Python: Move last XXE/XML bomb out of experimental

2026-05-05 05:35:13 +02:00 · 2022-04-07 15:36:04 +02:00
parent 405480c410
commit 8191be9d75
6 changed files with 2 additions and 2 deletions
--- a/python/ql/lib/semmle/python/security/dataflow/XmlBombCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XmlBombCustomizations.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "XML bomb"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting "XML bomb"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module XmlBomb {
+  /**
+   * A data flow source for XML-bomb vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for XML-bomb vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for XML-bomb vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for XML bomb vulnerabilities. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * A call to an XML parser that is vulnerable to XML bombs.
+   */
+  class XmlParsingVulnerableToXmlBomb extends Sink {
+    XmlParsingVulnerableToXmlBomb() {
+      exists(XML::XmlParsing parsing, XML::XmlParsingVulnerabilityKind kind |
+        kind.isXmlBomb() and
+        parsing.vulnerableTo(kind) and
+        this = parsing.getAnInput()
+      )
+    }
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XmlBombQuery.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides a taint-tracking configuration for detecting "XML bomb" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `Configuration` is needed, otherwise
+ * `XmlBombCustomizations` should be imported instead.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import XmlBombCustomizations::XmlBomb
+
+/**
+ * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "XmlBomb" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/XxeCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XxeCustomizations.qll
@@ -0,0 +1,49 @@
+/**
+ * Provides default sources, sinks and sanitizers for detecting
+ * "XML External Entity (XXE)"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+/**
+ * Provides default sources, sinks and sanitizers for detecting "XML External Entity (XXE)"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
+module Xxe {
+  /**
+   * A data flow source for XXE vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for XXE vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for XXE vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of remote user input, considered as a flow source for XXE vulnerabilities. */
+  class RemoteFlowSourceAsSource extends Source {
+    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  }
+
+  /**
+   * A call to an XML parser that is vulnerable to XXE.
+   */
+  class XmlParsingVulnerableToXxe extends Sink {
+    XmlParsingVulnerableToXxe() {
+      exists(XML::XmlParsing parsing, XML::XmlParsingVulnerabilityKind kind |
+        kind.isXxe() and
+        parsing.vulnerableTo(kind) and
+        this = parsing.getAnInput()
+      )
+    }
+  }
+}
--- a/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XxeQuery.qll
@@ -0,0 +1,28 @@
+/**
+ * Provides a taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
+ *
+ * Note, for performance reasons: only import this file if
+ * `Configuration` is needed, otherwise
+ * `XxeCustomizations` should be imported instead.
+ */
+
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
+import XxeCustomizations::Xxe
+
+/**
+ * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
+ */
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "Xxe" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    super.isSanitizer(node) or
+    node instanceof Sanitizer
+  }
+}