Finish modeling

python/ql/src/experimental/semmle/python/frameworks/XML.qll

@@ -76,7 +76,7 @@ private module XML {
 
   private class LXMLParsing extends DataFlow::CallCfgNode, XMLParsing::Range {
     LXMLParsing() {
-      this = lxmlEtree().getMember(["fromstring", "fromstringlist", "XML"]).getACall()
+      this = lxmlEtree().getMember(["fromstring", "fromstringlist", "XML", "parse"]).getACall()
     }
 
     override DataFlow::Node getAnInput() { result = this.getArg(0) }
@@ -87,4 +87,31 @@ private module XML {
       )
     }
   }
+
+  private API::Node xmltodict() { result = API::moduleImport("xmltodict") }
+
+  private class XMLtoDictParsing extends DataFlow::CallCfgNode, XMLParsing::Range {
+    XMLtoDictParsing() { this = xmltodict().getMember("parse").getACall() }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+
+    override predicate mayBeDangerous() {
+      DataFlow::localFlow(DataFlow::exprNode(any(False falseName)),
+        this.getArgByName("disable_entities"))
+    }
+  }
+
+  private API::Node xmlDom() { result = xml().getMember("dom").getMember(["mini", "pull"] + "dom") }
+
+  private class XMLDomParsing extends DataFlow::CallCfgNode, XMLParsing::Range {
+    XMLDomParsing() { this = xmlDom().getMember("parse").getACall() }
+
+    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+
+    override predicate mayBeDangerous() {
+      exists(XMLParser xmlParser |
+        xmlParser.mayBeDangerous() and this.getArgByName("parser").getALocalSource() = xmlParser
+      )
+    }
+  }
 }

python/ql/test/experimental/query-tests/Security/CWE-611/general.py

@@ -7,31 +7,6 @@ import xml.dom.minidom
 import xml.dom.pulldom
 import xmltodict
 
-'''
-TO-DO
-
-Extend tests
-Model xmltodict and xml.dom
-
-XML Parsers:
-  xml.etree.ElementTree.XMLParser() - no options, vuln by default
-  lxml.etree.XMLParser() - no_network=True huge_tree=False resolve_entities=True
-  lxml.etree.get_default_parser() - no options, default above options
-  xml.sax.make_parser() - parser.setFeature(xml.sax.handler.feature_external_ges, True)
-
-XML Parsing:
-  string:
-    xml.etree.ElementTree.fromstring(list)
-    xml.etree.ElementTree.XML
-    lxml.etree.fromstring(list)
-    lxml.etree.XML
-    xmltodict.parse
-
-  file StringIO(), BytesIO(b):
-    xml.etree.ElementTree.parse
-    lxml.etree.parse
-    xml.dom.(mini|pull)dom.parse(String)
-'''
 
 app = Flask(__name__)
 
@@ -46,7 +21,7 @@ def test1():
     return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
 
 
-@app.route("/XMLParser-Empty&xml.etree.ElementTree.parse")  # !
+@app.route("/XMLParser-Empty&xml.etree.ElementTree.parse")
 def test1():
     # <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
     xml_content = request.args['xml_content']
@@ -65,7 +40,7 @@ def test1():
     return lxml.etree.fromstring(xml_content, parser=parser).text  # 'jorgectf'
 
 
-@app.route("/XMLParser-Empty&xml.etree.parse")  # !
+@app.route("/XMLParser-Empty&xml.etree.parse")
 def test1():
     # <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
     xml_content = request.args['xml_content']