mirror of
https://github.com/github/codeql.git
synced 2025-12-22 19:56:32 +01:00
Python: Rename to XmlParsingVulnerabilityKind
To keep up with style guide
This commit is contained in:
Rasmus Wriedt Larsen
@@ -558,8 +558,8 @@ module XML {
|
||||
*
|
||||
* See PoC at `python/PoCs/XmlParsing/PoC.py` for some tests of vulnerable XML parsing.
|
||||
*/
|
||||
class XMLParsingVulnerabilityKind extends string {
|
||||
XMLParsingVulnerabilityKind() {
|
||||
class XmlParsingVulnerabilityKind extends string {
|
||||
XmlParsingVulnerabilityKind() {
|
||||
this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
|
||||
}
|
||||
|
||||
@@ -586,7 +586,7 @@ module XML {
|
||||
/**
|
||||
* Holds if this XML parsing is vulnerable to `kind`.
|
||||
*/
|
||||
predicate vulnerableTo(XMLParsingVulnerabilityKind kind) { super.vulnerableTo(kind) }
|
||||
predicate vulnerableTo(XmlParsingVulnerabilityKind kind) { super.vulnerableTo(kind) }
|
||||
}
|
||||
|
||||
/** Provides classes for modeling XML parsing APIs. */
|
||||
@@ -601,7 +601,7 @@ module XML {
|
||||
/**
|
||||
* Holds if this XML parsing is vulnerable to `kind`.
|
||||
*/
|
||||
abstract predicate vulnerableTo(XMLParsingVulnerabilityKind kind);
|
||||
abstract predicate vulnerableTo(XmlParsingVulnerabilityKind kind);
|
||||
|
||||
override string getFormat() { result = "XML" }
|
||||
}
|
||||
|
||||
@@ -121,7 +121,7 @@ private module Lxml {
|
||||
*/
|
||||
abstract class InstanceSource extends DataFlow::LocalSourceNode {
|
||||
/** Holds if this instance is vulnerable to `kind`. */
|
||||
abstract predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind);
|
||||
abstract predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -135,7 +135,7 @@ private module Lxml {
|
||||
}
|
||||
|
||||
// NOTE: it's not possible to change settings of a parser after constructing it
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
kind.isXxe() and
|
||||
(
|
||||
// resolve_entities has default True
|
||||
@@ -165,7 +165,7 @@ private module Lxml {
|
||||
API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getACall()
|
||||
}
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
// as highlighted by
|
||||
// https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
|
||||
// by default XXE is allow. so as long as the default parser has not been
|
||||
@@ -189,7 +189,7 @@ private module Lxml {
|
||||
}
|
||||
|
||||
/** Gets a reference to an `lxml.etree` parser instance, that is vulnerable to `kind`. */
|
||||
DataFlow::Node instanceVulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
DataFlow::Node instanceVulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
exists(InstanceSource origin | result = instance(origin) and origin.vulnerableTo(kind))
|
||||
}
|
||||
|
||||
@@ -201,7 +201,7 @@ private module Lxml {
|
||||
|
||||
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
this.calls(instanceVulnerableTo(kind), "feed")
|
||||
}
|
||||
|
||||
@@ -256,7 +256,7 @@ private module Lxml {
|
||||
|
||||
DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
this.getParserArg() = XMLParser::instanceVulnerableTo(kind)
|
||||
or
|
||||
kind.isXxe() and
|
||||
@@ -313,7 +313,7 @@ private module Lxml {
|
||||
|
||||
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
// note that there is no `resolve_entities` argument, so it's not possible to turn off XXE :O
|
||||
kind.isXxe()
|
||||
or
|
||||
|
||||
@@ -3241,7 +3241,7 @@ private module StdlibPrivate {
|
||||
|
||||
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
kind.isBillionLaughs() or kind.isQuadraticBlowup()
|
||||
}
|
||||
|
||||
@@ -3298,7 +3298,7 @@ private module StdlibPrivate {
|
||||
]
|
||||
}
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
// note: it does not matter what `xml.etree` parser you are using, you cannot
|
||||
// change the security features anyway :|
|
||||
kind.isBillionLaughs() or kind.isQuadraticBlowup()
|
||||
@@ -3459,7 +3459,7 @@ private module StdlibPrivate {
|
||||
|
||||
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
// always vuln to these
|
||||
(kind.isBillionLaughs() or kind.isQuadraticBlowup())
|
||||
or
|
||||
@@ -3512,7 +3512,7 @@ private module StdlibPrivate {
|
||||
]
|
||||
}
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
// always vuln to these
|
||||
(kind.isBillionLaughs() or kind.isQuadraticBlowup())
|
||||
}
|
||||
@@ -3586,7 +3586,7 @@ private module StdlibPrivate {
|
||||
|
||||
DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
this.getParserArg() = saxParserWithFeatureExternalGesTurnedOn() and
|
||||
(kind.isXxe() or kind.isDtdRetrieval())
|
||||
or
|
||||
|
||||
@@ -27,7 +27,7 @@ private module Xmltodict {
|
||||
result in [this.getArg(0), this.getArgByName("xml_input")]
|
||||
}
|
||||
|
||||
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
|
||||
override predicate vulnerableTo(XML::XmlParsingVulnerabilityKind kind) {
|
||||
(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
|
||||
this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)
|
||||
}
|
||||
|
||||
@@ -17,7 +17,7 @@ from DataFlow::CallCfgNode call, string kinds
|
||||
where
|
||||
call = API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall() and
|
||||
kinds =
|
||||
strictconcat(XML::XMLParsingVulnerabilityKind kind |
|
||||
strictconcat(XML::XmlParsingVulnerabilityKind kind |
|
||||
kind.isBillionLaughs() or kind.isQuadraticBlowup()
|
||||
|
|
||||
kind, ", "
|
||||
|
||||
@@ -40,7 +40,7 @@ module XmlBomb {
|
||||
*/
|
||||
class XmlParsingWithEntityResolution extends Sink {
|
||||
XmlParsingWithEntityResolution() {
|
||||
exists(XML::XmlParsing parsing, XML::XMLParsingVulnerabilityKind kind |
|
||||
exists(XML::XmlParsing parsing, XML::XmlParsingVulnerabilityKind kind |
|
||||
(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
|
||||
parsing.vulnerableTo(kind) and
|
||||
this = parsing.getAnInput()
|
||||
|
||||
@@ -40,7 +40,7 @@ module Xxe {
|
||||
*/
|
||||
class XmlParsingWithExternalEntityResolution extends Sink {
|
||||
XmlParsingWithExternalEntityResolution() {
|
||||
exists(XML::XmlParsing parsing, XML::XMLParsingVulnerabilityKind kind |
|
||||
exists(XML::XmlParsing parsing, XML::XmlParsingVulnerabilityKind kind |
|
||||
kind.isXxe() and
|
||||
parsing.vulnerableTo(kind) and
|
||||
this = parsing.getAnInput()
|
||||
|
||||
@@ -547,7 +547,7 @@ class XmlParsingTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
exists(location.getFile().getRelativePath()) and
|
||||
exists(XML::XmlParsing parsing, XML::XMLParsingVulnerabilityKind kind |
|
||||
exists(XML::XmlParsing parsing, XML::XmlParsingVulnerabilityKind kind |
|
||||
parsing.vulnerableTo(kind) and
|
||||
location = parsing.getLocation() and
|
||||
element = parsing.toString() and
|
||||
|
||||
Reference in New Issue
Block a user