Java: Add XXE sinks for MDHT

2026-03-04 22:56:47 +01:00 · 2023-07-19 13:06:39 +02:00
parent 41f1315da9
commit 2cbb7ed296
271 changed files with 8984 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/mdht/MdhtXml.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/mdht/MdhtXml.qll
@@ -0,0 +1,22 @@
+/** Provides definitions related to XML parsing in Model-Driven Health Tools. */
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/** A call to `CDAUtil.load` or `CDAUtil.loadAs`. */
+private class CdaUtilLoad extends XmlParserCall {
+  CdaUtilLoad() {
+    this.getMethod()
+        .hasQualifiedName("org.openhealthtools.mdht.uml.cda.util", "CDAUtil", ["load", "loadAs"])
+  }
+
+  override Expr getSink() {
+    result = this.getAnArgument() and
+    exists(RefType t | result.getType().(RefType).getASourceSupertype*() = t |
+      t instanceof TypeInputStream or
+      t instanceof InputSource
+    )
+  }
+
+  override predicate isSafe() { none() }
+}
--- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
@@ -9,6 +9,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.apache.CommonsXml
  private import semmle.code.java.frameworks.javaee.Xml
  private import semmle.code.java.frameworks.javase.Beans
+  private import semmle.code.java.frameworks.mdht.MdhtXml
  private import semmle.code.java.frameworks.rundeck.RundeckXml
 }