @@ name: advanced-security/javascript-heuristic-models-tests
 version: 2.25.0
 extractor: javascript
 dependencies:
-  "codeql/javascript-all": "^2.6.22"
-  "advanced-security/javascript-heuristic-models": "2.24.3"
+  "codeql/javascript-all": "^2.6.24"
+  "advanced-security/javascript-heuristic-models": "2.25.0"