advanced-security · jeongsoolee09 · Apr 3, 2025 · Mar 28, 2025 · Mar 28, 2025 · Apr 3, 2025
diff --git a/...t/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll b/...t/frameworks/cap/lib/advanced_security/javascript/frameworks/cap/CAPLogInjectionQuery.qll
@@ -45,7 +45,8 @@ class CdsLogSink extends DataFlow::Node {
 
 class CAPLogInjectionConfiguration extends LogInjectionConfiguration {
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    super.isSource(start)
+    or
     start instanceof RemoteFlowSource
   }
 

diff --git a/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll b/javascript/frameworks/ui5/lib/advanced_security/javascript/frameworks/ui5/UI5XssQuery.qll
@@ -2,7 +2,6 @@ import javascript
 import advanced_security.javascript.frameworks.ui5.dataflow.DataFlow as UI5DataFlow
 import advanced_security.javascript.frameworks.ui5.UI5View
 import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
-import semmle.javascript.security.dataflow.ClientSideUrlRedirectCustomizations::ClientSideUrlRedirect as UrlRedirect
 
 class Configuration extends DomBasedXss::Configuration {
   override predicate isSource(DataFlow::Node start) {
@@ -56,21 +55,20 @@ class Configuration extends DomBasedXss::Configuration {
 
   override predicate isSink(DataFlow::Node node) {
     node instanceof UI5ExtHtmlISink or
-    node instanceof UrlRedirect::LocationSink or
     node instanceof UI5ModelHtmlISink
   }
 }
 
 /**
  * An HTML injection sink associated with a `UI5BoundNode`, typically for library controls acting as sinks.
  */
-class UI5ModelHtmlISink extends DomBasedXss::Sink {
+class UI5ModelHtmlISink extends DataFlow::Node {
   UI5ModelHtmlISink() { exists(UI5View view | view.getAnHtmlISink().getNode() = this) }
 }
 
 /**
  * An HTML injection sink typically for custom controls whose RenderManager calls acting as sinks.
  */
-private class UI5ExtHtmlISink extends DomBasedXss::Sink {
+private class UI5ExtHtmlISink extends DataFlow::Node {
   UI5ExtHtmlISink() { this = ModelOutput::getASinkNode("ui5-html-injection").asSink() }
 }
diff --git a/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll b/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSReflectedXssQuery.qll
@@ -1,6 +1,6 @@
 import javascript
 import advanced_security.javascript.frameworks.xsjs.AsyncXSJS
-import semmle.javascript.security.dataflow.DomBasedXssQuery as DomBasedXss
+import semmle.javascript.security.dataflow.ReflectedXssQuery as ReflectedXssQuery
 
 class XSJSResponseSetBodyCall extends MethodCallNode {
   XSJSResponse response;
@@ -13,17 +13,13 @@ class XSJSResponseSetBodyCall extends MethodCallNode {
   XSJSResponse getParentXSJSResponse() { result = response }
 }
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "XSJS Reflected XSS Query" }
-
+class Configuration extends ReflectedXssQuery::Configuration {
   override predicate isSource(DataFlow::Node start) {
     super.isSource(start) or
     start instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node end) {
-    super.isSink(end)
-    or
     exists(XSJSResponseSetBodyCall setBody, XSJSResponse thisOrAnotherXSJSResponse |
       thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse() or
       thisOrAnotherXSJSResponse = setBody.getParentXSJSResponse().getAPredOrSuccResponse()

diff --git a/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll b/...rameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSSqlInjectionQuery.qll
@@ -12,16 +12,14 @@ class XSJSDBConnectionPrepareStatementArgument extends DataFlow::ValueNode {
   predicate isConcatenated() { this.getAPredecessor+() instanceof StringOps::ConcatenationNode }
 }
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "XSJS SQL Injection Query" }
-
+class Configuration extends SqlInjection::Configuration {
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    super.isSource(start)
+    or
     start instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node end) {
-    super.isSink(end) or
     end.(XSJSDBConnectionPrepareStatementArgument).isConcatenated()
   }
 }
diff --git a/...frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll b/...frameworks/xsjs/lib/advanced_security/javascript/frameworks/xsjs/XSJSUrlRedirectQuery.qll
@@ -2,17 +2,14 @@ import javascript
 import advanced_security.javascript.frameworks.xsjs.AsyncXSJS
 import semmle.javascript.security.dataflow.ServerSideUrlRedirectQuery as UrlRedirect
 
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "XSJS URL Redirect Query" }
-
+class Configuration extends UrlRedirect::Configuration {
   override predicate isSource(DataFlow::Node start) {
-    super.isSource(start) or
+    super.isSource(start)
+    or
     start instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node end) {
-    super.isSink(end)
-    or
     exists(XSJSRequestOrResponseHeaders headers |
       end = headers.getHeaderSetCall("location").getArgument(1)
     )

diff --git a/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected b/javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.expected
@@ -3,49 +3,16 @@ WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSR
 WARNING: type 'PathNode' has been deprecated and may be removed in future (XSJSReflectedXss.ql:17,55-73)
 nodes
 | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
-| XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
-| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") |
-| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") |
 | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") |
 | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") |
 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
-| XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
-| XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
-| XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 |
 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 |
-| XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 |
-| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") |
-| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") |
-| XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) |
-| XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) |
-| XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 |
-| XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 |
-| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") |
-| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") |
-| XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) |
-| XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) |
-| XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 |
 edges
 | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 |
-| XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 |
-| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
-| XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
 | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
 | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:11:7:11:67 | someParameterValue1 |
 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
 | XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
-| XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
-| XSJSReflectedXss.xsjs:13:46:13:64 | someParameterValue1 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) |
-| XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 | XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 |
-| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") | XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 |
-| XSJSReflectedXss.xsjs:21:29:21:67 | request ... eter2") | XSJSReflectedXss.xsjs:21:7:21:67 | someParameterValue2 |
-| XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 | XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) |
-| XSJSReflectedXss.xsjs:23:46:23:64 | someParameterValue2 | XSJSReflectedXss.xsjs:23:22:23:65 | request ... Value2) |
-| XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 | XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 |
-| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") | XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 |
-| XSJSReflectedXss.xsjs:31:29:31:67 | request ... eter3") | XSJSReflectedXss.xsjs:31:7:31:67 | someParameterValue3 |
-| XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) |
-| XSJSReflectedXss.xsjs:32:46:32:64 | someParameterValue3 | XSJSReflectedXss.xsjs:32:22:32:65 | request ... Value3) |
 #select
 | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | XSJSReflectedXss.xsjs:13:22:13:65 | request ... Value1) | Reflected XSS vulnerability due to $@. | XSJSReflectedXss.xsjs:11:29:11:67 | request ... eter1") | user-provided value |