Polish documentation

python/ql/src/experimental/Security/CWE-611/XXE.py

@@ -0,0 +1,13 @@
+from flask import request, Flask
+import lxml.etree
+import xml.etree.ElementTree
+
+
+@app.route("/example")
+def example():
+    xml_content = request.args['xml_content']
+
+    parser = lxml.etree.XMLParser()
+    parsed_xml = xml.etree.ElementTree.fromstring(xml_content, parser=parser)
+
+    return parsed_xml.text

python/ql/src/experimental/Security/CWE-611/XXE.ql

@@ -6,6 +6,8 @@
  * @id py/xxe
  * @tags security
  *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
  */
 
 // determine precision above

python/ql/src/experimental/Security/CWE-611/XXE.qlref

@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack.
+This type of attack uses external entity references to access arbitrary files on a system, carry out denial of
+service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band
+data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out
+in this situation.
+</p>
+<p>
+There are many XML parsers for Python, and most of them are vulnerable to XXE because their default settings enable
+parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers: 
+<code>xml.etree.ElementTree.XMLParser</code>, <code>lxml.etree.XMLParser</code>, <code>lxml.etree.get_default_parser</code>,
+<code>xml.sax.make_parser</code>.
+</p>
+</overview>
+
+<recommendation>
+<p>
+The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data.
+If this is not possible you should disable the parsing of external general entities and external parameter entities.
+This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example calls <code>xml.etree.ElementTree.fromstring</code> using a parser (<code>lxml.etree.XMLParser</code>)
+that is not safely configured on untrusted data, and is therefore inherently unsafe.
+</p>
+<sample src="XXE.py"/>
+</example>
+
+<references>
+<li>Python <a href="https://www.edureka.co/blog/python-xml-parser-tutorial/">XML Parsing</a>.</li>
+<li>OWASP vulnerability description: <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.</li>
+<li>OWASP guidance on parsing xml files: <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">XXE Prevention Cheat Sheet</a>.</li>
+<li>Paper by Timothy Morgen: <a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a></li>
+<li>Out-of-band data retrieval: Timur Yunusov &amp; Alexey Osipov, Black hat EU 2013: <a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.</li>
+<li>Denial of service attack (Billion laughs): <a href="https://en.wikipedia.org/wiki/Billion_laughs">Billion Laughs.</a></li>
+</references>
+
+</qhelp>