Decouple XsltInjection.qll to reuse the taint tracking configuration

2026-04-30 11:15:13 +02:00 · 2021-07-19 13:16:11 +02:00
parent fc58ada92e
commit 6967b06dee
5 changed files with 43 additions and 54 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -110,6 +110,7 @@ private module Frameworks {
  private import semmle.code.java.security.MvelInjection
  private import semmle.code.java.security.OgnlInjection
  private import semmle.code.java.security.XPath
+  private import semmle.code.java.security.XsltInjectionSinkModels
  private import semmle.code.java.frameworks.android.Android
  private import semmle.code.java.frameworks.android.SQLite
  private import semmle.code.java.frameworks.Jdbc
--- a/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
@@ -11,29 +11,9 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XsltInjection
+import semmle.code.java.security.XsltInjectionQuery
 import DataFlow::PathGraph

-/**
- * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
- */
-class XsltInjectionFlowConfig extends TaintTracking::Configuration {
-  XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, XsltInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "XSLT transformation might include stylesheet from $@.",
--- a/java/ql/src/semmle/code/java/security/XsltInjectionQuery.qll
+++ b/java/ql/src/semmle/code/java/security/XsltInjectionQuery.qll
@@ -1,7 +1,7 @@
 /** Provides classes to reason about XSLT injection vulnerabilities. */

 import java
-import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.dataflow.DataFlow

@@ -11,20 +11,6 @@ import semmle.code.java.dataflow.DataFlow
 */
 abstract class XsltInjectionSink extends DataFlow::Node { }

-private class DefaultXsltInjectionSinkModel extends SinkModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        "javax.xml.transform;Transformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;XsltTransformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;transform;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;applyTemplates;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;callFunction;;;Argument[-1];xslt",
-        "net.sf.saxon.s9api;Xslt30Transformer;false;callTemplate;;;Argument[-1];xslt"
-      ]
-  }
-}
-
 /** A default sink representing methods susceptible to XSLT Injection attacks. */
 private class DefaultXsltInjectionSink extends XsltInjectionSink {
  DefaultXsltInjectionSink() { sinkNode(this, "xslt") }
@@ -59,6 +45,25 @@ private class DefaultXsltInjectionAdditionalTaintStep extends XsltInjectionAddit
  }
 }

+/**
+ * A taint-tracking configuration for unvalidated user input that is used in XSLT transformation.
+ */
+class XsltInjectionFlowConfig extends TaintTracking::Configuration {
+  XsltInjectionFlowConfig() { this = "XsltInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
 /**
 * Holds if `n1` to `n2` is a dataflow step that converts between `InputStream` or `Reader` and
 * `XMLStreamReader`, i.e. `XMLInputFactory.createXMLStreamReader(tainted)`.
--- a/java/ql/src/semmle/code/java/security/XsltInjectionSinkModels.qll
+++ b/java/ql/src/semmle/code/java/security/XsltInjectionSinkModels.qll
@@ -0,0 +1,17 @@
+/** Provides sink models relating to XSLT injection vulnerabilities. */
+
+import semmle.code.java.dataflow.ExternalFlow
+
+private class DefaultXsltInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.transform;Transformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;XsltTransformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;transform;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;applyTemplates;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;callFunction;;;Argument[-1];xslt",
+        "net.sf.saxon.s9api;Xslt30Transformer;false;callTemplate;;;Argument[-1];xslt"
+      ]
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql
@@ -1,25 +1,9 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XsltInjection
+import semmle.code.java.security.XsltInjectionQuery
 import TestUtilities.InlineExpectationsTest

-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "test:cwe:xslt-injection" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XsltInjectionSink }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(XsltInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 class HasXsltInjectionTest extends InlineExpectationsTest {
  HasXsltInjectionTest() { this = "HasXsltInjectionTest" }

@@ -27,7 +11,9 @@ class HasXsltInjectionTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasXsltInjection" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink, XsltInjectionFlowConfig conf |
+      conf.hasFlow(src, sink)
+    |
      sink.getLocation() = location and
      element = sink.toString() and
      value = ""