hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Apply .getALocalSource() and fix xmltodict's vulnerable predicate

Browse Source
This commit is contained in:
jorgectf
2022-02-08 17:51:09 +01:00
parent 7c4a6a12b0
commit 01ad25f3f0
1 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
python/ql/src/experimental/semmle/python/frameworks/Xml.qll
View File

@@ -163,12 +163,16 @@ private module Xml {
override DataFlow::Node getAnInput() { none() } override DataFlow::Node getAnInput() { none() }
override predicate vulnerable(string kind) { override predicate vulnerable(string kind) {
kind = "XXE" and not this.getArgByName("resolve_entities").asExpr() = any(False f) kind = "XXE" and
not (
exists(this.getArgByName("resolve_entities")) or
this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)
)
or or
kind = ["Billion Laughs", "Quadratic Blowup"] and kind = ["Billion Laughs", "Quadratic Blowup"] and
( (
this.getArgByName("huge_tree").asExpr() = any(True t) and this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t) and
not this.getArgByName("resolve_entities").asExpr() = any(False f) not this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)
) )
} }
} }
@@ -231,7 +235,7 @@ private module Xml {
override predicate vulnerable(string kind) { override predicate vulnerable(string kind) {
kind = ["Billion Laughs", "Quadratic Blowup"] and kind = ["Billion Laughs", "Quadratic Blowup"] and
this.getAMethodCall("disable_entities").asExpr() = any(False f) this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)
} }
} }