Swift: Rewrite XXEQuery to use DataFlow::ConfigSig

2025-12-24 04:36:35 +01:00 · 2023-04-03 16:21:07 +02:00
parent 9220bea3ec
commit 0ff607c930
3 changed files with 26 additions and 6 deletions
--- a/swift/ql/lib/codeql/swift/security/XXEQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/XXEQuery.qll
@@ -12,7 +12,7 @@ import codeql.swift.security.XXEExtensions
 /**
 * A taint-tracking configuration for XML external entities (XXE) vulnerabilities.
 */
-class XxeConfiguration extends TaintTracking::Configuration {
+deprecated class XxeConfiguration extends TaintTracking::Configuration {
  XxeConfiguration() { this = "XxeConfiguration" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -25,3 +25,23 @@ class XxeConfiguration extends TaintTracking::Configuration {
    any(XxeAdditionalTaintStep s).step(n1, n2)
  }
 }
+
+/**
+ * A taint-tracking configuration for XML external entities (XXE) vulnerabilities.
+ */
+module XxeConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof XxeSink }
+
+  predicate isBarrier(DataFlow::Node sanitizer) { sanitizer instanceof XxeSanitizer }
+
+  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
+    any(XxeAdditionalTaintStep s).step(n1, n2)
+  }
+}
+
+/**
+ * Detect taint flow of XML external entities (XXE) vulnerabilities.
+ */
+module XxeFlow = TaintTracking::Global<XxeConfig>;
--- a/swift/ql/src/queries/Security/CWE-611/XXE.ql
+++ b/swift/ql/src/queries/Security/CWE-611/XXE.ql
@@ -16,10 +16,10 @@
 import swift
 import codeql.swift.dataflow.DataFlow
 import codeql.swift.security.XXEQuery
-import DataFlow::PathGraph
+import XxeFlow::PathGraph

-from DataFlow::PathNode source, DataFlow::PathNode sink
-where any(XxeConfiguration c).hasFlowPath(source, sink)
+from XxeFlow::PathNode source, XxeFlow::PathNode sink
+where XxeFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
  "XML parsing depends on a $@ without guarding against external entity expansion.",
  source.getNode(), "user-provided value"
--- a/swift/ql/test/query-tests/Security/CWE-611/XXETest.ql
+++ b/swift/ql/test/query-tests/Security/CWE-611/XXETest.ql
@@ -15,8 +15,8 @@ class XxeTest extends InlineExpectationsTest {
  override string getARelevantTag() { result = "hasXXE" }

  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(XxeConfiguration config, DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
-      config.hasFlow(source, sink) and
+    exists(DataFlow::Node source, DataFlow::Node sink, Expr sinkExpr |
+      XxeFlow::flow(source, sink) and
      sinkExpr = sink.asExpr() and
      location = sinkExpr.getLocation() and
      element = sinkExpr.toString() and