mirror of
https://github.com/github/codeql.git
synced 2026-04-29 10:45:15 +02:00
C++: Add support for SAXParser in the query.
This commit is contained in:
Geoffrey White
@@ -57,42 +57,51 @@ class XercesDOMParserClass extends Class {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a valid flow state for `XercesDOMParser` flow.
|
||||
* The `SAXParser` class.
|
||||
*/
|
||||
class SAXParser extends Class {
|
||||
SAXParser() { this.hasName("SAXParser") }
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a valid flow state for `AbstractDOMParser` or `SAXParser` flow.
|
||||
*
|
||||
* These flow states take the form `XercesDOM-A-B`, where:
|
||||
* These flow states take the form `Xerces-A-B`, where:
|
||||
* - A is 1 if `setDisableDefaultEntityResolution` is `true`, 0 otherwise.
|
||||
* - B is 1 if `setCreateEntityReferenceNodes` is `true`, 0 otherwise.
|
||||
*/
|
||||
predicate encodeXercesDOMFlowState(
|
||||
predicate encodeXercesFlowState(
|
||||
string flowstate, int disabledDefaultEntityResolution, int createEntityReferenceNodes
|
||||
) {
|
||||
flowstate = "XercesDOM-0-0" and
|
||||
flowstate = "Xerces-0-0" and
|
||||
disabledDefaultEntityResolution = 0 and
|
||||
createEntityReferenceNodes = 0
|
||||
or
|
||||
flowstate = "XercesDOM-0-1" and
|
||||
flowstate = "Xerces-0-1" and
|
||||
disabledDefaultEntityResolution = 0 and
|
||||
createEntityReferenceNodes = 1
|
||||
or
|
||||
flowstate = "XercesDOM-1-0" and
|
||||
flowstate = "Xerces-1-0" and
|
||||
disabledDefaultEntityResolution = 1 and
|
||||
createEntityReferenceNodes = 0
|
||||
or
|
||||
flowstate = "XercesDOM-1-1" and
|
||||
flowstate = "Xerces-1-1" and
|
||||
disabledDefaultEntityResolution = 1 and
|
||||
createEntityReferenceNodes = 1
|
||||
}
|
||||
|
||||
/**
|
||||
* A flow state representing the configuration of a `XercesDOMParser` object.
|
||||
* A flow state representing the configuration of a `AbstractDOMParser` or
|
||||
* `SAXParser` object.
|
||||
*/
|
||||
class XercesDOMParserFlowState extends XXEFlowState {
|
||||
XercesDOMParserFlowState() { encodeXercesDOMFlowState(this, _, _) }
|
||||
class XercesFlowState extends XXEFlowState {
|
||||
XercesFlowState() { encodeXercesFlowState(this, _, _) }
|
||||
}
|
||||
|
||||
/**
|
||||
* A flow state transformer for a call to
|
||||
* `AbstractDOMParser.setDisableDefaultEntityResolution`. Transforms the flow
|
||||
* `AbstractDOMParser.setDisableDefaultEntityResolution` or
|
||||
* `SAXParser.setDisableDefaultEntityResolution`. Transforms the flow
|
||||
* state through the qualifier according to the setting in the parameter.
|
||||
*/
|
||||
class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
|
||||
@@ -101,7 +110,10 @@ class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
|
||||
DisableDefaultEntityResolutionTranformer() {
|
||||
exists(Call call, Function f |
|
||||
call.getTarget() = f and
|
||||
f.getDeclaringType() instanceof AbstractDOMParserClass and
|
||||
(
|
||||
f.getDeclaringType() instanceof AbstractDOMParserClass or
|
||||
f.getDeclaringType() instanceof SAXParser
|
||||
) and
|
||||
f.hasName("setDisableDefaultEntityResolution") and
|
||||
this = call.getQualifier() and
|
||||
newValue = call.getArgument(0)
|
||||
@@ -110,13 +122,13 @@ class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
|
||||
|
||||
final override XXEFlowState transform(XXEFlowState flowstate) {
|
||||
exists(int createEntityReferenceNodes |
|
||||
encodeXercesDOMFlowState(flowstate, _, createEntityReferenceNodes) and
|
||||
encodeXercesFlowState(flowstate, _, createEntityReferenceNodes) and
|
||||
(
|
||||
newValue.getValue().toInt() = 1 and // true
|
||||
encodeXercesDOMFlowState(result, 1, createEntityReferenceNodes)
|
||||
encodeXercesFlowState(result, 1, createEntityReferenceNodes)
|
||||
or
|
||||
not newValue.getValue().toInt() = 1 and // false or unknown
|
||||
encodeXercesDOMFlowState(result, 0, createEntityReferenceNodes)
|
||||
encodeXercesFlowState(result, 0, createEntityReferenceNodes)
|
||||
)
|
||||
)
|
||||
}
|
||||
@@ -142,27 +154,31 @@ class CreateEntityReferenceNodesTranformer extends XXEFlowStateTranformer {
|
||||
|
||||
final override XXEFlowState transform(XXEFlowState flowstate) {
|
||||
exists(int disabledDefaultEntityResolution |
|
||||
encodeXercesDOMFlowState(flowstate, disabledDefaultEntityResolution, _) and
|
||||
encodeXercesFlowState(flowstate, disabledDefaultEntityResolution, _) and
|
||||
(
|
||||
newValue.getValue().toInt() = 1 and // true
|
||||
encodeXercesDOMFlowState(result, disabledDefaultEntityResolution, 1)
|
||||
encodeXercesFlowState(result, disabledDefaultEntityResolution, 1)
|
||||
or
|
||||
not newValue.getValue().toInt() = 1 and // false or unknown
|
||||
encodeXercesDOMFlowState(result, disabledDefaultEntityResolution, 0)
|
||||
encodeXercesFlowState(result, disabledDefaultEntityResolution, 0)
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The `AbstractDOMParser.parse` method.
|
||||
* The `AbstractDOMParser.parse` or `SAXParser.parse` method.
|
||||
*/
|
||||
class ParseFunction extends Function {
|
||||
ParseFunction() { this.getClassAndName("parse") instanceof AbstractDOMParserClass }
|
||||
ParseFunction() {
|
||||
this.getClassAndName("parse") instanceof AbstractDOMParserClass or
|
||||
this.getClassAndName("parse") instanceof SAXParser
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The `createLSParser` function that returns a newly created `LSParser` object.
|
||||
* The `createLSParser` function that returns a newly created `DOMLSParser`
|
||||
* object.
|
||||
*/
|
||||
class CreateLSParser extends Function {
|
||||
CreateLSParser() {
|
||||
@@ -184,14 +200,23 @@ class XXEConfiguration extends DataFlow::Configuration {
|
||||
call.getStaticCallTarget() = any(XercesDOMParserClass c).getAConstructor() and
|
||||
node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
|
||||
call.getThisArgument() and
|
||||
encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
|
||||
encodeXercesFlowState(flowstate, 0, 1) // default configuration
|
||||
)
|
||||
or
|
||||
// source is the result of a call to `createLSParser`.
|
||||
exists(Call call |
|
||||
call.getTarget() instanceof CreateLSParser and
|
||||
call = node.asExpr() and
|
||||
encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
|
||||
encodeXercesFlowState(flowstate, 0, 1) // default configuration
|
||||
)
|
||||
or
|
||||
// source is the write on `this` of a call to the `SAXParser`
|
||||
// constructor.
|
||||
exists(CallInstruction call |
|
||||
node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
|
||||
call.getThisArgument() and
|
||||
call.getStaticCallTarget().(Constructor).getDeclaringType() instanceof SAXParser and
|
||||
encodeXercesFlowState(flowstate, 0, 1) // default configuration
|
||||
)
|
||||
}
|
||||
|
||||
@@ -201,8 +226,8 @@ class XXEConfiguration extends DataFlow::Configuration {
|
||||
call.getTarget() instanceof ParseFunction and
|
||||
call.getQualifier() = node.asConvertedExpr()
|
||||
) and
|
||||
flowstate instanceof XercesDOMParserFlowState and
|
||||
not encodeXercesDOMFlowState(flowstate, 1, 1) // safe configuration
|
||||
flowstate instanceof XercesFlowState and
|
||||
not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
|
||||
}
|
||||
|
||||
override predicate isAdditionalFlowStep(
|
||||
|
||||
@@ -1,4 +1,7 @@
|
||||
edges
|
||||
| tests2.cpp:20:17:20:31 | SAXParser output argument | tests2.cpp:22:2:22:2 | p |
|
||||
| tests2.cpp:33:17:33:31 | SAXParser output argument | tests2.cpp:37:2:37:2 | p |
|
||||
| tests2.cpp:41:17:41:31 | SAXParser output argument | tests2.cpp:45:2:45:2 | p |
|
||||
| tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p |
|
||||
| tests.cpp:46:23:46:43 | XercesDOMParser output argument | tests.cpp:49:2:49:2 | p |
|
||||
| tests.cpp:53:19:53:19 | VariableAddress [post update] | tests.cpp:55:2:55:2 | p |
|
||||
@@ -27,6 +30,12 @@ edges
|
||||
| tests.cpp:146:18:146:18 | q | tests.cpp:134:39:134:39 | p |
|
||||
| tests.cpp:150:19:150:32 | call to createLSParser | tests.cpp:152:2:152:2 | p |
|
||||
nodes
|
||||
| tests2.cpp:20:17:20:31 | SAXParser output argument | semmle.label | SAXParser output argument |
|
||||
| tests2.cpp:22:2:22:2 | p | semmle.label | p |
|
||||
| tests2.cpp:33:17:33:31 | SAXParser output argument | semmle.label | SAXParser output argument |
|
||||
| tests2.cpp:37:2:37:2 | p | semmle.label | p |
|
||||
| tests2.cpp:41:17:41:31 | SAXParser output argument | semmle.label | SAXParser output argument |
|
||||
| tests2.cpp:45:2:45:2 | p | semmle.label | p |
|
||||
| tests.cpp:33:23:33:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
|
||||
| tests.cpp:35:2:35:2 | p | semmle.label | p |
|
||||
| tests.cpp:46:23:46:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
|
||||
@@ -66,6 +75,9 @@ nodes
|
||||
| tests.cpp:152:2:152:2 | p | semmle.label | p |
|
||||
subpaths
|
||||
#select
|
||||
| tests2.cpp:22:2:22:2 | p | tests2.cpp:20:17:20:31 | SAXParser output argument | tests2.cpp:22:2:22:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | SAXParser output argument | XML parser |
|
||||
| tests2.cpp:37:2:37:2 | p | tests2.cpp:33:17:33:31 | SAXParser output argument | tests2.cpp:37:2:37:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | SAXParser output argument | XML parser |
|
||||
| tests2.cpp:45:2:45:2 | p | tests2.cpp:41:17:41:31 | SAXParser output argument | tests2.cpp:45:2:45:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:41:17:41:31 | SAXParser output argument | XML parser |
|
||||
| tests.cpp:35:2:35:2 | p | tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:33:23:33:43 | XercesDOMParser output argument | XML parser |
|
||||
| tests.cpp:49:2:49:2 | p | tests.cpp:46:23:46:43 | XercesDOMParser output argument | tests.cpp:49:2:49:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:46:23:46:43 | XercesDOMParser output argument | XML parser |
|
||||
| tests.cpp:57:2:57:2 | p | tests.cpp:53:23:53:43 | XercesDOMParser output argument | tests.cpp:57:2:57:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:53:23:53:43 | XercesDOMParser output argument | XML parser |
|
||||
|
||||
@@ -19,7 +19,7 @@ public:
|
||||
void test2_1(InputSource &data) {
|
||||
SAXParser *p = new SAXParser();
|
||||
|
||||
p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
|
||||
p->parse(data); // BAD (parser not correctly configured)
|
||||
}
|
||||
|
||||
void test2_2(InputSource &data) {
|
||||
@@ -34,7 +34,7 @@ void test2_3(InputSource &data) {
|
||||
bool v = false;
|
||||
|
||||
p->setDisableDefaultEntityResolution(v);
|
||||
p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
|
||||
p->parse(data); // BAD (parser not correctly configured)
|
||||
}
|
||||
|
||||
void test2_4(InputSource &data) {
|
||||
@@ -42,5 +42,5 @@ void test2_4(InputSource &data) {
|
||||
bool v = true;
|
||||
|
||||
p->setDisableDefaultEntityResolution(v);
|
||||
p->parse(data); // GOOD
|
||||
p->parse(data); // GOOD [FALSE POSITIVE]
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user