Merge pull request #15181 from felickz/go-xxe-libxml2

GO - Add sink for libxml2 in go/xml/xpath-injection via XPath.qll
This commit is contained in:
Owen Mansel-Chan
2023-12-24 22:04:46 +00:00
committed by GitHub
7 changed files with 264 additions and 140 deletions


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.


@@ -142,6 +142,19 @@ module XPath {
}
}
/**
* An XPath expression string used in an API function of the
* [lestrrat-go/libxml2](https://github.com/lestrrat-go/libxml2) package.
*/
private class LestratGoLibxml2XPathExpressionString extends Range {
LestratGoLibxml2XPathExpressionString() {
exists(Method m, string name | name.matches("Parse%") |
m.hasQualifiedName(package("github.com/lestrrat-go/libxml2", "parser"), "Parser", name) and
this = m.getACall().getArgument(0)
)
}
}
/**
* An XPath expression string used in an API function of the
* [xpathparser](https://github.com/santhosh-tekuri/xpathparser) package.
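Review bot: The new `LestratGoLibxml2XPathExpressionString` class marks argument 0 of every `parser.Parser` method whose name starts with `Parse` as an XPath expression, but as far as I can tell from that library's API those methods take the XML document to be parsed rather than an XPath query, and the accompanying test in `tst.go` even passes an XPath string to `p.ParseString`, which is not how the parser is normally used. If that reading is right, this model will report every libxml2 parse of user-controlled XML as `go/xml/xpath-injection` (a false positive under the wrong weakness class) while any XPath-evaluation entry points the package exposes stay unmodelled. Please confirm the method signatures against the library before merging; if they are document parsers, the sink belongs with an XML-parsing/XXE model (the test enables `parser.XMLParseNoEnt`, which is the option relevant to entity expansion) rather than in `XPath.qll`, and the class comment should state which functions are intended, e.g. `* Models the XPath-accepting methods of parser.Parser; verified against the library API.` At minimum, replace `name.matches("Parse%")` with an explicit list of the methods that were checked to accept an XPath expression, so a future `ParseXxx` method that takes a document is not silently picked up as a sink.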


@@ -1,149 +1,155 @@
edges
| XPathInjection.go:13:14:13:19 | selection of Form | XPathInjection.go:13:14:13:35 | call to Get |
| XPathInjection.go:13:14:13:35 | call to Get | XPathInjection.go:16:29:16:91 | ...+... |
| tst.go:32:14:32:19 | selection of Form | tst.go:32:14:32:35 | call to Get |
| tst.go:32:14:32:35 | call to Get | tst.go:35:23:35:85 | ...+... |
| tst.go:32:14:32:35 | call to Get | tst.go:38:24:38:86 | ...+... |
| tst.go:32:14:32:35 | call to Get | tst.go:41:24:41:82 | ...+... |
| tst.go:46:14:46:19 | selection of Form | tst.go:46:14:46:35 | call to Get |
| tst.go:46:14:46:35 | call to Get | tst.go:49:26:49:84 | ...+... |
| tst.go:46:14:46:35 | call to Get | tst.go:52:29:52:87 | ...+... |
| tst.go:46:14:46:35 | call to Get | tst.go:55:33:55:91 | ...+... |
| tst.go:46:14:46:35 | call to Get | tst.go:58:30:58:88 | ...+... |
| tst.go:63:14:63:19 | selection of Form | tst.go:63:14:63:35 | call to Get |
| tst.go:63:14:63:35 | call to Get | tst.go:66:25:66:83 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:69:28:69:86 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:72:25:72:83 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:75:34:75:92 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:78:32:78:90 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:81:29:81:87 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:84:23:84:85 | ...+... |
| tst.go:63:14:63:35 | call to Get | tst.go:87:22:87:84 | ...+... |
| tst.go:92:14:92:19 | selection of Form | tst.go:92:14:92:35 | call to Get |
| tst.go:92:14:92:35 | call to Get | tst.go:95:26:95:84 | ...+... |
| tst.go:92:14:92:35 | call to Get | tst.go:98:29:98:87 | ...+... |
| tst.go:92:14:92:35 | call to Get | tst.go:101:33:101:91 | ...+... |
| tst.go:92:14:92:35 | call to Get | tst.go:104:30:104:88 | ...+... |
| tst.go:109:14:109:19 | selection of Form | tst.go:109:14:109:35 | call to Get |
| tst.go:109:14:109:35 | call to Get | tst.go:112:25:112:87 | ...+... |
| tst.go:109:14:109:35 | call to Get | tst.go:115:26:115:88 | ...+... |
| tst.go:120:14:120:19 | selection of Form | tst.go:120:14:120:35 | call to Get |
| tst.go:120:14:120:35 | call to Get | tst.go:124:23:124:126 | ...+... |
| tst.go:120:14:120:35 | call to Get | tst.go:127:24:127:127 | ...+... |
| tst.go:120:14:120:35 | call to Get | tst.go:130:27:130:122 | ...+... |
| tst.go:121:14:121:19 | selection of Form | tst.go:121:14:121:35 | call to Get |
| tst.go:121:14:121:35 | call to Get | tst.go:124:23:124:126 | ...+... |
| tst.go:121:14:121:35 | call to Get | tst.go:127:24:127:127 | ...+... |
| tst.go:121:14:121:35 | call to Get | tst.go:130:27:130:122 | ...+... |
| tst.go:138:14:138:19 | selection of Form | tst.go:138:14:138:35 | call to Get |
| tst.go:138:14:138:35 | call to Get | tst.go:141:27:141:89 | ...+... |
| tst.go:138:14:138:35 | call to Get | tst.go:144:28:144:90 | ...+... |
| tst.go:149:14:149:19 | selection of Form | tst.go:149:14:149:35 | call to Get |
| tst.go:149:14:149:35 | call to Get | tst.go:153:33:153:136 | ...+... |
| tst.go:149:14:149:35 | call to Get | tst.go:156:18:156:121 | ...+... |
| tst.go:149:14:149:35 | call to Get | tst.go:162:31:162:126 | ...+... |
| tst.go:149:14:149:35 | call to Get | tst.go:171:21:171:116 | ...+... |
| tst.go:149:14:149:35 | call to Get | tst.go:180:27:180:122 | ...+... |
| tst.go:150:14:150:19 | selection of Form | tst.go:150:14:150:35 | call to Get |
| tst.go:150:14:150:35 | call to Get | tst.go:153:33:153:136 | ...+... |
| tst.go:150:14:150:35 | call to Get | tst.go:156:18:156:121 | ...+... |
| tst.go:150:14:150:35 | call to Get | tst.go:162:31:162:126 | ...+... |
| tst.go:150:14:150:35 | call to Get | tst.go:171:21:171:116 | ...+... |
| tst.go:150:14:150:35 | call to Get | tst.go:180:27:180:122 | ...+... |
| tst.go:34:14:34:19 | selection of Form | tst.go:34:14:34:35 | call to Get |
| tst.go:34:14:34:35 | call to Get | tst.go:37:23:37:85 | ...+... |
| tst.go:34:14:34:35 | call to Get | tst.go:40:24:40:86 | ...+... |
| tst.go:34:14:34:35 | call to Get | tst.go:43:24:43:82 | ...+... |
| tst.go:48:14:48:19 | selection of Form | tst.go:48:14:48:35 | call to Get |
| tst.go:48:14:48:35 | call to Get | tst.go:51:26:51:84 | ...+... |
| tst.go:48:14:48:35 | call to Get | tst.go:54:29:54:87 | ...+... |
| tst.go:48:14:48:35 | call to Get | tst.go:57:33:57:91 | ...+... |
| tst.go:48:14:48:35 | call to Get | tst.go:60:30:60:88 | ...+... |
| tst.go:65:14:65:19 | selection of Form | tst.go:65:14:65:35 | call to Get |
| tst.go:65:14:65:35 | call to Get | tst.go:68:25:68:83 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:71:28:71:86 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:74:25:74:83 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:77:34:77:92 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:80:32:80:90 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:83:29:83:87 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:86:23:86:85 | ...+... |
| tst.go:65:14:65:35 | call to Get | tst.go:89:22:89:84 | ...+... |
| tst.go:94:14:94:19 | selection of Form | tst.go:94:14:94:35 | call to Get |
| tst.go:94:14:94:35 | call to Get | tst.go:97:26:97:84 | ...+... |
| tst.go:94:14:94:35 | call to Get | tst.go:100:29:100:87 | ...+... |
| tst.go:94:14:94:35 | call to Get | tst.go:103:33:103:91 | ...+... |
| tst.go:94:14:94:35 | call to Get | tst.go:106:30:106:88 | ...+... |
| tst.go:111:14:111:19 | selection of Form | tst.go:111:14:111:35 | call to Get |
| tst.go:111:14:111:35 | call to Get | tst.go:114:25:114:87 | ...+... |
| tst.go:111:14:111:35 | call to Get | tst.go:117:26:117:88 | ...+... |
| tst.go:122:14:122:19 | selection of Form | tst.go:122:14:122:35 | call to Get |
| tst.go:122:14:122:35 | call to Get | tst.go:126:23:126:126 | ...+... |
| tst.go:122:14:122:35 | call to Get | tst.go:129:24:129:127 | ...+... |
| tst.go:122:14:122:35 | call to Get | tst.go:132:27:132:122 | ...+... |
| tst.go:123:14:123:19 | selection of Form | tst.go:123:14:123:35 | call to Get |
| tst.go:123:14:123:35 | call to Get | tst.go:126:23:126:126 | ...+... |
| tst.go:123:14:123:35 | call to Get | tst.go:129:24:129:127 | ...+... |
| tst.go:123:14:123:35 | call to Get | tst.go:132:27:132:122 | ...+... |
| tst.go:140:14:140:19 | selection of Form | tst.go:140:14:140:35 | call to Get |
| tst.go:140:14:140:35 | call to Get | tst.go:143:27:143:89 | ...+... |
| tst.go:140:14:140:35 | call to Get | tst.go:146:28:146:90 | ...+... |
| tst.go:151:14:151:19 | selection of Form | tst.go:151:14:151:35 | call to Get |
| tst.go:151:14:151:35 | call to Get | tst.go:155:33:155:136 | ...+... |
| tst.go:151:14:151:35 | call to Get | tst.go:158:18:158:121 | ...+... |
| tst.go:151:14:151:35 | call to Get | tst.go:164:31:164:126 | ...+... |
| tst.go:151:14:151:35 | call to Get | tst.go:173:21:173:116 | ...+... |
| tst.go:151:14:151:35 | call to Get | tst.go:182:27:182:122 | ...+... |
| tst.go:152:14:152:19 | selection of Form | tst.go:152:14:152:35 | call to Get |
| tst.go:152:14:152:35 | call to Get | tst.go:155:33:155:136 | ...+... |
| tst.go:152:14:152:35 | call to Get | tst.go:158:18:158:121 | ...+... |
| tst.go:152:14:152:35 | call to Get | tst.go:164:31:164:126 | ...+... |
| tst.go:152:14:152:35 | call to Get | tst.go:173:21:173:116 | ...+... |
| tst.go:152:14:152:35 | call to Get | tst.go:182:27:182:122 | ...+... |
| tst.go:193:14:193:19 | selection of Form | tst.go:193:14:193:35 | call to Get |
| tst.go:193:14:193:35 | call to Get | tst.go:198:23:198:85 | ...+... |
nodes
| XPathInjection.go:13:14:13:19 | selection of Form | semmle.label | selection of Form |
| XPathInjection.go:13:14:13:35 | call to Get | semmle.label | call to Get |
| XPathInjection.go:16:29:16:91 | ...+... | semmle.label | ...+... |
| tst.go:32:14:32:19 | selection of Form | semmle.label | selection of Form |
| tst.go:32:14:32:35 | call to Get | semmle.label | call to Get |
| tst.go:35:23:35:85 | ...+... | semmle.label | ...+... |
| tst.go:38:24:38:86 | ...+... | semmle.label | ...+... |
| tst.go:41:24:41:82 | ...+... | semmle.label | ...+... |
| tst.go:46:14:46:19 | selection of Form | semmle.label | selection of Form |
| tst.go:46:14:46:35 | call to Get | semmle.label | call to Get |
| tst.go:49:26:49:84 | ...+... | semmle.label | ...+... |
| tst.go:52:29:52:87 | ...+... | semmle.label | ...+... |
| tst.go:55:33:55:91 | ...+... | semmle.label | ...+... |
| tst.go:58:30:58:88 | ...+... | semmle.label | ...+... |
| tst.go:63:14:63:19 | selection of Form | semmle.label | selection of Form |
| tst.go:63:14:63:35 | call to Get | semmle.label | call to Get |
| tst.go:66:25:66:83 | ...+... | semmle.label | ...+... |
| tst.go:69:28:69:86 | ...+... | semmle.label | ...+... |
| tst.go:72:25:72:83 | ...+... | semmle.label | ...+... |
| tst.go:75:34:75:92 | ...+... | semmle.label | ...+... |
| tst.go:78:32:78:90 | ...+... | semmle.label | ...+... |
| tst.go:81:29:81:87 | ...+... | semmle.label | ...+... |
| tst.go:84:23:84:85 | ...+... | semmle.label | ...+... |
| tst.go:87:22:87:84 | ...+... | semmle.label | ...+... |
| tst.go:92:14:92:19 | selection of Form | semmle.label | selection of Form |
| tst.go:92:14:92:35 | call to Get | semmle.label | call to Get |
| tst.go:95:26:95:84 | ...+... | semmle.label | ...+... |
| tst.go:98:29:98:87 | ...+... | semmle.label | ...+... |
| tst.go:101:33:101:91 | ...+... | semmle.label | ...+... |
| tst.go:104:30:104:88 | ...+... | semmle.label | ...+... |
| tst.go:109:14:109:19 | selection of Form | semmle.label | selection of Form |
| tst.go:109:14:109:35 | call to Get | semmle.label | call to Get |
| tst.go:112:25:112:87 | ...+... | semmle.label | ...+... |
| tst.go:115:26:115:88 | ...+... | semmle.label | ...+... |
| tst.go:120:14:120:19 | selection of Form | semmle.label | selection of Form |
| tst.go:120:14:120:35 | call to Get | semmle.label | call to Get |
| tst.go:121:14:121:19 | selection of Form | semmle.label | selection of Form |
| tst.go:121:14:121:35 | call to Get | semmle.label | call to Get |
| tst.go:124:23:124:126 | ...+... | semmle.label | ...+... |
| tst.go:127:24:127:127 | ...+... | semmle.label | ...+... |
| tst.go:130:27:130:122 | ...+... | semmle.label | ...+... |
| tst.go:138:14:138:19 | selection of Form | semmle.label | selection of Form |
| tst.go:138:14:138:35 | call to Get | semmle.label | call to Get |
| tst.go:141:27:141:89 | ...+... | semmle.label | ...+... |
| tst.go:144:28:144:90 | ...+... | semmle.label | ...+... |
| tst.go:149:14:149:19 | selection of Form | semmle.label | selection of Form |
| tst.go:149:14:149:35 | call to Get | semmle.label | call to Get |
| tst.go:150:14:150:19 | selection of Form | semmle.label | selection of Form |
| tst.go:150:14:150:35 | call to Get | semmle.label | call to Get |
| tst.go:153:33:153:136 | ...+... | semmle.label | ...+... |
| tst.go:156:18:156:121 | ...+... | semmle.label | ...+... |
| tst.go:162:31:162:126 | ...+... | semmle.label | ...+... |
| tst.go:171:21:171:116 | ...+... | semmle.label | ...+... |
| tst.go:180:27:180:122 | ...+... | semmle.label | ...+... |
| tst.go:34:14:34:19 | selection of Form | semmle.label | selection of Form |
| tst.go:34:14:34:35 | call to Get | semmle.label | call to Get |
| tst.go:37:23:37:85 | ...+... | semmle.label | ...+... |
| tst.go:40:24:40:86 | ...+... | semmle.label | ...+... |
| tst.go:43:24:43:82 | ...+... | semmle.label | ...+... |
| tst.go:48:14:48:19 | selection of Form | semmle.label | selection of Form |
| tst.go:48:14:48:35 | call to Get | semmle.label | call to Get |
| tst.go:51:26:51:84 | ...+... | semmle.label | ...+... |
| tst.go:54:29:54:87 | ...+... | semmle.label | ...+... |
| tst.go:57:33:57:91 | ...+... | semmle.label | ...+... |
| tst.go:60:30:60:88 | ...+... | semmle.label | ...+... |
| tst.go:65:14:65:19 | selection of Form | semmle.label | selection of Form |
| tst.go:65:14:65:35 | call to Get | semmle.label | call to Get |
| tst.go:68:25:68:83 | ...+... | semmle.label | ...+... |
| tst.go:71:28:71:86 | ...+... | semmle.label | ...+... |
| tst.go:74:25:74:83 | ...+... | semmle.label | ...+... |
| tst.go:77:34:77:92 | ...+... | semmle.label | ...+... |
| tst.go:80:32:80:90 | ...+... | semmle.label | ...+... |
| tst.go:83:29:83:87 | ...+... | semmle.label | ...+... |
| tst.go:86:23:86:85 | ...+... | semmle.label | ...+... |
| tst.go:89:22:89:84 | ...+... | semmle.label | ...+... |
| tst.go:94:14:94:19 | selection of Form | semmle.label | selection of Form |
| tst.go:94:14:94:35 | call to Get | semmle.label | call to Get |
| tst.go:97:26:97:84 | ...+... | semmle.label | ...+... |
| tst.go:100:29:100:87 | ...+... | semmle.label | ...+... |
| tst.go:103:33:103:91 | ...+... | semmle.label | ...+... |
| tst.go:106:30:106:88 | ...+... | semmle.label | ...+... |
| tst.go:111:14:111:19 | selection of Form | semmle.label | selection of Form |
| tst.go:111:14:111:35 | call to Get | semmle.label | call to Get |
| tst.go:114:25:114:87 | ...+... | semmle.label | ...+... |
| tst.go:117:26:117:88 | ...+... | semmle.label | ...+... |
| tst.go:122:14:122:19 | selection of Form | semmle.label | selection of Form |
| tst.go:122:14:122:35 | call to Get | semmle.label | call to Get |
| tst.go:123:14:123:19 | selection of Form | semmle.label | selection of Form |
| tst.go:123:14:123:35 | call to Get | semmle.label | call to Get |
| tst.go:126:23:126:126 | ...+... | semmle.label | ...+... |
| tst.go:129:24:129:127 | ...+... | semmle.label | ...+... |
| tst.go:132:27:132:122 | ...+... | semmle.label | ...+... |
| tst.go:140:14:140:19 | selection of Form | semmle.label | selection of Form |
| tst.go:140:14:140:35 | call to Get | semmle.label | call to Get |
| tst.go:143:27:143:89 | ...+... | semmle.label | ...+... |
| tst.go:146:28:146:90 | ...+... | semmle.label | ...+... |
| tst.go:151:14:151:19 | selection of Form | semmle.label | selection of Form |
| tst.go:151:14:151:35 | call to Get | semmle.label | call to Get |
| tst.go:152:14:152:19 | selection of Form | semmle.label | selection of Form |
| tst.go:152:14:152:35 | call to Get | semmle.label | call to Get |
| tst.go:155:33:155:136 | ...+... | semmle.label | ...+... |
| tst.go:158:18:158:121 | ...+... | semmle.label | ...+... |
| tst.go:164:31:164:126 | ...+... | semmle.label | ...+... |
| tst.go:173:21:173:116 | ...+... | semmle.label | ...+... |
| tst.go:182:27:182:122 | ...+... | semmle.label | ...+... |
| tst.go:193:14:193:19 | selection of Form | semmle.label | selection of Form |
| tst.go:193:14:193:35 | call to Get | semmle.label | call to Get |
| tst.go:198:23:198:85 | ...+... | semmle.label | ...+... |
subpaths
#select
| XPathInjection.go:16:29:16:91 | ...+... | XPathInjection.go:13:14:13:19 | selection of Form | XPathInjection.go:16:29:16:91 | ...+... | XPath expression depends on a $@. | XPathInjection.go:13:14:13:19 | selection of Form | user-provided value |
| tst.go:35:23:35:85 | ...+... | tst.go:32:14:32:19 | selection of Form | tst.go:35:23:35:85 | ...+... | XPath expression depends on a $@. | tst.go:32:14:32:19 | selection of Form | user-provided value |
| tst.go:38:24:38:86 | ...+... | tst.go:32:14:32:19 | selection of Form | tst.go:38:24:38:86 | ...+... | XPath expression depends on a $@. | tst.go:32:14:32:19 | selection of Form | user-provided value |
| tst.go:41:24:41:82 | ...+... | tst.go:32:14:32:19 | selection of Form | tst.go:41:24:41:82 | ...+... | XPath expression depends on a $@. | tst.go:32:14:32:19 | selection of Form | user-provided value |
| tst.go:49:26:49:84 | ...+... | tst.go:46:14:46:19 | selection of Form | tst.go:49:26:49:84 | ...+... | XPath expression depends on a $@. | tst.go:46:14:46:19 | selection of Form | user-provided value |
| tst.go:52:29:52:87 | ...+... | tst.go:46:14:46:19 | selection of Form | tst.go:52:29:52:87 | ...+... | XPath expression depends on a $@. | tst.go:46:14:46:19 | selection of Form | user-provided value |
| tst.go:55:33:55:91 | ...+... | tst.go:46:14:46:19 | selection of Form | tst.go:55:33:55:91 | ...+... | XPath expression depends on a $@. | tst.go:46:14:46:19 | selection of Form | user-provided value |
| tst.go:58:30:58:88 | ...+... | tst.go:46:14:46:19 | selection of Form | tst.go:58:30:58:88 | ...+... | XPath expression depends on a $@. | tst.go:46:14:46:19 | selection of Form | user-provided value |
| tst.go:66:25:66:83 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:66:25:66:83 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:69:28:69:86 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:69:28:69:86 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:72:25:72:83 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:72:25:72:83 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:75:34:75:92 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:75:34:75:92 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:78:32:78:90 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:78:32:78:90 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:81:29:81:87 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:81:29:81:87 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:84:23:84:85 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:84:23:84:85 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:87:22:87:84 | ...+... | tst.go:63:14:63:19 | selection of Form | tst.go:87:22:87:84 | ...+... | XPath expression depends on a $@. | tst.go:63:14:63:19 | selection of Form | user-provided value |
| tst.go:95:26:95:84 | ...+... | tst.go:92:14:92:19 | selection of Form | tst.go:95:26:95:84 | ...+... | XPath expression depends on a $@. | tst.go:92:14:92:19 | selection of Form | user-provided value |
| tst.go:98:29:98:87 | ...+... | tst.go:92:14:92:19 | selection of Form | tst.go:98:29:98:87 | ...+... | XPath expression depends on a $@. | tst.go:92:14:92:19 | selection of Form | user-provided value |
| tst.go:101:33:101:91 | ...+... | tst.go:92:14:92:19 | selection of Form | tst.go:101:33:101:91 | ...+... | XPath expression depends on a $@. | tst.go:92:14:92:19 | selection of Form | user-provided value |
| tst.go:104:30:104:88 | ...+... | tst.go:92:14:92:19 | selection of Form | tst.go:104:30:104:88 | ...+... | XPath expression depends on a $@. | tst.go:92:14:92:19 | selection of Form | user-provided value |
| tst.go:112:25:112:87 | ...+... | tst.go:109:14:109:19 | selection of Form | tst.go:112:25:112:87 | ...+... | XPath expression depends on a $@. | tst.go:109:14:109:19 | selection of Form | user-provided value |
| tst.go:115:26:115:88 | ...+... | tst.go:109:14:109:19 | selection of Form | tst.go:115:26:115:88 | ...+... | XPath expression depends on a $@. | tst.go:109:14:109:19 | selection of Form | user-provided value |
| tst.go:124:23:124:126 | ...+... | tst.go:120:14:120:19 | selection of Form | tst.go:124:23:124:126 | ...+... | XPath expression depends on a $@. | tst.go:120:14:120:19 | selection of Form | user-provided value |
| tst.go:124:23:124:126 | ...+... | tst.go:121:14:121:19 | selection of Form | tst.go:124:23:124:126 | ...+... | XPath expression depends on a $@. | tst.go:121:14:121:19 | selection of Form | user-provided value |
| tst.go:127:24:127:127 | ...+... | tst.go:120:14:120:19 | selection of Form | tst.go:127:24:127:127 | ...+... | XPath expression depends on a $@. | tst.go:120:14:120:19 | selection of Form | user-provided value |
| tst.go:127:24:127:127 | ...+... | tst.go:121:14:121:19 | selection of Form | tst.go:127:24:127:127 | ...+... | XPath expression depends on a $@. | tst.go:121:14:121:19 | selection of Form | user-provided value |
| tst.go:130:27:130:122 | ...+... | tst.go:120:14:120:19 | selection of Form | tst.go:130:27:130:122 | ...+... | XPath expression depends on a $@. | tst.go:120:14:120:19 | selection of Form | user-provided value |
| tst.go:130:27:130:122 | ...+... | tst.go:121:14:121:19 | selection of Form | tst.go:130:27:130:122 | ...+... | XPath expression depends on a $@. | tst.go:121:14:121:19 | selection of Form | user-provided value |
| tst.go:141:27:141:89 | ...+... | tst.go:138:14:138:19 | selection of Form | tst.go:141:27:141:89 | ...+... | XPath expression depends on a $@. | tst.go:138:14:138:19 | selection of Form | user-provided value |
| tst.go:144:28:144:90 | ...+... | tst.go:138:14:138:19 | selection of Form | tst.go:144:28:144:90 | ...+... | XPath expression depends on a $@. | tst.go:138:14:138:19 | selection of Form | user-provided value |
| tst.go:153:33:153:136 | ...+... | tst.go:149:14:149:19 | selection of Form | tst.go:153:33:153:136 | ...+... | XPath expression depends on a $@. | tst.go:149:14:149:19 | selection of Form | user-provided value |
| tst.go:153:33:153:136 | ...+... | tst.go:150:14:150:19 | selection of Form | tst.go:153:33:153:136 | ...+... | XPath expression depends on a $@. | tst.go:150:14:150:19 | selection of Form | user-provided value |
| tst.go:156:18:156:121 | ...+... | tst.go:149:14:149:19 | selection of Form | tst.go:156:18:156:121 | ...+... | XPath expression depends on a $@. | tst.go:149:14:149:19 | selection of Form | user-provided value |
| tst.go:156:18:156:121 | ...+... | tst.go:150:14:150:19 | selection of Form | tst.go:156:18:156:121 | ...+... | XPath expression depends on a $@. | tst.go:150:14:150:19 | selection of Form | user-provided value |
| tst.go:162:31:162:126 | ...+... | tst.go:149:14:149:19 | selection of Form | tst.go:162:31:162:126 | ...+... | XPath expression depends on a $@. | tst.go:149:14:149:19 | selection of Form | user-provided value |
| tst.go:162:31:162:126 | ...+... | tst.go:150:14:150:19 | selection of Form | tst.go:162:31:162:126 | ...+... | XPath expression depends on a $@. | tst.go:150:14:150:19 | selection of Form | user-provided value |
| tst.go:171:21:171:116 | ...+... | tst.go:149:14:149:19 | selection of Form | tst.go:171:21:171:116 | ...+... | XPath expression depends on a $@. | tst.go:149:14:149:19 | selection of Form | user-provided value |
| tst.go:171:21:171:116 | ...+... | tst.go:150:14:150:19 | selection of Form | tst.go:171:21:171:116 | ...+... | XPath expression depends on a $@. | tst.go:150:14:150:19 | selection of Form | user-provided value |
| tst.go:180:27:180:122 | ...+... | tst.go:149:14:149:19 | selection of Form | tst.go:180:27:180:122 | ...+... | XPath expression depends on a $@. | tst.go:149:14:149:19 | selection of Form | user-provided value |
| tst.go:180:27:180:122 | ...+... | tst.go:150:14:150:19 | selection of Form | tst.go:180:27:180:122 | ...+... | XPath expression depends on a $@. | tst.go:150:14:150:19 | selection of Form | user-provided value |
| tst.go:37:23:37:85 | ...+... | tst.go:34:14:34:19 | selection of Form | tst.go:37:23:37:85 | ...+... | XPath expression depends on a $@. | tst.go:34:14:34:19 | selection of Form | user-provided value |
| tst.go:40:24:40:86 | ...+... | tst.go:34:14:34:19 | selection of Form | tst.go:40:24:40:86 | ...+... | XPath expression depends on a $@. | tst.go:34:14:34:19 | selection of Form | user-provided value |
| tst.go:43:24:43:82 | ...+... | tst.go:34:14:34:19 | selection of Form | tst.go:43:24:43:82 | ...+... | XPath expression depends on a $@. | tst.go:34:14:34:19 | selection of Form | user-provided value |
| tst.go:51:26:51:84 | ...+... | tst.go:48:14:48:19 | selection of Form | tst.go:51:26:51:84 | ...+... | XPath expression depends on a $@. | tst.go:48:14:48:19 | selection of Form | user-provided value |
| tst.go:54:29:54:87 | ...+... | tst.go:48:14:48:19 | selection of Form | tst.go:54:29:54:87 | ...+... | XPath expression depends on a $@. | tst.go:48:14:48:19 | selection of Form | user-provided value |
| tst.go:57:33:57:91 | ...+... | tst.go:48:14:48:19 | selection of Form | tst.go:57:33:57:91 | ...+... | XPath expression depends on a $@. | tst.go:48:14:48:19 | selection of Form | user-provided value |
| tst.go:60:30:60:88 | ...+... | tst.go:48:14:48:19 | selection of Form | tst.go:60:30:60:88 | ...+... | XPath expression depends on a $@. | tst.go:48:14:48:19 | selection of Form | user-provided value |
| tst.go:68:25:68:83 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:68:25:68:83 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:71:28:71:86 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:71:28:71:86 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:74:25:74:83 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:74:25:74:83 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:77:34:77:92 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:77:34:77:92 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:80:32:80:90 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:80:32:80:90 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:83:29:83:87 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:83:29:83:87 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:86:23:86:85 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:86:23:86:85 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:89:22:89:84 | ...+... | tst.go:65:14:65:19 | selection of Form | tst.go:89:22:89:84 | ...+... | XPath expression depends on a $@. | tst.go:65:14:65:19 | selection of Form | user-provided value |
| tst.go:97:26:97:84 | ...+... | tst.go:94:14:94:19 | selection of Form | tst.go:97:26:97:84 | ...+... | XPath expression depends on a $@. | tst.go:94:14:94:19 | selection of Form | user-provided value |
| tst.go:100:29:100:87 | ...+... | tst.go:94:14:94:19 | selection of Form | tst.go:100:29:100:87 | ...+... | XPath expression depends on a $@. | tst.go:94:14:94:19 | selection of Form | user-provided value |
| tst.go:103:33:103:91 | ...+... | tst.go:94:14:94:19 | selection of Form | tst.go:103:33:103:91 | ...+... | XPath expression depends on a $@. | tst.go:94:14:94:19 | selection of Form | user-provided value |
| tst.go:106:30:106:88 | ...+... | tst.go:94:14:94:19 | selection of Form | tst.go:106:30:106:88 | ...+... | XPath expression depends on a $@. | tst.go:94:14:94:19 | selection of Form | user-provided value |
| tst.go:114:25:114:87 | ...+... | tst.go:111:14:111:19 | selection of Form | tst.go:114:25:114:87 | ...+... | XPath expression depends on a $@. | tst.go:111:14:111:19 | selection of Form | user-provided value |
| tst.go:117:26:117:88 | ...+... | tst.go:111:14:111:19 | selection of Form | tst.go:117:26:117:88 | ...+... | XPath expression depends on a $@. | tst.go:111:14:111:19 | selection of Form | user-provided value |
| tst.go:126:23:126:126 | ...+... | tst.go:122:14:122:19 | selection of Form | tst.go:126:23:126:126 | ...+... | XPath expression depends on a $@. | tst.go:122:14:122:19 | selection of Form | user-provided value |
| tst.go:126:23:126:126 | ...+... | tst.go:123:14:123:19 | selection of Form | tst.go:126:23:126:126 | ...+... | XPath expression depends on a $@. | tst.go:123:14:123:19 | selection of Form | user-provided value |
| tst.go:129:24:129:127 | ...+... | tst.go:122:14:122:19 | selection of Form | tst.go:129:24:129:127 | ...+... | XPath expression depends on a $@. | tst.go:122:14:122:19 | selection of Form | user-provided value |
| tst.go:129:24:129:127 | ...+... | tst.go:123:14:123:19 | selection of Form | tst.go:129:24:129:127 | ...+... | XPath expression depends on a $@. | tst.go:123:14:123:19 | selection of Form | user-provided value |
| tst.go:132:27:132:122 | ...+... | tst.go:122:14:122:19 | selection of Form | tst.go:132:27:132:122 | ...+... | XPath expression depends on a $@. | tst.go:122:14:122:19 | selection of Form | user-provided value |
| tst.go:132:27:132:122 | ...+... | tst.go:123:14:123:19 | selection of Form | tst.go:132:27:132:122 | ...+... | XPath expression depends on a $@. | tst.go:123:14:123:19 | selection of Form | user-provided value |
| tst.go:143:27:143:89 | ...+... | tst.go:140:14:140:19 | selection of Form | tst.go:143:27:143:89 | ...+... | XPath expression depends on a $@. | tst.go:140:14:140:19 | selection of Form | user-provided value |
| tst.go:146:28:146:90 | ...+... | tst.go:140:14:140:19 | selection of Form | tst.go:146:28:146:90 | ...+... | XPath expression depends on a $@. | tst.go:140:14:140:19 | selection of Form | user-provided value |
| tst.go:155:33:155:136 | ...+... | tst.go:151:14:151:19 | selection of Form | tst.go:155:33:155:136 | ...+... | XPath expression depends on a $@. | tst.go:151:14:151:19 | selection of Form | user-provided value |
| tst.go:155:33:155:136 | ...+... | tst.go:152:14:152:19 | selection of Form | tst.go:155:33:155:136 | ...+... | XPath expression depends on a $@. | tst.go:152:14:152:19 | selection of Form | user-provided value |
| tst.go:158:18:158:121 | ...+... | tst.go:151:14:151:19 | selection of Form | tst.go:158:18:158:121 | ...+... | XPath expression depends on a $@. | tst.go:151:14:151:19 | selection of Form | user-provided value |
| tst.go:158:18:158:121 | ...+... | tst.go:152:14:152:19 | selection of Form | tst.go:158:18:158:121 | ...+... | XPath expression depends on a $@. | tst.go:152:14:152:19 | selection of Form | user-provided value |
| tst.go:164:31:164:126 | ...+... | tst.go:151:14:151:19 | selection of Form | tst.go:164:31:164:126 | ...+... | XPath expression depends on a $@. | tst.go:151:14:151:19 | selection of Form | user-provided value |
| tst.go:164:31:164:126 | ...+... | tst.go:152:14:152:19 | selection of Form | tst.go:164:31:164:126 | ...+... | XPath expression depends on a $@. | tst.go:152:14:152:19 | selection of Form | user-provided value |
| tst.go:173:21:173:116 | ...+... | tst.go:151:14:151:19 | selection of Form | tst.go:173:21:173:116 | ...+... | XPath expression depends on a $@. | tst.go:151:14:151:19 | selection of Form | user-provided value |
| tst.go:173:21:173:116 | ...+... | tst.go:152:14:152:19 | selection of Form | tst.go:173:21:173:116 | ...+... | XPath expression depends on a $@. | tst.go:152:14:152:19 | selection of Form | user-provided value |
| tst.go:182:27:182:122 | ...+... | tst.go:151:14:151:19 | selection of Form | tst.go:182:27:182:122 | ...+... | XPath expression depends on a $@. | tst.go:151:14:151:19 | selection of Form | user-provided value |
| tst.go:182:27:182:122 | ...+... | tst.go:152:14:152:19 | selection of Form | tst.go:182:27:182:122 | ...+... | XPath expression depends on a $@. | tst.go:152:14:152:19 | selection of Form | user-provided value |
| tst.go:198:23:198:85 | ...+... | tst.go:193:14:193:19 | selection of Form | tst.go:198:23:198:85 | ...+... | XPath expression depends on a $@. | tst.go:193:14:193:19 | selection of Form | user-provided value |


@@ -1,6 +1,6 @@
module main
go 1.14
go 1.21
require (
github.com/ChrisTrenkamp/goxpath v0.0.0-20190607011252-c5096ec8773d
@@ -10,5 +10,19 @@ require (
github.com/antchfx/xpath v1.1.5
github.com/go-xmlpath/xmlpath v0.0.0-20150820204837-860cbeca3ebc
github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
github.com/santhosh-tekuri/xpathparser v1.0.0
)
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
github.com/stretchr/testify v1.8.4 // indirect
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 // indirect
gopkg.in/xmlpath.v1 v1.0.0-20140413065638-a146725ea6e7 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
launchpad.net/gocheck v0.0.0-20140225173054-000000000087 // indirect
launchpad.net/xmlpath v0.0.0-20130614043138-000000000004 // indirect
)


@@ -10,6 +10,7 @@ package main
//go:generate depstubber -vendor github.com/jbowtie/gokogiri/xml Node
//go:generate depstubber -vendor github.com/jbowtie/gokogiri/xpath "" Compile
//go:generate depstubber -vendor github.com/santhosh-tekuri/xpathparser "" Parse,MustParse
//go:generate depstubber -vendor github.com/lestrrat-go/libxml2/parser Parser New,XMLParseNoEnt
import (
"net/http"
@@ -22,6 +23,7 @@ import (
"github.com/go-xmlpath/xmlpath"
gokogiriXml "github.com/jbowtie/gokogiri/xml"
gokogiriXpath "github.com/jbowtie/gokogiri/xpath"
"github.com/lestrrat-go/libxml2/parser"
"github.com/santhosh-tekuri/xpathparser"
)
@@ -185,3 +187,13 @@ func testJbowtieGokogiri(r *http.Request, n gokogiriXml.Node) {
// OK: This is not flagged, since the creation of `xpath` is already flagged.
_ = n.EvalXPathAsBoolean(xpath, nil)
}
func testLestratGoLibxml2(r *http.Request) {
r.ParseForm()
username := r.Form.Get("username")
p := parser.New(parser.XMLParseNoEnt)
// BAD: User input used directly in an XPath expression
_, _ = p.ParseString("//users/user[login/text()='" + username + "']/home_dir/text()")
}
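Review bot: The call flagged as BAD on the last line of the hunk, `p.ParseString("//users/user[login/text()='" + username + "']/home_dir/text()")`, hands the tainted string to an XML document parser rather than to an XPath evaluator: the stub signatures added alongside it (`Parse([]byte)`, `ParseReader(io.Reader)`, `ParseString(string)`) take document content, so the expected result "XPath expression depends on a user-provided value" does not describe what this call does. For untrusted input reaching a parser constructed with `parser.New(parser.XMLParseNoEnt)` the relevant concern looks like XXE / entity expansion instead, since that option appears to mirror libxml2's entity-substitution flag (worth confirming against the library's documentation). If the intent is an XPath-injection sink, the fixture should call whatever XPath evaluation entry point the package exposes, and the comment should name the weakness actually being asserted, e.g. `// BAD: User input used directly as an XML document, parsed with entity substitution enabled`.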


@@ -0,0 +1,42 @@
// Code generated by depstubber. DO NOT EDIT.
// This is a simple stub for github.com/lestrrat-go/libxml2/parser, strictly for use in testing.
// See the LICENSE file for information about the licensing of the original library.
// Source: github.com/lestrrat-go/libxml2/parser (exports: Parser; functions: New,XMLParseNoEnt)
// Package parser is a stub of github.com/lestrrat-go/libxml2/parser, generated by depstubber.
package parser
import (
io "io"
)
func New(_ ...Option) *Parser {
return nil
}
type Option int
func (_ Option) String() string {
return ""
}
func (_ *Option) Set(_ ...Option) {}
type Parser struct {
Options Option
}
func (_ *Parser) Parse(_ []byte) (interface{}, error) {
return nil, nil
}
func (_ *Parser) ParseReader(_ io.Reader) (interface{}, error) {
return nil, nil
}
func (_ *Parser) ParseString(_ string) (interface{}, error) {
return nil, nil
}
var XMLParseNoEnt Option = 0


@@ -19,6 +19,39 @@ github.com/go-xmlpath/xmlpath
# github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
## explicit
github.com/jbowtie/gokogiri
# github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
## explicit
github.com/lestrrat-go/libxml2
# github.com/santhosh-tekuri/xpathparser v1.0.0
## explicit
github.com/santhosh-tekuri/xpathparser
# github.com/davecgh/go-spew v1.1.1
## explicit
github.com/davecgh/go-spew
# github.com/pkg/errors v0.9.1
## explicit
github.com/pkg/errors
# github.com/pmezard/go-difflib v1.0.0
## explicit
github.com/pmezard/go-difflib
# github.com/stretchr/objx v0.5.0
## explicit
github.com/stretchr/objx
# github.com/stretchr/testify v1.8.4
## explicit
github.com/stretchr/testify
# gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
## explicit
gopkg.in/check.v1
# gopkg.in/xmlpath.v1 v1.0.0-20140413065638-a146725ea6e7
## explicit
gopkg.in/xmlpath.v1
# gopkg.in/yaml.v3 v3.0.1
## explicit
gopkg.in/yaml.v3
# launchpad.net/gocheck v0.0.0-20140225173054-000000000087
## explicit
launchpad.net/gocheck
# launchpad.net/xmlpath v0.0.0-20130614043138-000000000004
## explicit
launchpad.net/xmlpath