python: move query

and update reference in query test
2026-04-30 11:15:13 +02:00 · 2022-02-08 11:24:09 +01:00
parent e51ba6f421
commit 88efcff818
7 changed files with 1 additions and 1 deletions
--- a/python/ql/src/experimental/Security/CWE-643/XpathInjection.qhelp
+++ b/python/ql/src/experimental/Security/CWE-643/XpathInjection.qhelp
@@ -1,30 +0,0 @@
-<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
-<qhelp>
-    <overview>
-        <p>
-        Using user-supplied information to construct an XPath query for XML data can
-        result in an XPath injection flaw. By sending intentionally malformed information,
-        an attacker can access data that he may not normally have access to.
-        He/She may even be able to elevate his privileges on the web site if the XML data
-        is being used for authentication (such as an XML based user file).
-        </p>
-    </overview>
-    <recommendation>
-        <p>
-        XPath injection can be prevented using parameterized XPath interface or escaping the user input to make it safe to include in a dynamically constructed query.
-        If you are using quotes to terminate untrusted input in a dynamically constructed XPath query, then you need to escape that quote in the untrusted input to ensure the untrusted data can’t try to break out of that quoted context.
-        </p>
-        <p>
-        Another better mitigation option is to use a precompiled XPath query. Precompiled XPath queries are already preset before the program executes, rather than created on the fly after the user’s input has been added to the string. This is a better route because you don’t have to worry about missing a character that should have been escaped.
-        </p>
-    </recommendation>
-    <example>
-        <p>In the example below, the xpath query is controlled by the user and hence leads to a vulnerability.</p>
-        <sample src="xpathBad.py" />
-        <p> This can be fixed by using a parameterized query as shown below.</p>
-        <sample src="xpathGood.py" />
-    </example>
-    <references>
-        <li>OWASP XPath injection : <a href="https://owasp.org/www-community/attacks/XPATH_Injection"></a>/>> </li>
-    </references>
-</qhelp>
--- a/python/ql/src/experimental/Security/CWE-643/XpathInjection.ql
+++ b/python/ql/src/experimental/Security/CWE-643/XpathInjection.ql
@@ -1,33 +0,0 @@
-/**
- * @name XPath query built from user-controlled sources
- * @description Building a XPath query from user-controlled sources is vulnerable to insertion of
- *              malicious Xpath code by the user.
- * @kind path-problem
- * @problem.severity error
- * @precision high
- * @id py/xpath-injection
- * @tags security
- *       external/cwe/cwe-643
- */
-
-private import python
-private import semmle.python.Concepts
-private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.Concepts
-private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.BarrierGuards
-import XpathInjection::XpathInjection
-import DataFlow::PathGraph
-
-class XpathInjectionConfiguration extends TaintTracking::Configuration {
-  XpathInjectionConfiguration() { this = "PathNotNormalizedConfiguration" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-}
-
-from XpathInjectionConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink, source, sink, "This Xpath query depends on $@.", source, "a user-provided value"
--- a/python/ql/src/experimental/Security/CWE-643/XpathInjection.qll
+++ b/python/ql/src/experimental/Security/CWE-643/XpathInjection.qll
@@ -1,35 +0,0 @@
-/**
- * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- *
- * Note, for performance reasons: only import this file if
- * `XpathInjection::Configuration` is needed, otherwise
- * `XpathInjectionCustomizations` should be imported instead.
- */
-
-private import python
-import semmle.python.dataflow.new.DataFlow
-import semmle.python.dataflow.new.TaintTracking
-
-/**
- * Provides a taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
- */
-module XpathInjection {
-  import XpathInjectionCustomizations::XpathInjection
-
-  /**
-   * A taint-tracking configuration for detecting "Xpath Injection" vulnerabilities.
-   */
-  class Configuration extends TaintTracking::Configuration {
-    Configuration() { this = "Xpath Injection" }
-
-    override predicate isSource(DataFlow::Node source) { source instanceof Source }
-
-    override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
-
-    override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
-
-    override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof SanitizerGuard
-    }
-  }
-}
--- a/python/ql/src/experimental/Security/CWE-643/XpathInjectionCustomizations.qll
+++ b/python/ql/src/experimental/Security/CWE-643/XpathInjectionCustomizations.qll
@@ -1,105 +0,0 @@
-/**
- * Provides class and predicates to track external data that
- * may represent malicious xpath query objects.
- *
- * This module is intended to be imported into a taint-tracking query.
- */
-
-private import python
-private import semmle.python.Concepts
-private import semmle.python.dataflow.new.TaintTracking
-private import semmle.python.Concepts
-private import semmle.python.ApiGraphs
-private import semmle.python.dataflow.new.RemoteFlowSources
-private import semmle.python.dataflow.new.BarrierGuards
-
-/** Models Xpath Injection related classes and functions */
-module XpathInjection {
-  /**
-   * A data flow source for "XPath injection" vulnerabilities.
-   */
-  abstract class Source extends DataFlow::Node { }
-
-  /**
-   * A data flow sink for "XPath injection" vulnerabilities.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for "XPath injection" vulnerabilities.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
-
-  /**
-   * A sanitizer guard for "XPath injection" vulnerabilities.
-   */
-  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
-
-  /**
-   * A source of remote user input, considered as a flow source.
-   */
-  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
-
-  /** Returns an API node referring to `lxml.etree` */
-  API::Node etree() { result = API::moduleImport("lxml").getMember("etree") }
-
-  /** Returns an API node referring to `lxml.etree` */
-  API::Node etreeFromString() { result = etree().getMember("fromstring") }
-
-  /** Returns an API node referring to `lxml.etree.parse` */
-  API::Node etreeParse() { result = etree().getMember("parse") }
-
-  /** Returns an API node referring to `lxml.etree.parse` */
-  API::Node libxml2parseFile() { result = API::moduleImport("libxml2").getMember("parseFile") }
-
-  /**
-   * A Sink representing an argument to `etree.XPath` or `etree.ETXPath` call.
-   *
-   *    from lxml import etree
-   *    root = etree.XML("<xmlContent>")
-   *    find_text = etree.XPath("`sink`")
-   *    find_text = etree.ETXPath("`sink`")
-   */
-  private class EtreeXpathArgument extends Sink {
-    EtreeXpathArgument() { this = etree().getMember(["XPath", "ETXPath"]).getACall().getArg(0) }
-  }
-
-  /**
-   * A Sink representing an argument to the `etree.XPath` call.
-   *
-   *    from lxml import etree
-   *    root =  etree.fromstring(file(XML_DB).read(), XMLParser())
-   *    find_text = root.xpath("`sink`")
-   */
-  private class EtreeFromstringXpathArgument extends Sink {
-    EtreeFromstringXpathArgument() {
-      this = etreeFromString().getReturn().getMember("xpath").getACall().getArg(0)
-    }
-  }
-
-  /**
-   * A Sink representing an argument to the `xpath` call to a parsed xml document.
-   *
-   *    from lxml import etree
-   *    from io import StringIO
-   *    f = StringIO('<foo><bar></bar></foo>')
-   *    tree = etree.parse(f)
-   *    r = tree.xpath('`sink`')
-   */
-  private class ParseXpathArgument extends Sink {
-    ParseXpathArgument() { this = etreeParse().getReturn().getMember("xpath").getACall().getArg(0) }
-  }
-
-  /**
-   * A Sink representing an argument to the `xpathEval` call to a parsed libxml2 document.
-   *
-   *    import libxml2
-   *    tree = libxml2.parseFile("file.xml")
-   *    r = tree.xpathEval('`sink`')
-   */
-  private class ParseFileXpathEvalArgument extends Sink {
-    ParseFileXpathEvalArgument() {
-      this = libxml2parseFile().getReturn().getMember("xpathEval").getACall().getArg(0)
-    }
-  }
-}
--- a/python/ql/src/experimental/Security/CWE-643/xpathBad.py
+++ b/python/ql/src/experimental/Security/CWE-643/xpathBad.py
@@ -1,18 +0,0 @@
-from lxml import etree
-from io import StringIO
-
-from django.urls import path
-from django.http import HttpResponse
-from django.template import Template, Context, Engine, engines
-
-
-def a(request):
-    value = request.GET['xpath']
-    f = StringIO('<foo><bar></bar></foo>')
-    tree = etree.parse(f)
-    r = tree.xpath("/tag[@id='%s']" % value)
-
-
-urlpatterns = [
-    path('a', a)
-]
--- a/python/ql/src/experimental/Security/CWE-643/xpathGood.py
+++ b/python/ql/src/experimental/Security/CWE-643/xpathGood.py
@@ -1,18 +0,0 @@
-from lxml import etree
-from io import StringIO
-
-from django.urls import path
-from django.http import HttpResponse
-from django.template import Template, Context, Engine, engines
-
-
-def a(request):
-    value = request.GET['xpath']
-    f = StringIO('<foo><bar></bar></foo>')
-    tree = etree.parse(f)
-    r = tree.xpath("/tag[@id=$tagid]", tagid=value)
-
-
-urlpatterns = [
-    path('a', a)
-]