mirror of
https://github.com/github/codeql.git
synced 2026-05-02 12:15:17 +02:00
Add local version of the XXE query
This commit is contained in:
Tony Torralba
55
java/ql/lib/semmle/code/java/security/XxeQuery.qll
Normal file
55
java/ql/lib/semmle/code/java/security/XxeQuery.qll
Normal file
@@ -0,0 +1,55 @@
|
||||
/** Provides taint tracking configurations to be used in XXE queries. */
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.TaintTracking2
|
||||
import semmle.code.java.security.XmlParsers
|
||||
import DataFlow::PathGraph
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
|
||||
*/
|
||||
class XxeConfig extends TaintTracking::Configuration {
|
||||
XxeConfig() { this = "XxeConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
|
||||
*/
|
||||
class XxeLocalConfig extends TaintTracking::Configuration {
|
||||
XxeLocalConfig() { this = "XxeLocalConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
private class UnsafeXxeSink extends DataFlow::ExprNode {
|
||||
UnsafeXxeSink() {
|
||||
not exists(SafeSaxSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
|
||||
exists(XmlParserCall parse |
|
||||
parse.getSink() = this.getExpr() and
|
||||
not parse.isSafe()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for safe XML readers used to parse XML documents.
|
||||
*/
|
||||
private class SafeSaxSourceFlowConfig extends TaintTracking2::Configuration {
|
||||
SafeSaxSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(XmlParserCall parse).getSink()
|
||||
}
|
||||
|
||||
override int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
@@ -14,41 +14,9 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.XmlParsers
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import semmle.code.java.dataflow.TaintTracking2
|
||||
import semmle.code.java.security.XxeQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
class SafeSaxSourceFlowConfig extends TaintTracking2::Configuration {
|
||||
SafeSaxSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr() = any(XmlParserCall parse).getSink()
|
||||
}
|
||||
|
||||
override int fieldFlowBranchLimit() { result = 0 }
|
||||
}
|
||||
|
||||
class UnsafeXxeSink extends DataFlow::ExprNode {
|
||||
UnsafeXxeSink() {
|
||||
not exists(SafeSaxSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
|
||||
exists(XmlParserCall parse |
|
||||
parse.getSink() = this.getExpr() and
|
||||
not parse.isSafe()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
class XxeConfig extends TaintTracking::Configuration {
|
||||
XxeConfig() { this = "XXE.ql::XxeConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
|
||||
}
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
|
||||
5
java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp
Normal file
5
java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp
Normal file
@@ -0,0 +1,5 @@
|
||||
<!DOCTYPE qhelp PUBLIC
|
||||
"-//Semmle//qhelp//EN"
|
||||
"qhelp.dtd">
|
||||
<qhelp>
|
||||
<include src="XXE.qhelp" /></qhelp>
|
||||
24
java/ql/src/Security/CWE/CWE-611/XXELocal.ql
Normal file
24
java/ql/src/Security/CWE/CWE-611/XXELocal.ql
Normal file
@@ -0,0 +1,24 @@
|
||||
/**
|
||||
* @name Resolving XML external entity in user-controlled data from local source
|
||||
* @description Parsing user-controlled XML documents and allowing expansion of external entity
|
||||
* references may lead to disclosure of confidential data or denial of service.
|
||||
* @kind path-problem
|
||||
* @problem.severity recommendation
|
||||
* @security-severity 9.1
|
||||
* @precision medium
|
||||
* @id java/xxe-local
|
||||
* @tags security
|
||||
* external/cwe/cwe-611
|
||||
* external/cwe/cwe-776
|
||||
* external/cwe/cwe-827
|
||||
*/
|
||||
|
||||
import java
|
||||
import semmle.code.java.security.XxeQuery
|
||||
import DataFlow::PathGraph
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, XxeLocalConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"XML parsing depends on a $@ without guarding against external entity expansion.",
|
||||
source.getNode(), "user-provided value"
|
||||
Reference in New Issue
Block a user