Upload main structure and initial tests

2026-02-23 18:33:42 +01:00 · 2021-06-22 16:41:08 +02:00
parent 0e61558644
commit 78deec84fc
8 changed files with 220 additions and 0 deletions
--- a/python/ql/src/experimental/semmle/python/Concepts.qll
+++ b/python/ql/src/experimental/semmle/python/Concepts.qll
@@ -13,3 +13,46 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
+
+/** Provides classes for modeling XML parsing APIs. */
+module XMLParsing {
+  /**
+   * A data-flow node that collects functions parsing XML.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XMLParsing` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /**
+     * Gets the argument containing the content to parse.
+     */
+    abstract DataFlow::Node getAnInput();
+
+    /**
+     * Holds if the parser may be parsing the input dangerously.
+     */
+    abstract predicate mayBeDangerous();
+  }
+}
+
+/**
+ * A data-flow node that collects functions setting HTTP Headers' content.
+ *
+ * Extend this class to model new APIs. If you want to refine existing API models,
+ * extend `XMLParsing` instead.
+ */
+class XMLParsing extends DataFlow::Node {
+  XMLParsing::Range range;
+
+  XMLParsing() { this = range }
+
+  /**
+   * Gets the argument containing the content to parse.
+   */
+  DataFlow::Node getAnInput() { result = range.getAnInput() }
+
+  /**
+   * Holds if the parser may be parsing the input dangerously.
+   */
+  predicate mayBeDangerous() { range.mayBeDangerous() }
+}
--- a/python/ql/src/experimental/semmle/python/Frameworks.qll
+++ b/python/ql/src/experimental/semmle/python/Frameworks.qll
@@ -3,3 +3,4 @@
 */

 private import experimental.semmle.python.frameworks.Stdlib
+private import experimental.semmle.python.frameworks.XML
--- a/python/ql/src/experimental/semmle/python/security/XXE.qll
+++ b/python/ql/src/experimental/semmle/python/security/XXE.qll
@@ -0,0 +1,26 @@
+import python
+import experimental.semmle.python.Concepts
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import semmle.python.dataflow.new.RemoteFlowSources
+import semmle.python.dataflow.new.BarrierGuards
+
+/**
+ * A taint-tracking configuration for detecting XML External entities abuse.
+ *
+ * This configuration uses `RemoteFlowSource` as a source because there's no
+ * risk at parsing not user-supplied input without security options enabled.
+ */
+class XXEFlowConfig extends TaintTracking::Configuration {
+  XXEFlowConfig() { this = "XXEFlowConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(XMLParsing xmlParsing | xmlParsing.mayBeDangerous() and sink = xmlParsing.getAnInput())
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof StringConstCompare
+  }
+}