Removed lxml.etree.XMLParser from xml bomb sinks

This commit is contained in:
Napalys Klicius
2025-07-15 09:54:55 +02:00
parent 887d80f49f
commit 638f6498f0
3 changed files with 4 additions and 20 deletions


@@ -129,11 +129,6 @@ module Lxml {
any(True t)
)
or
kind.isXmlBomb() and
this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t) and
not this.getKeywordParameter("resolve_entities").getAValueReachingSink().asExpr() =
any(False t)
or
kind.isDtdRetrieval() and
this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and
this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t)
@@ -305,9 +300,8 @@ module Lxml {
// note that there is no `resolve_entities` argument, so it's not possible to turn off XXE :O
kind.isXxe()
or
kind.isXmlBomb() and
this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t)
or
// libxml2 has built-in protection against XML bombs via entity reference loop detection,
// so lxml is not vulnerable to XML bomb attacks.
kind.isDtdRetrieval() and
this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and
this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t)
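Review bot: The justification in the added comment does not match the sink being dropped: entity reference loop detection only stops recursively defined entities, while classic XML bomb payloads (billion laughs) are non-recursive and are bounded by libxml2's entity amplification limits, and `huge_tree=True` is documented by lxml as disabling libxml2's security restrictions, i.e. it is the option that relaxes exactly those limits (how far depends on the libxml2 version, which is worth confirming before dropping the sink). If the removal stands, the comment should give the real reason rather than loop detection, e.g. `// libxml2 enforces entity-expansion (amplification) limits by default; huge_tree relaxes them, but this parser is no longer modelled as an XML bomb sink here.`. The same sink removal appears in the first hunk (around line 129), which presumably needs the same justification; both enclosing predicates begin outside their hunks, so the full condition is not visible here.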