Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources.

Originally authored by @haby0, squashed to clean up a tangled commit history.
2026-04-28 10:15:14 +02:00 · 2021-09-10 13:49:31 +01:00
parent db78e3a7da
commit 2d03840fde
15 changed files with 702 additions and 1 deletions
--- a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-611/XXE.expected
@@ -0,0 +1,33 @@
+edges
+| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream |
+| XXE.java:29:23:29:41 | getReader(...) : BufferedReader | XXE.java:32:17:32:18 | br : BufferedReader |
+| XXE.java:32:17:32:18 | br : BufferedReader | XXE.java:32:17:32:29 | readLine(...) : String |
+| XXE.java:32:17:32:29 | readLine(...) : String | XXE.java:35:48:35:68 | toString(...) |
+| XXE.java:40:43:40:66 | getInputStream(...) : ServletInputStream | XXE.java:44:42:44:59 | servletInputStream : ServletInputStream |
+| XXE.java:44:25:44:60 | new StreamSource(...) : StreamSource | XXE.java:45:22:45:27 | source |
+| XXE.java:44:42:44:59 | servletInputStream : ServletInputStream | XXE.java:44:25:44:60 | new StreamSource(...) : StreamSource |
+| XXE.java:50:43:50:66 | getInputStream(...) : ServletInputStream | XXE.java:51:42:51:59 | servletInputStream : ServletInputStream |
+| XXE.java:51:27:51:60 | new XMLDecoder(...) : XMLDecoder | XXE.java:52:3:52:12 | xmlDecoder |
+| XXE.java:51:42:51:59 | servletInputStream : ServletInputStream | XXE.java:51:27:51:60 | new XMLDecoder(...) : XMLDecoder |
+nodes
+| XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XXE.java:24:18:24:35 | servletInputStream | semmle.label | servletInputStream |
+| XXE.java:29:23:29:41 | getReader(...) : BufferedReader | semmle.label | getReader(...) : BufferedReader |
+| XXE.java:32:17:32:18 | br : BufferedReader | semmle.label | br : BufferedReader |
+| XXE.java:32:17:32:29 | readLine(...) : String | semmle.label | readLine(...) : String |
+| XXE.java:35:48:35:68 | toString(...) | semmle.label | toString(...) |
+| XXE.java:40:43:40:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XXE.java:44:25:44:60 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
+| XXE.java:44:42:44:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
+| XXE.java:45:22:45:27 | source | semmle.label | source |
+| XXE.java:50:43:50:66 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XXE.java:51:27:51:60 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
+| XXE.java:51:42:51:59 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
+| XXE.java:52:3:52:12 | xmlDecoder | semmle.label | xmlDecoder |
+| XXE.java:57:49:57:72 | getInputStream(...) | semmle.label | getInputStream(...) |
+#select
+| XXE.java:24:18:24:35 | servletInputStream | XXE.java:22:43:22:66 | getInputStream(...) : ServletInputStream | XXE.java:24:18:24:35 | servletInputStream | Unsafe parsing of XML file from $@. | XXE.java:22:43:22:66 | getInputStream(...) | user input |
+| XXE.java:35:48:35:68 | toString(...) | XXE.java:29:23:29:41 | getReader(...) : BufferedReader | XXE.java:35:48:35:68 | toString(...) | Unsafe parsing of XML file from $@. | XXE.java:29:23:29:41 | getReader(...) | user input |
+| XXE.java:45:22:45:27 | source | XXE.java:40:43:40:66 | getInputStream(...) : ServletInputStream | XXE.java:45:22:45:27 | source | Unsafe parsing of XML file from $@. | XXE.java:40:43:40:66 | getInputStream(...) | user input |
+| XXE.java:52:3:52:12 | xmlDecoder | XXE.java:50:43:50:66 | getInputStream(...) : ServletInputStream | XXE.java:52:3:52:12 | xmlDecoder | Unsafe parsing of XML file from $@. | XXE.java:50:43:50:66 | getInputStream(...) | user input |
+| XXE.java:57:49:57:72 | getInputStream(...) | XXE.java:57:49:57:72 | getInputStream(...) | XXE.java:57:49:57:72 | getInputStream(...) | Unsafe parsing of XML file from $@. | XXE.java:57:49:57:72 | getInputStream(...) | user input |
--- a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-611/XXE.java
@@ -0,0 +1,91 @@
+import java.beans.XMLDecoder;
+import java.io.BufferedReader;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import org.rundeck.api.parser.ParserHelper;
+import org.apache.commons.digester3.Digester;
+import org.dom4j.Document;
+import org.dom4j.DocumentHelper;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+
+@Controller
+public class XXE {
+
+	@PostMapping(value = "bad1")
+	public void bad1(HttpServletRequest request, HttpServletResponse response) throws Exception {
+		ServletInputStream servletInputStream = request.getInputStream();
+		Digester digester = new Digester();
+		digester.parse(servletInputStream); //bad
+	}
+
+	@PostMapping(value = "bad2")
+	public void bad2(HttpServletRequest request) throws Exception {
+		BufferedReader br = request.getReader();
+		String str = "";
+		StringBuilder listString = new StringBuilder();
+		while ((str = br.readLine()) != null) {
+			listString.append(str).append("\n");
+		}
+		Document document = DocumentHelper.parseText(listString.toString()); //bad
+	}
+
+	@PostMapping(value = "bad3")
+	public void bad3(HttpServletRequest request) throws Exception {
+		ServletInputStream servletInputStream = request.getInputStream();
+		SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+		Schema schema = factory.newSchema();
+		Validator validator = schema.newValidator();
+		StreamSource source = new StreamSource(servletInputStream);
+		validator.validate(source); //bad
+	}
+
+	@PostMapping(value = "bad4")
+	public void bad4(HttpServletRequest request) throws Exception {
+		ServletInputStream servletInputStream = request.getInputStream();
+		XMLDecoder xmlDecoder = new XMLDecoder(servletInputStream);
+		xmlDecoder.readObject(); //bad
+	}
+
+	@PostMapping(value = "bad5")
+	public void bad5(HttpServletRequest request) throws Exception {
+		Document document = ParserHelper.loadDocument(request.getInputStream()); //bad
+	}
+
+	@PostMapping(value = "good1")
+	public void good1(HttpServletRequest request, HttpServletResponse response) throws Exception {
+		BufferedReader br = request.getReader();
+		String str = "";
+		StringBuilder listString = new StringBuilder();
+		while ((str = br.readLine()) != null) {
+			listString.append(str);
+		}
+		Digester digester = new Digester();
+		digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		digester.parse(listString.toString());
+	}
+
+	@PostMapping(value = "good2")
+	public void good2(HttpServletRequest request, HttpServletResponse response) throws Exception {
+		BufferedReader br = request.getReader();
+		String str = "";
+		StringBuilder listString = new StringBuilder();
+		while ((str = br.readLine()) != null) {
+			listString.append(str).append("\n");
+		}
+		SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+		Schema schema = factory.newSchema();
+		Validator validator = schema.newValidator();
+		validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalDTD", "");
+		validator.setProperty("http://javax.xml.XMLConstants/property/accessExternalSchema", "");
+		StreamSource source = new StreamSource(listString.toString());
+		validator.validate(source);
+	}
+}
--- a/java/ql/test/experimental/query-tests/security/CWE-611/XXE.qlref
+++ b/java/ql/test/experimental/query-tests/security/CWE-611/XXE.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-611/XXE.ql
--- a/java/ql/test/experimental/query-tests/security/CWE-611/options
+++ b/java/ql/test/experimental/query-tests/security/CWE-611/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4/:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../../stubs/jaxen-1.2.0/:${testdir}/../../../../stubs/rundeck-api-java-client-13.2
--- a/java/ql/test/stubs/apache-commons-digester3-3.2/org/apache/commons/digester3/Digester.java
+++ b/java/ql/test/stubs/apache-commons-digester3-3.2/org/apache/commons/digester3/Digester.java
@@ -0,0 +1,50 @@
+package org.apache.commons.digester3;
+
+import java.io.File;
+import org.xml.sax.InputSource;
+import java.io.Reader;
+import java.net.URL;
+import java.io.InputStream;
+import java.io.IOException;
+import org.xml.sax.SAXException;
+import javax.xml.parsers.SAXParser;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.DefaultHandler;
+import javax.xml.parsers.ParserConfigurationException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
+public class Digester extends DefaultHandler {
+
+	public Digester() { }
+
+    public Digester(SAXParser parser) { }
+
+    public Digester(XMLReader reader) { }
+
+    public <T> T parse(InputStream input) throws IOException, SAXException {
+        return null;
+    }
+
+    public <T> T parse(File file) throws IOException, SAXException {
+        return null;
+    }
+
+    public <T> T parse(InputSource input) throws IOException, SAXException {
+        return null;
+    }
+
+    public <T> T parse(Reader reader) throws IOException, SAXException {
+        return null;
+    }
+
+    public <T> T parse(String uri) throws IOException, SAXException {
+        return null;
+    }
+
+    public <T> T parse(URL url) throws IOException, SAXException {
+        return null;
+    }
+
+    public void setFeature(String feature, boolean value) throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException { }
+}
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentException.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentException.java
@@ -0,0 +1,24 @@
+package org.dom4j;
+
+public class DocumentException extends Exception {
+    public DocumentException() {
+    }
+
+    public DocumentException(String message) {
+        super(message);
+    }
+
+    public DocumentException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public DocumentException(Throwable cause) {
+        super(cause);
+    }
+
+    /** @deprecated */
+    @Deprecated
+    public Throwable getNestedException() {
+        return null;
+    }
+}
--- a/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
+++ b/java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentHelper.java
@@ -69,6 +69,9 @@ public final class DocumentHelper {
    return null;
  }

+  public static Document parseText(String text) throws DocumentException {
+    return null;
+  }
 }

 /*
--- a/java/ql/test/stubs/rundeck-api-java-client-13.2/org/rundeck/api/parser/ParserHelper.java
+++ b/java/ql/test/stubs/rundeck-api-java-client-13.2/org/rundeck/api/parser/ParserHelper.java
@@ -0,0 +1,13 @@
+package org.rundeck.api.parser;
+
+import java.io.InputStream;
+import org.dom4j.Document;
+
+public class ParserHelper {
+    public ParserHelper() {
+    }
+
+    public static Document loadDocument(InputStream inputStream) {
+        return null;
+    }
+}
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/servlet-api-2.4/:${testdir}/../../../../stubs/springframework-5.3.8/:${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../../stubs/jaxen-1.2.0/:${testdir}/../../../../stubs/rundeck-api-java-client-13.2`