Python: Support feed method of lxml/xml.etree Parsers

2026-04-30 19:26:02 +02:00 · 2022-03-03 21:26:06 +01:00
parent f72f673e7e
commit 33ebcdf437
3 changed files with 62 additions and 0 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -79,6 +79,28 @@ private module Xml {
    }
  }

+  /**
+   * A call to the `feed` method of an `xml.etree` parser.
+   */
+  private class XMLEtreeParserFeedCall extends DataFlow::CallCfgNode, XML::XMLParsing::Range {
+    XMLEtreeParserFeedCall() {
+      this =
+        API::moduleImport("xml")
+            .getMember("etree")
+            .getMember("ElementTree")
+            .getMember("XMLParser")
+            .getReturn()
+            .getMember("feed")
+            .getACall()
+    }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+
+    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      kind.isBillionLaughs() or kind.isQuadraticBlowup()
+    }
+  }
+
  /**
   * A call to the `setFeature` method on a XML sax parser.
   *
@@ -322,6 +344,7 @@ private module Xml {
    }

    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      // TODO: This should be done with type-tracking
      exists(XML::XMLParser xmlParser |
        xmlParser = this.getArgByName("parser").getALocalSource() and xmlParser.vulnerable(kind)
      )
@@ -330,6 +353,33 @@ private module Xml {
    }
  }

+  /**
+   * A call to the `feed` method of an `lxml.etree` parser.
+   */
+  private class LXMLEtreeParserFeedCall extends DataFlow::MethodCallNode, XML::XMLParsing::Range {
+    LXMLEtreeParserFeedCall() {
+      exists(API::Node parserInstance |
+        parserInstance =
+          API::moduleImport("lxml").getMember("etree").getMember("XMLParser").getReturn()
+        or
+        parserInstance =
+          API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getReturn()
+      |
+        this = parserInstance.getMember("feed").getACall()
+      )
+    }
+
+    override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
+
+    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
+      // TODO: This should be done with type-tracking
+      exists(XML::XMLParser xmlParser |
+        xmlParser = this.getObject().getALocalSource() and
+        xmlParser.vulnerable(kind)
+      )
+    }
+  }
+
  /**
   * Gets a call to `xmltodict.parse`.
   *