JS: split Xxe.qll

2026-05-01 03:35:13 +02:00 · 2019-07-04 09:36:48 +02:00
parent 9d670f7d39
commit 6f6887993c
2 changed files with 59 additions and 44 deletions
--- a/javascript/ql/src/semmle/javascript/security/dataflow/Xxe.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/Xxe.qll
@@ -1,26 +1,16 @@
 /**
- * Provides a taint tracking configuration for reasoning about XML External Entity (XXE)
- * vulnerabilities.
+ * Provides a taint tracking configuration for reasoning about XML
+ * External Entity (XXE) vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `Xxe::Configuration` is needed, otherwise `XxeCustomizations`
+ * should be imported instead.
 */

 import javascript
-import semmle.javascript.security.dataflow.DOM

 module Xxe {
-  /**
-   * A data flow source for XXE vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for XXE vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for XXE vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import XxeCustomizations::Xxe

  /**
   * A taint-tracking configuration for reasoning about XXE vulnerabilities.
@@ -37,31 +27,4 @@ module Xxe {
      node instanceof Sanitizer
    }
  }
-
-  /** A source of remote user input, considered as a flow source for XXE vulnerabilities. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
-
-  /**
-   * An access to `document.location`, considered as a flow source for XXE vulnerabilities.
-   */
-  class LocationAsSource extends Source, DataFlow::ValueNode {
-    LocationAsSource() { isLocation(astNode) }
-  }
-
-  /**
-   * A call to an XML parser that performs external entity expansion, viewed
-   * as a data flow sink for XXE vulnerabilities.
-   */
-  class XmlParsingWithExternalEntityResolution extends Sink, DataFlow::ValueNode {
-    XmlParsingWithExternalEntityResolution() {
-      exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
-        parse.resolvesEntities(XML::ExternalEntity(_))
-        or
-        parse.resolvesEntities(XML::ParameterEntity(true)) and
-        parse.resolvesEntities(XML::InternalEntity())
-      )
-    }
-  }
 }
--- a/javascript/ql/src/semmle/javascript/security/dataflow/XxeCustomizations.qll
+++ b/javascript/ql/src/semmle/javascript/security/dataflow/XxeCustomizations.qll
@@ -0,0 +1,52 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * XML External Entity (XXE) vulnerabilities, as well as extension
+ * points for adding your own.
+ */
+
+import javascript
+import semmle.javascript.security.dataflow.DOM
+
+module Xxe {
+  /**
+   * A data flow source for XXE vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for XXE vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for XXE vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for XXE vulnerabilities. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * An access to `document.location`, considered as a flow source for XXE vulnerabilities.
+   */
+  class LocationAsSource extends Source, DataFlow::ValueNode {
+    LocationAsSource() { isLocation(astNode) }
+  }
+
+  /**
+   * A call to an XML parser that performs external entity expansion, viewed
+   * as a data flow sink for XXE vulnerabilities.
+   */
+  class XmlParsingWithExternalEntityResolution extends Sink, DataFlow::ValueNode {
+    XmlParsingWithExternalEntityResolution() {
+      exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
+        parse.resolvesEntities(XML::ExternalEntity(_))
+        or
+        parse.resolvesEntities(XML::ParameterEntity(true)) and
+        parse.resolvesEntities(XML::InternalEntity())
+      )
+    }
+  }
+}