Merge pull request #20048 from Napalys/js/xml_bomb_sinks

JS: Exclude patched libraries from `xml-bomb` sink
This commit is contained in:
Napalys Klicius
2025-08-29 08:10:55 +02:00
committed by GitHub
11 changed files with 23 additions and 39 deletions


@@ -129,11 +129,6 @@ module Lxml {
any(True t)
)
or
kind.isXmlBomb() and
this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t) and
not this.getKeywordParameter("resolve_entities").getAValueReachingSink().asExpr() =
any(False t)
or
kind.isDtdRetrieval() and
this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and
this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t)
@@ -305,9 +300,8 @@ module Lxml {
// note that there is no `resolve_entities` argument, so it's not possible to turn off XXE :O
kind.isXxe()
or
kind.isXmlBomb() and
this.getKeywordParameter("huge_tree").getAValueReachingSink().asExpr() = any(True t)
or
// libxml2 has built-in protection against XML bombs via entity reference loop detection,
// so lxml is not vulnerable to XML bomb attacks.
kind.isDtdRetrieval() and
this.getKeywordParameter("load_dtd").getAValueReachingSink().asExpr() = any(True t) and
this.getKeywordParameter("no_network").getAValueReachingSink().asExpr() = any(False t)
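Review bot: The rationale comment added in the second hunk (`// libxml2 has built-in protection against XML bombs ...`) is missing from the first hunk, which drops the same `kind.isXmlBomb()` branch around line 129 without any explanation; add the same comment there so both call sites document why `huge_tree` is no longer an xml-bomb sink. The wording is also imprecise: entity reference loop detection rejects recursive entity cycles, whereas classic billion-laughs payloads are non-recursive exponential expansion that libxml2 bounds through its entity-expansion (amplification) limits, so the comment should name that mechanism, e.g. `// libxml2 limits entity expansion (amplification checks), so lxml is not treated as vulnerable to XML bombs.` As far as I recall, some older libxml2 releases relaxed or skipped that check when XML_PARSE_HUGE (what lxml's `huge_tree=True` maps to) was set, which is exactly the option the removed sink keyed on, so the comment should state the minimum libxml2 version the rationale assumes. The enclosing predicate starts before and ends after both hunks.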