hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

include sugestions from review

Browse Source
This commit is contained in:
Porcupiney Hairs
2020-06-08 02:52:11 +05:30
parent 8c5a97170d
commit 424e88d318
13 changed files with 115 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
python/ql/src/experimental/CWE-643/xpath.qhelp
View File

@@ -1,32 +1,30 @@
<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
<qhelp>
<overview>
Using user-supplied information to construct an XPath query for XML data can
<p>
Using user-supplied information to construct an XPath query for XML data can
result in an XPath injection flaw. By sending intentionally malformed information,
an attacker can access data that he may not normally have access to.
He/She may even be able to elevate his privileges on the web site if the XML data
an attacker can access data that he may not normally have access to.
He/She may even be able to elevate his privileges on the web site if the XML data
is being used for authentication (such as an XML based user file).
</p>
</overview>
<recommendation>
<p>
XPath injection can be prevented using parameterized XPath interface or escaping the user input to make it safe to include in a dynamically constructed query.
If you are using quotes to terminate untrusted input in a dynamically constructed XPath query, then you need to escape that quote in the untrusted input to ensure the untrusted data cant try to break out of that quoted context.
XPath injection can be prevented using parameterized XPath interface or escaping the user input to make it safe to include in a dynamically constructed query.
If you are using quotes to terminate untrusted input in a dynamically constructed XPath query, then you need to escape that quote in the untrusted input to ensure the untrusted data cant try to break out of that quoted context.
</p>
<p>
Another better mitigation option is to use a precompiled XPath query. Precompiled XPath queries are already preset before the program executes, rather than created on the fly after the users input has been added to the string. This is a better route because you dont have to worry about missing a character that should have been escaped.
</p>
<example>
<p>In the example below, the xpath query is controlled by the user and hence leads to a vulnerability.</p>
<sample src="xpath.py" />
</example>
<references>
<li>OWASP XPath injection : <a href="https://owasp.org/www-community/attacks/XPATH_Injection"></a>/>> </li>
</references>
</recommendation>
<example>
<p>In the example below, the xpath query is controlled by the user and hence leads to a vulnerability.</p>
<sample src="xpathBad.py" />
</example>
<p> This can be fixed by using a parameterized query as shown below.</p>
<sample src="xpathGood.py" />
<references>
<li>OWASP XPath injection : <a href="https://owasp.org/www-community/attacks/XPATH_Injection"></a>/>> </li>
</references>
</qhelp>

4
python/ql/src/experimental/CWE-643/xpath.py → python/ql/src/experimental/CWE-643/xpathBad.py
View File

@@ -7,10 +7,10 @@ from django.template import Template, Context, Engine, engines
def a(request):
xpathQuery = request.GET['xpath']
value = request.GET['xpath']
f = StringIO('<foo><bar></bar></foo>')
tree = etree.parse(f)
r = tree.xpath(xpathQuery)
r = tree.xpath("/tag[@id='%s']" % value)
urlpatterns = [

18
python/ql/src/experimental/CWE-643/xpathGood.py Normal file
View File

@@ -0,0 +1,18 @@
from lxml import etree
from io import StringIO
from django.urls import path
from django.http import HttpResponse
from django.template import Template, Context, Engine, engines
def a(request):
value = request.GET['xpath']
f = StringIO('<foo><bar></bar></foo>')
tree = etree.parse(f)
r = tree.xpath("/tag[@id=$tagid]", tagid=value)
urlpatterns = [
path('a', a)
]

34
python/ql/src/experimental/semmle/python/security/injection/Xpath.qll
View File

@@ -7,7 +7,7 @@
*/
import python
import semmle.python.security.TaintTracking
import semmle.python.dataflow.TaintTracking
import semmle.python.web.HttpRequest
/** Models Xpath Injection related classes and functions */
@@ -29,11 +29,7 @@ module XpathInjection {
override string toString() { result = "lxml.etree.Xpath" }
EtreeXpathArgument() {
exists(CallNode call, AttrNode atr |
atr = etree().getAReference().getASuccessor() and
atr.getName() = "XPath" and
atr = call.getFunction()
|
exists(CallNode call | call.getFunction().(AttrNode).getObject("XPath").pointsTo(etree()) |
call.getArg(0) = this
)
}
@@ -52,11 +48,7 @@ module XpathInjection {
override string toString() { result = "lxml.etree.ETXpath" }
EtreeETXpathArgument() {
exists(CallNode call, AttrNode atr |
atr = etree().getAReference().getASuccessor() and
atr.getName() = "ETXPath" and
atr = call.getFunction()
|
exists(CallNode call | call.getFunction().(AttrNode).getObject("ETXPath").pointsTo(etree()) |
call.getArg(0) = this
)
}
@@ -77,17 +69,15 @@ module XpathInjection {
override string toString() { result = "lxml.etree.parse.xpath" }
ParseXpathArgument() {
exists(CallNode parseCall, AttrNode parse, string s |
parse = etree().getAReference().getASuccessor() and
parse.getName() = "parse" and
parse = parseCall.getFunction() and
exists(CallNode xpathCall, AttrNode xpath |
xpath = parseCall.getASuccessor*() and
xpath.getName() = "xpath" and
xpath = xpathCall.getFunction() and
s = xpath.getName() and
this = xpathCall.getArg(0)
)
exists(
CallNode parseCall, CallNode xpathCall, ControlFlowNode obj, Variable var, AssignStmt assign
|
parseCall.getFunction().(AttrNode).getObject("parse").pointsTo(etree()) and
assign.getValue().(Call).getAFlowNode() = parseCall and
xpathCall.getFunction().(AttrNode).getObject("xpath") = obj and
var.getAUse() = obj and
assign.getATarget() = var.getAStore() and
xpathCall.getArg(0) = this
)
}