XmlInjection -> XmlEntityInjection

2025-12-24 04:36:35 +01:00 · 2022-02-09 13:28:56 +01:00
parent b00051e4ab
commit 85b5ef36ae
8 changed files with 18 additions and 16 deletions
--- a/python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.py
+++ b/python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.py
--- a/python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.qhelp
@@ -26,7 +26,7 @@ to prevent any potentially malicious operation.
 The following example calls <code>xml.etree.ElementTree.fromstring</code> using a parser (<code>lxml.etree.XMLParser</code>)
 that is not safely configured on untrusted data, and is therefore inherently unsafe.
 </p>
-<sample src="XmlInjection.py"/>
+<sample src="XmlEntityInjection.py"/>
 <p>
 Providing an input (<code>xml_content</code>) like the following XML content against /bad, the request response would contain the contents of
 <code>/etc/passwd</code>.
--- a/python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.ql
@@ -1,9 +1,9 @@
 /**
- * @name XML injection
- * @description User input should not be parsed without security options enabled.
+ * @name XML Entity injection
+ * @description User input should not be parsed allowing the injection of entities.
 * @kind path-problem
 * @problem.severity error
- * @id py/xml-injection
+ * @id py/xml-entity-injection
 * @tags security
 *       external/cwe/cwe-611
 *       external/cwe/cwe-776
@@ -12,11 +12,11 @@

 // determine precision above
 import python
-import experimental.semmle.python.security.dataflow.XmlInjection
+import experimental.semmle.python.security.dataflow.XmlEntityInjection
 import DataFlow::PathGraph

 from DataFlow::PathNode source, DataFlow::PathNode sink, string kind
-where XmlInjection::xmlInjectionVulnerable(source, sink, kind)
+where XmlEntityInjection::xmlEntityInjectionVulnerable(source, sink, kind)
 select sink.getNode(), source, sink,
  "$@ XML input is constructed from a $@ and is vulnerable to " + kind + ".", sink.getNode(),
  "This", source.getNode(), "user-provided value"
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjection.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjection.qll
@@ -5,11 +5,11 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.BarrierGuards

-module XmlInjection {
-  import XmlInjectionCustomizations::XmlInjection
+module XmlEntityInjection {
+  import XmlEntityInjectionCustomizations::XmlEntityInjection

-  class XMLInjectionConfiguration extends TaintTracking::Configuration {
-    XMLInjectionConfiguration() { this = "XMLInjectionConfiguration" }
+  class XmlEntityInjectionConfiguration extends TaintTracking::Configuration {
+    XmlEntityInjectionConfiguration() { this = "XmlEntityInjectionConfiguration" }

    override predicate isSource(DataFlow::Node source) {
      source instanceof RemoteFlowSourceAsSource
@@ -29,13 +29,15 @@ module XmlInjection {
  private import DataFlow::PathGraph

  /** Holds if there is an XML injection from `source` to `sink` */
-  predicate xmlInjection(DataFlow::PathNode source, DataFlow::PathNode sink) {
-    any(XMLInjectionConfiguration xmlInjectionConfig).hasFlowPath(source, sink)
+  predicate xmlEntityInjection(DataFlow::PathNode source, DataFlow::PathNode sink) {
+    any(XmlEntityInjectionConfiguration x).hasFlowPath(source, sink)
  }

  /** Holds if there is an XML injection from `source` to `sink` vulnerable to `kind` */
-  predicate xmlInjectionVulnerable(DataFlow::PathNode source, DataFlow::PathNode sink, string kind) {
-    xmlInjection(source, sink) and
+  predicate xmlEntityInjectionVulnerable(
+    DataFlow::PathNode source, DataFlow::PathNode sink, string kind
+  ) {
+    xmlEntityInjection(source, sink) and
    (
      xmlParsingInputAsVulnerableSink(sink.getNode(), kind) or
      xmlParserInputAsVulnerableSink(sink.getNode(), kind)
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjectionCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlEntityInjectionCustomizations.qll
@@ -15,7 +15,7 @@ private import semmle.python.ApiGraphs
 * Provides default sources, sinks and sanitizers for detecting "xml injection"
 * vulnerabilities, as well as extension points for adding your own.
 */
-module XmlInjection {
+module XmlEntityInjection {
  /**
   * A data flow source for "xml injection" vulnerabilities.
   */
--- a/python/ql/test/experimental/query-tests/Security/CWE-611/XmlEntityInjection.expected
+++ b/python/ql/test/experimental/query-tests/Security/CWE-611/XmlEntityInjection.expected
--- a/python/ql/test/experimental/query-tests/Security/CWE-611/XmlEntityInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-611/XmlEntityInjection.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE-611/XmlEntityInjection.ql
--- a/python/ql/test/experimental/query-tests/Security/CWE-611/XmlInjection.qlref
+++ b/python/ql/test/experimental/query-tests/Security/CWE-611/XmlInjection.qlref
@@ -1 +0,0 @@
-experimental/Security/CWE-611/XmlInjection.ql
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE-611/XmlEntityInjection.ql`
				`@@ -1 +0,0 @@`
				`experimental/Security/CWE-611/XmlInjection.ql`