Python: Handle more functions and kw-args

2026-04-30 19:26:02 +02:00 · 2022-03-03 21:05:44 +01:00
parent 2451123c67
commit 3278793972
6 changed files with 114 additions and 16 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -53,11 +53,21 @@ private module Xml {
        API::moduleImport("xml")
            .getMember("etree")
            .getMember("ElementTree")
-            .getMember(["fromstring", "fromstringlist", "XML", "parse"])
+            .getMember(["fromstring", "fromstringlist", "XML", "XMLID", "parse", "iterparse"])
            .getACall()
    }

-    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+    override DataFlow::Node getAnInput() {
+      result in [
+          this.getArg(0),
+          // fromstring / XML / XMLID
+          this.getArgByName("text"),
+          // fromstringlist
+          this.getArgByName("sequence"),
+          // parse / iterparse
+          this.getArgByName("source"),
+        ]
+    }

    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
      not exists(this.getArgByName("parser")) and
@@ -163,8 +173,8 @@ private module Xml {
   * parsed_xml = BadHandler._result
   * ```
   */
-  private class XMLSaxParsing extends DataFlow::MethodCallNode, XML::XMLParsing::Range {
-    XMLSaxParsing() {
+  private class XMLSaxInstanceParsing extends DataFlow::MethodCallNode, XML::XMLParsing::Range {
+    XMLSaxInstanceParsing() {
      this =
        API::moduleImport("xml")
            .getMember("sax")
@@ -174,7 +184,40 @@ private module Xml {
            .getACall()
    }

-    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }
+
+    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      // always vuln to these
+      (kind.isBillionLaughs() or kind.isQuadraticBlowup())
+      or
+      // can be vuln to other things if features has been turned on
+      this.getObject() = saxParserWithFeatureExternalGesTurnedOn() and
+      (kind.isXxe() or kind.isDtdRetrieval())
+    }
+  }
+
+  /**
+   * A call to either `parse` or `parseString` from `xml.sax` module.
+   *
+   * See:
+   * - https://docs.python.org/3.10/library/xml.sax.html#xml.sax.parse
+   * - https://docs.python.org/3.10/library/xml.sax.html#xml.sax.parseString
+   */
+  private class XMLSaxParsing extends DataFlow::MethodCallNode, XML::XMLParsing::Range {
+    XMLSaxParsing() {
+      this =
+        API::moduleImport("xml").getMember("sax").getMember(["parse", "parseString"]).getACall()
+    }
+
+    override DataFlow::Node getAnInput() {
+      result in [
+          this.getArg(0),
+          // parseString
+          this.getArgByName("string"),
+          // parse
+          this.getArgByName("source"),
+        ]
+    }

    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
      // always vuln to these
@@ -262,11 +305,21 @@ private module Xml {
      this =
        API::moduleImport("lxml")
            .getMember("etree")
-            .getMember(["fromstring", "fromstringlist", "XML", "parse"])
+            .getMember(["fromstring", "fromstringlist", "XML", "parse", "parseid"])
            .getACall()
    }

-    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+    override DataFlow::Node getAnInput() {
+      result in [
+          this.getArg(0),
+          // fromstring / XML
+          this.getArgByName("text"),
+          // fromstringlist
+          this.getArgByName("strings"),
+          // parse / parseid
+          this.getArgByName("source"),
+        ]
+    }

    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
      exists(XML::XMLParser xmlParser |
@@ -293,7 +346,9 @@ private module Xml {
  private class XMLtoDictParsing extends DataFlow::CallCfgNode, XML::XMLParsing::Range {
    XMLtoDictParsing() { this = API::moduleImport("xmltodict").getMember("parse").getACall() }

-    override DataFlow::Node getAnInput() { result = this.getArg(0) }
+    override DataFlow::Node getAnInput() {
+      result in [this.getArg(0), this.getArgByName("xml_input")]
+    }

    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
      (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
@@ -317,7 +372,15 @@ private module Xml {
    }

    override DataFlow::Node getAnInput() {
-      result in [this.getArg(0), this.getArgByName("string"), this.getArgByName("file")]
+      result in [
+          this.getArg(0),
+          // parseString
+          this.getArgByName("string"),
+          // minidom.parse
+          this.getArgByName("file"),
+          // pulldom.parse
+          this.getArgByName("stream_or_string"),
+        ]
    }

    DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
--- a/python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py
@@ -5,12 +5,19 @@ x = "some xml"

 # different parsing methods
 lxml.etree.fromstring(x) # $ input=x vuln='XXE'
+lxml.etree.fromstring(text=x) # $ input=x vuln='XXE'

 lxml.etree.fromstringlist([x]) # $ input=List vuln='XXE'
+lxml.etree.fromstringlist(strings=[x]) # $ input=List vuln='XXE'

 lxml.etree.XML(x) # $ input=x vuln='XXE'
+lxml.etree.XML(text=x) # $ input=x vuln='XXE'

-lxml.etree.parse(StringIO(x)).getroot() # $ input=StringIO(..) vuln='XXE'
+lxml.etree.parse(StringIO(x)) # $ input=StringIO(..) vuln='XXE'
+lxml.etree.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='XXE'
+
+lxml.etree.parseid(StringIO(x)) # $ input=StringIO(..) vuln='XXE'
+lxml.etree.parseid(source=StringIO(x)) # $ input=StringIO(..) vuln='XXE'

 # With default parsers (nothing changed)
 parser = lxml.etree.XMLParser()
--- a/python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py
@@ -7,13 +7,25 @@ x = "some xml"

 # minidom
 xml.dom.minidom.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.minidom.parse(file=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+
 xml.dom.minidom.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.minidom.parseString(string=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+

 # pulldom
 xml.dom.pulldom.parse(StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.pulldom.parse(stream_or_string=StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+
 xml.dom.pulldom.parseString(x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.pulldom.parseString(string=x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+

 # These are based on SAX parses, and you can specify your own, so you can expose yourself to XXE (yay/)
 parser = xml.sax.make_parser()
 parser.setFeature(xml.sax.handler.feature_external_ges, True)
+xml.dom.minidom.parse(StringIO(x), parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
 xml.dom.minidom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+
+xml.dom.pulldom.parse(StringIO(x), parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+xml.dom.pulldom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
--- a/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py
@@ -5,9 +5,23 @@ x = "some xml"

 # Parsing in different ways
 xml.etree.ElementTree.fromstring(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.fromstringlist(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstring(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+xml.etree.ElementTree.fromstringlist([x]) # $ input=List vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstringlist(sequence=[x]) # $ input=List vuln='Billion Laughs' vuln='Quadratic Blowup'
+
 xml.etree.ElementTree.XML(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.XML(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+xml.etree.ElementTree.XMLID(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.XMLID(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
 xml.etree.ElementTree.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+xml.etree.ElementTree.iterparse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+

 # With parsers (no options available to disable/enable security features)
 parser = xml.etree.ElementTree.XMLParser()
--- a/python/ql/test/experimental/library-tests/frameworks/XML/xml_sax.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/xml_sax.py
@@ -10,14 +10,15 @@ class MainHandler(xml.sax.ContentHandler):
    def characters(self, data):
        self._result.append(data)

-    def parse(self, f):
-        xml.sax.parse(f, self) # $ MISSING: input=f vuln='Billion Laughs' vuln='Quadratic Blowup'
-        self._result
+xml.sax.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.sax.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'

-MainHandler().parse(StringIO(x))
+xml.sax.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.sax.parseString(string=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'

 parser = xml.sax.make_parser()
 parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+parser.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'

 # You can make it vuln to both XXE and DTD retrieval by setting this flag
 # see https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges
@@ -30,7 +31,6 @@ parser.setFeature(xml.sax.handler.feature_external_ges, False)
 parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'

 # Forward Type Tracking test
-
 def func(cond):
    parser = xml.sax.make_parser()
    if cond:
--- a/python/ql/test/experimental/library-tests/frameworks/XML/xmltodict.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/xmltodict.py
@@ -3,4 +3,6 @@ import xmltodict
 x = "some xml"

 xmltodict.parse(x) # $ input=x
+xmltodict.parse(xml_input=x) # $ input=x
+
 xmltodict.parse(x, disable_entities=False) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'