Merge pull request #7915 from yoff/python/promote-xpath-injection

Python: promote XPath injection query

python/ql/lib/semmle/python/Concepts.qll

@@ -334,6 +334,7 @@ module CodeExecution {
 
 /**
  * A data-flow node that constructs an SQL statement.
+ *
  * Often, it is worthy of an alert if an SQL statement is constructed such that
  * executing it would be a security risk.
  *
@@ -355,11 +356,14 @@ class SqlConstruction extends DataFlow::Node {
 module SqlConstruction {
   /**
    * A data-flow node that constructs an SQL statement.
+   *
    * Often, it is worthy of an alert if an SQL statement is constructed such that
    * executing it would be a security risk.
    *
+   * If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
+   *
    * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `SqlExecution` instead.
+   * extend `SqlConstruction` instead.
    */
   abstract class Range extends DataFlow::Node {
     /** Gets the argument that specifies the SQL statements to be constructed. */
@@ -449,6 +453,105 @@ module RegexExecution {
   }
 }
 
+/** Provides classes for modeling XML-related APIs. */
+module XML {
+  /**
+   * A data-flow node that constructs an XPath expression.
+   *
+   * Often, it is worthy of an alert if an XPath expression is constructed such that
+   * executing it would be a security risk.
+   *
+   * If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPathConstruction::Range` instead.
+   */
+  class XPathConstruction extends DataFlow::Node {
+    XPathConstruction::Range range;
+
+    XPathConstruction() { this = range }
+
+    /** Gets the argument that specifies the XPath expressions to be constructed. */
+    DataFlow::Node getXPath() { result = range.getXPath() }
+
+    /**
+     * Gets the name of this XPath expression construction, typically the name of an executing method.
+     * This is used for nice alert messages and should include the module if possible.
+     */
+    string getName() { result = range.getName() }
+  }
+
+  /** Provides a class for modeling new XPath construction APIs. */
+  module XPathConstruction {
+    /**
+     * A data-flow node that constructs an XPath expression.
+     *
+     * Often, it is worthy of an alert if an XPath expression is constructed such that
+     * executing it would be a security risk.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPathConstruction` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the argument that specifies the XPath expressions to be constructed. */
+      abstract DataFlow::Node getXPath();
+
+      /**
+       * Gets the name of this XPath expression construction, typically the name of an executing method.
+       * This is used for nice alert messages and should include the module if possible.
+       */
+      abstract string getName();
+    }
+  }
+
+  /**
+   * A data-flow node that executes a xpath expression.
+   *
+   * If the context of interest is such that merely constructing an XPath expression
+   * would be valuabe to report, then consider using `XPathConstruction`.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPathExecution::Range` instead.
+   */
+  class XPathExecution extends DataFlow::Node {
+    XPathExecution::Range range;
+
+    XPathExecution() { this = range }
+
+    /** Gets the data flow node for the XPath expression being executed by this node. */
+    DataFlow::Node getXPath() { result = range.getXPath() }
+
+    /**
+     * Gets the name of this XPath expression execution, typically the name of an executing method.
+     * This is used for nice alert messages and should include the module if possible.
+     */
+    string getName() { result = range.getName() }
+  }
+
+  /** Provides classes for modeling new regular-expression execution APIs. */
+  module XPathExecution {
+    /**
+     * A data-flow node that executes a XPath expression.
+     *
+     * If the context of interest is such that merely constructing an XPath expression
+     * would be valuabe to report, then consider using `XPathConstruction`.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPathExecution` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the data flow node for the XPath expression being executed by this node. */
+      abstract DataFlow::Node getXPath();
+
+      /**
+       * Gets the name of this xpath expression execution, typically the name of an executing method.
+       * This is used for nice alert messages and should include the module if possible.
+       */
+      abstract string getName();
+    }
+  }
+}
+
 /** Provides classes for modeling LDAP-related APIs. */
 module LDAP {
   /**

python/ql/lib/semmle/python/Frameworks.qll

@@ -24,6 +24,8 @@ private import semmle.python.frameworks.Invoke
 private import semmle.python.frameworks.Jmespath
 private import semmle.python.frameworks.Ldap
 private import semmle.python.frameworks.Ldap3
+private import semmle.python.frameworks.Libxml2
+private import semmle.python.frameworks.Lxml
 private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql

python/ql/lib/semmle/python/frameworks/Libxml2.qll

@@ -0,0 +1,45 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `libxml2` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/libxml2-python3/
+ * - http://xmlsoft.org/python.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides classes modeling security-relevant aspects of the `libxml2` PyPI package
+ *
+ * See
+ * - https://pypi.org/project/libxml2-python3/
+ * - http://xmlsoft.org/python.html
+ */
+private module Libxml2 {
+  /**
+   * A call to the `xpathEval` method of a parsed document.
+   *
+   *    import libxml2
+   *    tree = libxml2.parseFile("file.xml")
+   *    r = tree.xpathEval('`sink`')
+   *
+   * See http://xmlsoft.org/python.html
+   */
+  class XpathEvalCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    XpathEvalCall() {
+      this =
+        API::moduleImport("libxml2")
+            .getMember("parseFile")
+            .getReturn()
+            .getMember("xpathEval")
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArg(0) }
+
+    override string getName() { result = "libxml2" }
+  }
+}

python/ql/lib/semmle/python/frameworks/Lxml.qll

@@ -0,0 +1,88 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `lxml` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/lxml/
+ * - https://lxml.de/tutorial.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides classes modeling security-relevant aspects of the `lxml` PyPI package
+ *
+ * See
+ * - https://pypi.org/project/lxml/
+ * - https://lxml.de/tutorial.html
+ */
+private module Lxml {
+  /**
+   * A class constructor compiling an XPath expression.
+   *
+   *    from lxml import etree
+   *    find_text = etree.XPath("`sink`")
+   *    find_text = etree.ETXPath("`sink`")
+   *
+   * See
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XPath
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.ETXPath
+   */
+  private class XPathClassCall extends XML::XPathConstruction::Range, DataFlow::CallCfgNode {
+    XPathClassCall() {
+      this = API::moduleImport("lxml").getMember("etree").getMember(["XPath", "ETXPath"]).getACall()
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("path")] }
+
+    override string getName() { result = "lxml.etree" }
+  }
+
+  /**
+   * A call to the `xpath` method of a parsed document.
+   *
+   *    from lxml import etree
+   *    root =  etree.fromstring(file(XML_DB).read(), XMLParser())
+   *    find_text = root.xpath("`sink`")
+   *
+   * See https://lxml.de/apidoc/lxml.etree.html#lxml.etree._ElementTree.xpath
+   * as well as
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.parse
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.fromstring
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.fromstringlist
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.HTML
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XML
+   */
+  class XPathCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    XPathCall() {
+      this =
+        API::moduleImport("lxml")
+            .getMember("etree")
+            .getMember(["parse", "fromstring", "fromstringlist", "HTML", "XML"])
+            .getReturn()
+            .getMember("xpath")
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("_path")] }
+
+    override string getName() { result = "lxml.etree" }
+  }
+
+  class XPathEvaluatorCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    XPathEvaluatorCall() {
+      this =
+        API::moduleImport("lxml")
+            .getMember("etree")
+            .getMember("XPathEvaluator")
+            .getReturn()
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArg(0) }
+
+    override string getName() { result = "lxml.etree" }
+  }
+}

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2836,6 +2836,70 @@ private module StdlibPrivate {
     override string getKind() { result = Escaping::getRegexKind() }
   }
 
+  // ---------------------------------------------------------------------------
+  // xml.etree.ElementTree
+  // ---------------------------------------------------------------------------
+  /**
+   * An instance of `xml.etree.ElementTree.ElementTree`.
+   *
+   * See https://docs.python.org/3.10/library/xml.etree.elementtree.html#xml.etree.ElementTree.ElementTree
+   */
+  private API::Node elementTreeInstance() {
+    //parse to a tree
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember("parse")
+          .getReturn()
+    or
+    // construct a tree without parsing
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember("ElementTree")
+          .getReturn()
+  }
+
+  /**
+   * An instance of `xml.etree.ElementTree.Element`.
+   *
+   * See https://docs.python.org/3.10/library/xml.etree.elementtree.html#xml.etree.ElementTree.Element
+   */
+  private API::Node elementInstance() {
+    // parse or go to the root of a tree
+    result = elementTreeInstance().getMember(["parse", "getroot"]).getReturn()
+    or
+    // parse directly to an element
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember(["fromstring", "fromstringlist", "XML"])
+          .getReturn()
+  }
+
+  /**
+   * A call to a find method on a tree or an element will execute an XPath expression.
+   */
+  private class ElementTreeFindCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    string methodName;
+
+    ElementTreeFindCall() {
+      methodName in ["find", "findall", "findtext"] and
+      (
+        this = elementTreeInstance().getMember(methodName).getACall()
+        or
+        this = elementInstance().getMember(methodName).getACall()
+      )
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("match")] }
+
+    override string getName() { result = "xml.etree" }
+  }
+
   // ---------------------------------------------------------------------------
   // urllib
   // ---------------------------------------------------------------------------

python/ql/lib/semmle/python/security/dataflow/XpathInjectionCustomizations.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides class and predicates to track external data that
+ * may represent malicious xpath query objects.
+ *
+ * This module is intended to be imported into a taint-tracking query.
+ */
+
+private import python
+private import semmle.python.dataflow.new.TaintTracking
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.dataflow.new.BarrierGuards
+
+/** Models Xpath Injection related classes and functions */
+module XpathInjection {
+  /**
+   * A data flow source for "XPath injection" vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for "XPath injection" vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for "XPath injection" vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A sanitizer guard for "XPath injection" vulnerabilities.
+   */
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
+
+  /**
+   * A source of remote user input, considered as a flow source.
+   */
+  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
+
+  /**
+   * A construction of an XPath expression, considered as a sink.
+   */
+  class XPathConstructionArg extends Sink {
+    XPathConstructionArg() { this = any(XML::XPathConstruction c).getXPath() }
+  }
+
+  /**
+   * An execution of an XPath expression, considered as a sink.
+   */
+  class XPathExecutionArg extends Sink {
+    XPathExecutionArg() { this = any(XML::XPathExecution e).getXPath() }
+  }
+}

python/ql/src/Security/CWE-643/XpathInjection.qhelp

@@ -0,0 +1,24 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+        If an XPath expression is built using string concatenation, and the components of the concatenation
+        include user input, it makes it very easy for a user to create a malicious XPath expression.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+        If user input must be included in an XPath expression, either sanitize the data or use variable
+        references to safely embed it without altering the structure of the expression.
+        </p>
+    </recommendation>
+    <example>
+        <p>In the example below, the xpath query is controlled by the user and hence leads to a vulnerability.</p>
+        <sample src="xpathBad.py" />
+        <p> This can be fixed by using a parameterized query as shown below.</p>
+        <sample src="xpathGood.py" />
+    </example>
+    <references>
+        <li>OWASP XPath injection : <a href="https://owasp.org/www-community/attacks/XPATH_Injection"></a>/>> </li>
+    </references>
+</qhelp>

python/ql/src/Security/CWE-643/XpathInjection.ql

@@ -0,0 +1,20 @@
+/**
+ * @name XPath query built from user-controlled sources
+ * @description Building a XPath query from user-controlled sources is vulnerable to insertion of
+ *              malicious Xpath code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.8
+ * @precision high
+ * @id py/xpath-injection
+ * @tags security
+ *       external/cwe/cwe-643
+ */
+
+import python
+import semmle.python.security.dataflow.XpathInjection
+import DataFlow::PathGraph
+
+from XpathInjection::Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink, source, sink, "This Xpath query depends on $@.", source, "a user-provided value"

python/ql/src/change-notes/2022-02-09-promote-xpath-injection.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query "XPath query built from user-controlled sources" (`py/xpath-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @porcupineyhairs](https://github.com/github/codeql/pull/6331).

python/ql/src/experimental/Security/CWE-643/XpathInjection.qhelp

@@ -1,30 +0,0 @@
-<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
-<qhelp>
-    <overview>
-        <p>
-        Using user-supplied information to construct an XPath query for XML data can
-        result in an XPath injection flaw. By sending intentionally malformed information,
-        an attacker can access data that he may not normally have access to.
-        He/She may even be able to elevate his privileges on the web site if the XML data
-        is being used for authentication (such as an XML based user file).
-        </p>
-    </overview>
-    <recommendation>
-        <p>
-        XPath injection can be prevented using parameterized XPath interface or escaping the user input to make it safe to include in a dynamically constructed query.
-        If you are using quotes to terminate untrusted input in a dynamically constructed XPath query, then you need to escape that quote in the untrusted input to ensure the untrusted data can’t try to break out of that quoted context.
-        </p>
-        <p>
-        Another better mitigation option is to use a precompiled XPath query. Precompiled XPath queries are already preset before the program executes, rather than created on the fly after the user’s input has been added to the string. This is a better route because you don’t have to worry about missing a character that should have been escaped.
-        </p>
-    </recommendation>
-    <example>
-        <p>In the example below, the xpath query is controlled by the user and hence leads to a vulnerability.</p>
-        <sample src="xpathBad.py" />
-        <p> This can be fixed by using a parameterized query as shown below.</p>
-        <sample src="xpathGood.py" />
-    </example>
-    <references>
-        <li>OWASP XPath injection : <a href="https://owasp.org/www-community/attacks/XPATH_Injection"></a>/>> </li>
-    </references>
-</qhelp>

python/ql/src/experimental/Security/CWE-643/XpathInjection.ql

@@ -1,33 +0,0 @@
-/**
- * @name XPath query built from user-controlled sources
- * @description Building a XPath query from user-controlled sources is vulnerable to insertion of
- *              malicious Xpath code by the user.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id py/xpath-injection
- * @tags security
- *       external/cwe/cwe-643
- */
-
-private import python
-private import semmle.python.Concepts
-private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.Concepts
-private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.BarrierGuards
-import XpathInjection::XpathInjection
-import DataFlow::PathGraph
-
-class XpathInjectionConfiguration extends TaintTracking::Configuration {
-  XpathInjectionConfiguration() { this = "PathNotNormalizedConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-}
-
-from XpathInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink, source, sink, "This Xpath query depends on $@.", source, "a user-provided value"

python/ql/src/experimental/Security/CWE-643/XpathInjectionCustomizations.qll

@@ -1,105 +0,0 @@
-/**
- * Provides class and predicates to track external data that
- * may represent malicious xpath query objects.
- *
- * This module is intended to be imported into a taint-tracking query.
- */
-
-private import python
-private import semmle.python.Concepts
-private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.Concepts
-private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.BarrierGuards
-
-/** Models Xpath Injection related classes and functions */
-module XpathInjection {
-  /**
-   * A data flow source for "XPath injection" vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for "XPath injection" vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for "XPath injection" vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
-
-  /**
-   * A sanitizer guard for "XPath injection" vulnerabilities.
-   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
-
-  /**
-   * A source of remote user input, considered as a flow source.
-   */
-  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
-
-  /** Returns an API node referring to `lxml.etree` */
-  API::Node etree() { result = API::moduleImport("lxml").getMember("etree") }
-
-  /** Returns an API node referring to `lxml.etree` */
-  API::Node etreeFromString() { result = etree().getMember("fromstring") }
-
-  /** Returns an API node referring to `lxml.etree.parse` */
-  API::Node etreeParse() { result = etree().getMember("parse") }
-
-  /** Returns an API node referring to `lxml.etree.parse` */
-  API::Node libxml2parseFile() { result = API::moduleImport("libxml2").getMember("parseFile") }
-
-  /**
-   * A Sink representing an argument to `etree.XPath` or `etree.ETXPath` call.
-   *
-   *    from lxml import etree
-   *    root = etree.XML("<xmlContent>")
-   *    find_text = etree.XPath("`sink`")
-   *    find_text = etree.ETXPath("`sink`")
-   */
-  private class EtreeXpathArgument extends Sink {
-    EtreeXpathArgument() { this = etree().getMember(["XPath", "ETXPath"]).getACall().getArg(0) }
-  }
-
-  /**
-   * A Sink representing an argument to the `etree.XPath` call.
-   *
-   *    from lxml import etree
-   *    root =  etree.fromstring(file(XML_DB).read(), XMLParser())
-   *    find_text = root.xpath("`sink`")
-   */
-  private class EtreeFromstringXpathArgument extends Sink {
-    EtreeFromstringXpathArgument() {
-      this = etreeFromString().getReturn().getMember("xpath").getACall().getArg(0)
-    }
-  }
-
-  /**
-   * A Sink representing an argument to the `xpath` call to a parsed xml document.
-   *
-   *    from lxml import etree
-   *    from io import StringIO
-   *    f = StringIO('<foo><bar></bar></foo>')
-   *    tree = etree.parse(f)
-   *    r = tree.xpath('`sink`')
-   */
-  private class ParseXpathArgument extends Sink {
-    ParseXpathArgument() { this = etreeParse().getReturn().getMember("xpath").getACall().getArg(0) }
-  }
-
-  /**
-   * A Sink representing an argument to the `xpathEval` call to a parsed libxml2 document.
-   *
-   *    import libxml2
-   *    tree = libxml2.parseFile("file.xml")
-   *    r = tree.xpathEval('`sink`')
-   */
-  private class ParseFileXpathEvalArgument extends Sink {
-    ParseFileXpathEvalArgument() {
-      this = libxml2parseFile().getReturn().getMember("xpathEval").getACall().getArg(0)
-    }
-  }
-}

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -164,6 +164,42 @@ class SqlExecutionTest extends InlineExpectationsTest {
   }
 }
 
+class XPathConstructionTest extends InlineExpectationsTest {
+  XPathConstructionTest() { this = "XPathConstructionTest" }
+
+  override string getARelevantTag() { result = "constructedXPath" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(XML::XPathConstruction e, DataFlow::Node xpath |
+      exists(location.getFile().getRelativePath()) and
+      xpath = e.getXPath() and
+      location = e.getLocation() and
+      element = xpath.toString() and
+      value = prettyNodeForInlineTest(xpath) and
+      tag = "constructedXPath"
+    )
+  }
+}
+
+class XPathExecutionTest extends InlineExpectationsTest {
+  XPathExecutionTest() { this = "XPathExecutionTest" }
+
+  override string getARelevantTag() { result = "getXPath" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(XML::XPathExecution e, DataFlow::Node xpath |
+      exists(location.getFile().getRelativePath()) and
+      xpath = e.getXPath() and
+      location = e.getLocation() and
+      element = xpath.toString() and
+      value = prettyNodeForInlineTest(xpath) and
+      tag = "getXPath"
+    )
+  }
+}
+
 class EscapingTest extends InlineExpectationsTest {
   EscapingTest() { this = "EscapingTest" }
 

python/ql/test/experimental/query-tests/Security/CWE-643/XpathInjection.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE-643/XpathInjection.ql

python/ql/test/library-tests/frameworks/lxml/ConceptsTest.ql

@@ -0,0 +1,2 @@
+import python
+import experimental.meta.ConceptsTest

python/ql/test/library-tests/frameworks/lxml/test.py

@@ -0,0 +1,21 @@
+from lxml import etree
+from io import StringIO
+
+def test_parse():
+    tree = etree.parse(StringIO('<foo><bar></bar></foo>'))
+    r = tree.xpath('/foo/bar')  # $ getXPath='/foo/bar'
+
+def test_XPath_class():
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.XPath("path")  # $ constructedXPath="path"
+    text = find_text(root)[0]
+
+def test_ETXpath_class():
+    root = etree.XML("<root><a>TEXT</a></root>")
+    find_text = etree.ETXPath("path")  # $ constructedXPath="path"
+    text = find_text(root)[0]
+
+def test_XPathEvaluator_class():
+    root = etree.XML("<root><a>TEXT</a></root>")
+    search_root = etree.XPathEvaluator(root)
+    text = search_root("path")[0]  # $ getXPath="path"

python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py

@@ -0,0 +1,17 @@
+match = "dc:title"
+ns = {'dc': 'http://purl.org/dc/elements/1.1/'}
+
+import xml.etree.ElementTree as ET
+tree = ET.parse('country_data.xml')
+root = tree.getroot()
+
+root.find(match, namespaces=ns)  # $ getXPath=match
+root.findall(match, namespaces=ns)  # $ getXPath=match
+root.findtext(match, default=None, namespaces=ns)  # $ getXPath=match
+
+tree = ET.ElementTree()
+tree.parse("index.xhtml")
+
+tree.find(match, namespaces=ns)  # $ getXPath=match
+tree.findall(match, namespaces=ns)  # $ getXPath=match
+tree.findtext(match, default=None, namespaces=ns)  # $ getXPath=match

python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.expected

@@ -1,68 +1,36 @@
 edges
 | xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute |
-| xpathBad.py:9:7:9:13 | ControlFlowNode for request | xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute |
-| xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript |
 | xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript |
 | xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr |
-| xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr |
-| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:11:18:11:24 | ControlFlowNode for request | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:20:18:20:24 | ControlFlowNode for request | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:30:18:30:24 | ControlFlowNode for request | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:39:18:39:24 | ControlFlowNode for request | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute |
 | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery |
-| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery |
 | xpathFlow.py:47:18:47:24 | ControlFlowNode for request | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute |
-| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute |
-| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery |
 | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery |
 nodes
 | xpathBad.py:9:7:9:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathBad.py:9:7:9:13 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | xpathBad.py:10:13:10:23 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| xpathBad.py:10:13:10:32 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
-| xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | xpathBad.py:13:20:13:43 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | xpathFlow.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathFlow.py:11:18:11:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | xpathFlow.py:11:18:11:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
-| xpathFlow.py:14:20:14:29 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
-| xpathFlow.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | xpathFlow.py:20:18:20:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| xpathFlow.py:20:18:20:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
 | xpathFlow.py:23:29:23:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
 | xpathFlow.py:30:18:30:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathFlow.py:30:18:30:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | xpathFlow.py:30:18:30:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
 | xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
-| xpathFlow.py:32:29:32:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
-| xpathFlow.py:39:18:39:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | xpathFlow.py:39:18:39:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| xpathFlow.py:39:18:39:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
 | xpathFlow.py:41:31:41:40 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
 | xpathFlow.py:47:18:47:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
-| xpathFlow.py:47:18:47:24 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
 | xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| xpathFlow.py:47:18:47:29 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
-| xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
 | xpathFlow.py:49:29:49:38 | ControlFlowNode for xpathQuery | semmle.label | ControlFlowNode for xpathQuery |
 subpaths
 #select

python/ql/test/query-tests/Security/CWE-643-XPathInjection/XpathInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-643/XpathInjection.ql