Python: Add separate query for SimpleXMLRPCServer

This was a rough quick-n-dirty query, and should get some qhelp as well at some point.
2026-05-01 19:55:15 +02:00 · 2022-03-03 19:35:33 +01:00
parent 9406a972cd
commit 7cda901da2
5 changed files with 34 additions and 33 deletions
--- a/python/ql/src/experimental/Security/CWE-611/SimpleXmlRpcServer.ql
+++ b/python/ql/src/experimental/Security/CWE-611/SimpleXmlRpcServer.ql
@@ -0,0 +1,27 @@
+/**
+ * @name SimpleXMLRPCServer DoS vulnerability
+ * @description SimpleXMLRPCServer is vulnerable to DoS attacks from untrusted user input
+ * @kind path-problem
+ * @problem.severity warning
+ * @precision high
+ * @id py/simple-xml-rpc-server
+ * @tags security
+ *       external/cwe/cwe-776
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+from DataFlow::CallCfgNode call, string kinds
+where
+  call = API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall() and
+  kinds =
+    strictconcat(XML::XMLVulnerabilityKind kind |
+      kind.isBillionLaughs() or kind.isQuadraticBlowup()
+    |
+      kind, ", "
+    )
+select call, "SimpleXMLRPCServer is vulnerable to: " + kinds + "."
--- a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -329,34 +329,4 @@ private module Xml {
      (kind.isBillionLaughs() or kind.isQuadraticBlowup())
    }
  }
-
-  /**
-   * Gets a call to `xmlrpc.server.SimpleXMLRPCServer`.
-   *
-   * Given the following example:
-   *
-   * ```py
-   * server = SimpleXMLRPCServer(("127.0.0.1", 8000))
-   * server.register_function(foo, "foo")
-   * server.serve_forever()
-   * ```
-   *
-   * * `this` would be `SimpleXMLRPCServer(("127.0.0.1", 8000))`.
-   * * `getAnInput()`'s result would be `foo`.
-   * * `vulnerable(kind)`'s `kind` would be `Billion Laughs` and `Quadratic Blowup`.
-   */
-  private class XMLRPCServer extends DataFlow::CallCfgNode, XML::XMLParser::Range {
-    XMLRPCServer() {
-      this =
-        API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall()
-    }
-
-    override DataFlow::Node getAnInput() {
-      result = this.getAMethodCall("register_function").getArg(0)
-    }
-
-    override predicate vulnerable(XML::XMLVulnerabilityKind kind) {
-      kind.isBillionLaughs() or kind.isQuadraticBlowup()
-    }
-  }
 }