Python: Properly model xml.etree

This commit is contained in:
Rasmus Wriedt Larsen
2022-03-03 15:06:55 +01:00
parent 703e3e8a0f
commit 61291936bf
2 changed files with 11 additions and 1 deletions


@@ -24,7 +24,9 @@ private module Xml {
override DataFlow::Node getAnInput() { none() }
override predicate vulnerable(XML::XMLVulnerabilityKind kind) { none() }
override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
kind.isBillionLaughs() or kind.isQuadraticBlowup()
}
}
/**
@@ -58,6 +60,9 @@ private module Xml {
override DataFlow::Node getAnInput() { result = this.getArg(0) }
override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
not exists(this.getArgByName("parser")) and
(kind.isBillionLaughs() or kind.isQuadraticBlowup())
or
exists(XML::XMLParser xmlParser |
xmlParser = this.getArgByName("parser").getALocalSource() and xmlParser.vulnerable(kind)
)
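Review bot: Both uses of `this.getArgByName("parser")` in this hunk match only a keyword argument (that is how I read the DataFlow call API), so a parser passed positionally, e.g. `ET.fromstring(data, my_parser)`, satisfies `not exists(this.getArgByName("parser"))` and the call is modelled as using the default parser: a parser the model considers safe would still be reported for Billion Laughs/Quadratic Blowup, and a vulnerable one would never be checked through the `XML::XMLParser` branch. Consider resolving the argument through one helper that covers both spellings, `DataFlow::Node getParserArg() { result = this.getArg(<PARSER_POSITION>) or result = this.getArgByName("parser") }`, and use `this.getParserArg()` in both places; the positional index depends on which ElementTree function this class models, and the class header is outside the hunk. A second, smaller gap: when a `parser` argument is present but `getALocalSource()` does not resolve it to an `XML::XMLParser`, neither disjunct holds and the call is treated as safe, so a one-line comment such as `// an unresolved parser argument is deliberately not flagged` would document whether that false-negative-leaning choice is intended. The `vulnerable` predicate's closing brace lies outside the hunk.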


@@ -242,6 +242,11 @@ subpaths
| xml_dom.py:21:40:21:50 | ControlFlowNode for xml_content | xml_dom.py:19:19:19:25 | ControlFlowNode for request | xml_dom.py:21:40:21:50 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_dom.py:21:40:21:50 | ControlFlowNode for xml_content | This | xml_dom.py:19:19:19:25 | ControlFlowNode for request | user-provided value |
| xml_dom.py:27:34:27:54 | ControlFlowNode for StringIO() | xml_dom.py:25:19:25:25 | ControlFlowNode for request | xml_dom.py:27:34:27:54 | ControlFlowNode for StringIO() | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_dom.py:27:34:27:54 | ControlFlowNode for StringIO() | This | xml_dom.py:25:19:25:25 | ControlFlowNode for request | user-provided value |
| xml_dom.py:33:40:33:50 | ControlFlowNode for xml_content | xml_dom.py:31:19:31:25 | ControlFlowNode for request | xml_dom.py:33:40:33:50 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_dom.py:33:40:33:50 | ControlFlowNode for xml_content | This | xml_dom.py:31:19:31:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:15:45:15:55 | ControlFlowNode for xml_content | xml_etree.py:13:19:13:25 | ControlFlowNode for request | xml_etree.py:15:45:15:55 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_etree.py:15:45:15:55 | ControlFlowNode for xml_content | This | xml_etree.py:13:19:13:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:21:49:21:59 | ControlFlowNode for xml_content | xml_etree.py:19:19:19:25 | ControlFlowNode for request | xml_etree.py:21:49:21:59 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_etree.py:21:49:21:59 | ControlFlowNode for xml_content | This | xml_etree.py:19:19:19:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:27:38:27:48 | ControlFlowNode for xml_content | xml_etree.py:25:19:25:25 | ControlFlowNode for request | xml_etree.py:27:38:27:48 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_etree.py:27:38:27:48 | ControlFlowNode for xml_content | This | xml_etree.py:25:19:25:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:33:40:33:60 | ControlFlowNode for StringIO() | xml_etree.py:31:19:31:25 | ControlFlowNode for request | xml_etree.py:33:40:33:60 | ControlFlowNode for StringIO() | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_etree.py:33:40:33:60 | ControlFlowNode for StringIO() | This | xml_etree.py:31:19:31:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:42:45:42:55 | ControlFlowNode for xml_content | xml_etree.py:39:19:39:25 | ControlFlowNode for request | xml_etree.py:42:45:42:55 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_etree.py:42:45:42:55 | ControlFlowNode for xml_content | This | xml_etree.py:39:19:39:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:49:45:49:55 | ControlFlowNode for xml_content | xml_etree.py:46:19:46:25 | ControlFlowNode for request | xml_etree.py:49:45:49:55 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: XXE. | xml_etree.py:49:45:49:55 | ControlFlowNode for xml_content | This | xml_etree.py:46:19:46:25 | ControlFlowNode for request | user-provided value |
| xml_etree.py:56:45:56:55 | ControlFlowNode for xml_content | xml_etree.py:53:19:53:25 | ControlFlowNode for request | xml_etree.py:56:45:56:55 | ControlFlowNode for xml_content | $@ XML input is constructed from a $@ and is vulnerable to: XXE. | xml_etree.py:56:45:56:55 | ControlFlowNode for xml_content | This | xml_etree.py:53:19:53:25 | ControlFlowNode for request | user-provided value |
| xml_sax_make_parser.py:36:18:36:38 | ControlFlowNode for StringIO() | xml_sax_make_parser.py:31:19:31:25 | ControlFlowNode for request | xml_sax_make_parser.py:36:18:36:38 | ControlFlowNode for StringIO() | $@ XML input is constructed from a $@ and is vulnerable to: Billion Laughs, Quadratic Blowup. | xml_sax_make_parser.py:36:18:36:38 | ControlFlowNode for StringIO() | This | xml_sax_make_parser.py:31:19:31:25 | ControlFlowNode for request | user-provided value |