Merge pull request #5883 from zbazztian/consider-boxed-booleans-to-avoid-xxe-fps

Consider boxed booleans to avoid false positives for XXE.ql
2025-12-16 16:53:25 +01:00 · 2021-05-12 12:51:22 +02:00
parent 8f152b7380 b05512a958
commit 7974e3ad38
2 changed files with 10 additions and 2 deletions
--- a/java/change-notes/2021-05-12-xxe-fp-fix.md
+++ b/java/change-notes/2021-05-12-xxe-fp-fix.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.
--- a/java/ql/src/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/src/semmle/code/java/security/XmlParsers.qll
@@ -36,7 +36,10 @@ abstract class ParserConfig extends MethodAccess {
   */
  predicate disables(Expr e) {
    this.getArgument(0) = e and
-    this.getArgument(1).(BooleanLiteral).getBooleanValue() = false
+    (
      this.getArgument(1).(BooleanLiteral).getBooleanValue() = false or
      this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "FALSE")
    )
  }
  /**
@@ -44,7 +47,10 @@ abstract class ParserConfig extends MethodAccess {
   */
  predicate enables(Expr e) {
    this.getArgument(0) = e and
-    this.getArgument(1).(BooleanLiteral).getBooleanValue() = true
+    (
      this.getArgument(1).(BooleanLiteral).getBooleanValue() = true or
      this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "TRUE")
    )
  }
 }
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							* The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.