XXE query

ql/test/query-tests/security/cwe-611/LibXmlRuby.rb

@@ -0,0 +1,16 @@
+class LibXmlRubyXXE < ApplicationController
+
+    content = params[:xml]
+    LibXML::XML::Document.string(content, { options: 2, encoding: 'utf-8' })
+    LibXML::XML::Document.file(content, { options: LibXML::XML::Options::NOENT })
+    LibXML::XML::Document.io(content, { options: XML::Options::NOENT })
+    LibXML::XML::Parser.string(content, { options: 2 })
+    LibXML::XML::Parser.file(content, { options: 3 })
+    LibXML::XML::Parser.io(content, { options: 2 })
+
+    XML::Document.string(content, { options: 2 })
+    XML::Parser.string(content, { options: 2 })
+
+    LibXML::XML::Parser.file(content, { options: 1 }) # OK
+
+end

ql/test/query-tests/security/cwe-611/Nokogiri.rb

@@ -0,0 +1,22 @@
+class NokogiriXXE < ApplicationController
+
+    content = params[:xml]
+
+    Nokogiri::XML::parse(content, nil, nil, 2)
+    Nokogiri::XML::parse(content, nil, nil, 1 | 2)
+    Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions::NOENT)
+    Nokogiri::XML::parse(content, nil, nil, Nokogiri::XML::ParseOptions.new 2)
+    options = Nokogiri::XML::ParseOptions.new 0
+    options.noent
+    Nokogiri::XML::parse(content, nil, nil, options)
+    Nokogiri::XML::parse(content, nil, nil, (Nokogiri::XML::ParseOptions.new 0).noent)
+
+    Nokogiri::XML::parse(content) { |x| x.noent }
+
+    Nokogiri::XML::parse(content) { |x| x.nonet.noent.dtdload }
+
+    Nokogiri::XML::parse(content, nil, nil, 1) # OK
+    Nokogiri::XML::parse(content, nil, nil, 3)
+    Nokogiri::XML::parse(content) { |x| x.nonet.dtdload } # OK
+
+end

ql/test/query-tests/security/cwe-611/Xxe.expected

@@ -0,0 +1,57 @@
+edges
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:4:34:4:40 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:5:32:5:38 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:6:30:6:36 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:7:32:7:38 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:8:30:8:36 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:9:28:9:34 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:11:26:11:32 | content |
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:12:24:12:30 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:5:26:5:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:6:26:6:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:7:26:7:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:8:26:8:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:11:26:11:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:12:26:12:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:14:26:14:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:16:26:16:32 | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:19:26:19:32 | content |
+nodes
+| LibXmlRuby.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
+| LibXmlRuby.rb:4:34:4:40 | content | semmle.label | content |
+| LibXmlRuby.rb:5:32:5:38 | content | semmle.label | content |
+| LibXmlRuby.rb:6:30:6:36 | content | semmle.label | content |
+| LibXmlRuby.rb:7:32:7:38 | content | semmle.label | content |
+| LibXmlRuby.rb:8:30:8:36 | content | semmle.label | content |
+| LibXmlRuby.rb:9:28:9:34 | content | semmle.label | content |
+| LibXmlRuby.rb:11:26:11:32 | content | semmle.label | content |
+| LibXmlRuby.rb:12:24:12:30 | content | semmle.label | content |
+| Nokogiri.rb:3:15:3:20 | call to params :  | semmle.label | call to params :  |
+| Nokogiri.rb:5:26:5:32 | content | semmle.label | content |
+| Nokogiri.rb:6:26:6:32 | content | semmle.label | content |
+| Nokogiri.rb:7:26:7:32 | content | semmle.label | content |
+| Nokogiri.rb:8:26:8:32 | content | semmle.label | content |
+| Nokogiri.rb:11:26:11:32 | content | semmle.label | content |
+| Nokogiri.rb:12:26:12:32 | content | semmle.label | content |
+| Nokogiri.rb:14:26:14:32 | content | semmle.label | content |
+| Nokogiri.rb:16:26:16:32 | content | semmle.label | content |
+| Nokogiri.rb:19:26:19:32 | content | semmle.label | content |
+subpaths
+#select
+| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:4:34:4:40 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:5:32:5:38 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:6:30:6:36 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:7:32:7:38 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:8:30:8:36 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:9:28:9:34 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:11:26:11:32 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params :  | LibXmlRuby.rb:12:24:12:30 | content | Unsafe parsing of XML file from $@. | LibXmlRuby.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:5:26:5:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:6:26:6:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:7:26:7:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:8:26:8:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:11:26:11:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:12:26:12:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:14:26:14:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:14:26:14:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:16:26:16:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |
+| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params :  | Nokogiri.rb:19:26:19:32 | content | Unsafe parsing of XML file from $@. | Nokogiri.rb:3:15:3:20 | call to params | user input |

ql/test/query-tests/security/cwe-611/Xxe.qlref

@@ -0,0 +1 @@
+queries/security/cwe-611/Xxe.ql