hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add local version of the XXE query

Browse Source
This commit is contained in:
Tony Torralba
2023-02-09 17:07:14 +01:00
parent d55e9d5dac
commit 5555b5cd19
4 changed files with 85 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
java/ql/src/Security/CWE/CWE-611/XXE.ql
View File

@@ -14,41 +14,9 @@
*/
import java
import semmle.code.java.security.XmlParsers
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking2
import semmle.code.java.security.XxeQuery
import DataFlow::PathGraph
class SafeSaxSourceFlowConfig extends TaintTracking2::Configuration {
SafeSaxSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
override predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(XmlParserCall parse).getSink()
}
override int fieldFlowBranchLimit() { result = 0 }
}
class UnsafeXxeSink extends DataFlow::ExprNode {
UnsafeXxeSink() {
not exists(SafeSaxSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
exists(XmlParserCall parse |
parse.getSink() = this.getExpr() and
not parse.isSafe()
)
}
}
class XxeConfig extends TaintTracking::Configuration {
XxeConfig() { this = "XXE.ql::XxeConfig" }
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
}
from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink,

5
java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp Normal file
View File

@@ -0,0 +1,5 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<include src="XXE.qhelp" /></qhelp>

24
java/ql/src/Security/CWE/CWE-611/XXELocal.ql Normal file
View File

@@ -0,0 +1,24 @@
/**
* @name Resolving XML external entity in user-controlled data from local source
* @description Parsing user-controlled XML documents and allowing expansion of external entity
* references may lead to disclosure of confidential data or denial of service.
* @kind path-problem
* @problem.severity recommendation
* @security-severity 9.1
* @precision medium
* @id java/xxe-local
* @tags security
* external/cwe/cwe-611
* external/cwe/cwe-776
* external/cwe/cwe-827
*/
import java
import semmle.code.java.security.XxeQuery
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, XxeLocalConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"XML parsing depends on a $@ without guarding against external entity expansion.",
source.getNode(), "user-provided value"