hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

JS: Port XmlBomb

Browse Source
This commit is contained in:
Asger F
2023-10-05 09:26:25 +02:00
parent 83095535f9
commit 03f8c0fc5e
3 changed files with 38 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
javascript/ql/lib/semmle/javascript/security/dataflow/XmlBombQuery.qll
View File

@@ -13,7 +13,23 @@ import XmlBombCustomizations::XmlBomb
/**
* A taint-tracking configuration for reasoning about XML-bomb vulnerabilities.
*/
class Configuration extends TaintTracking::Configuration {
module XmlBombConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
/**
* Taint-tracking for reasoning about XML-bomb vulnerabilities.
*/
module XmlBombFlow = TaintTracking::Global<XmlBombConfig>;
/**
* DEPRECATED. Use the `XmlBombFlow` module instead.
*/
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "XmlBomb" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }

6
javascript/ql/src/Security/CWE-776/XmlBomb.ql
View File

@@ -14,10 +14,10 @@
import javascript
import semmle.javascript.security.dataflow.XmlBombQuery
import DataFlow::PathGraph
import XmlBombFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
from XmlBombFlow::PathNode source, XmlBombFlow::PathNode sink
where XmlBombFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
"XML parsing depends on a $@ without guarding against uncontrolled entity expansion.",
source.getNode(), "user-provided value"

66
javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected
View File

@@ -1,60 +1,30 @@
nodes
| closure.js:2:7:2:36 | src |
| closure.js:2:13:2:36 | documen ... .search |
| closure.js:2:13:2:36 | documen ... .search |
| closure.js:4:24:4:26 | src |
| closure.js:4:24:4:26 | src |
| domparser.js:2:7:2:36 | src |
| domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:2:13:2:36 | documen ... .search |
| domparser.js:6:37:6:39 | src |
| domparser.js:6:37:6:39 | src |
| domparser.js:11:55:11:57 | src |
| domparser.js:11:55:11:57 | src |
| domparser.js:14:57:14:59 | src |
| domparser.js:14:57:14:59 | src |
| expat.js:6:16:6:36 | req.par ... e-xml") |
| expat.js:6:16:6:36 | req.par ... e-xml") |
| expat.js:6:16:6:36 | req.par ... e-xml") |
| jquery.js:2:7:2:36 | src |
| jquery.js:2:13:2:36 | documen ... .search |
| jquery.js:2:13:2:36 | documen ... .search |
| jquery.js:5:14:5:16 | src |
| jquery.js:5:14:5:16 | src |
| libxml.js:6:21:6:41 | req.par ... e-xml") |
| libxml.js:6:21:6:41 | req.par ... e-xml") |
| libxml.js:6:21:6:41 | req.par ... e-xml") |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
edges
| closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src |
| closure.js:2:7:2:36 | src | closure.js:4:24:4:26 | src |
| closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src |
| closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src |
| domparser.js:2:7:2:36 | src | domparser.js:6:37:6:39 | src |
| domparser.js:2:7:2:36 | src | domparser.js:6:37:6:39 | src |
| domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src |
| domparser.js:2:7:2:36 | src | domparser.js:11:55:11:57 | src |
| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src |
| domparser.js:2:7:2:36 | src | domparser.js:14:57:14:59 | src |
| domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
| domparser.js:2:13:2:36 | documen ... .search | domparser.js:2:7:2:36 | src |
| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") |
| jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src |
| jquery.js:2:7:2:36 | src | jquery.js:5:14:5:16 | src |
| jquery.js:2:13:2:36 | documen ... .search | jquery.js:2:7:2:36 | src |
| jquery.js:2:13:2:36 | documen ... .search | jquery.js:2:7:2:36 | src |
| libxml.js:6:21:6:41 | req.par ... e-xml") | libxml.js:6:21:6:41 | req.par ... e-xml") |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
nodes
| closure.js:2:7:2:36 | src | semmle.label | src |
| closure.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
| closure.js:4:24:4:26 | src | semmle.label | src |
| domparser.js:2:7:2:36 | src | semmle.label | src |
| domparser.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
| domparser.js:6:37:6:39 | src | semmle.label | src |
| domparser.js:11:55:11:57 | src | semmle.label | src |
| domparser.js:14:57:14:59 | src | semmle.label | src |
| expat.js:6:16:6:36 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
| jquery.js:2:7:2:36 | src | semmle.label | src |
| jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
| jquery.js:5:14:5:16 | src | semmle.label | src |
| libxml.js:6:21:6:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
| libxml.noent.js:6:21:6:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
subpaths
#select
| closure.js:4:24:4:26 | src | closure.js:2:13:2:36 | documen ... .search | closure.js:4:24:4:26 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | closure.js:2:13:2:36 | documen ... .search | user-provided value |
| domparser.js:6:37:6:39 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:6:37:6:39 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |