Add XPathInjectionQuery

2026-04-30 11:15:13 +02:00 · 2023-04-20 17:14:43 -04:00
parent c15ce27957
commit c2b6a3f4e0
4 changed files with 23 additions and 24 deletions
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -2,4 +2,5 @@
 category: minorAnalysis
 ---
 * Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
+* Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
 * Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
--- a/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/XPathInjectionQuery.qll
@@ -0,0 +1,19 @@
+/** Provides taint-tracking flow to reason about XPath injection queries. */
+
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.XPath
+
+/**
+ * A taint-tracking configuration for reasoning about XPath injection vulnerabilities.
+ */
+module XPathInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
+/**
+ * Taint-tracking flow for XPath injection vulnerabilities.
+ */
+module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -12,18 +12,7 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XPath
-
-module XPathInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
-
-module XPathInjectionFlow = TaintTracking::Global<XPathInjectionConfig>;
-
+import semmle.code.java.security.XPathInjectionQuery
 import XPathInjectionFlow::PathGraph

 from XPathInjectionFlow::PathNode source, XPathInjectionFlow::PathNode sink
--- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql
+++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql
@@ -1,17 +1,7 @@
 import java
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XPath
+import semmle.code.java.security.XPathInjectionQuery
 import TestUtilities.InlineExpectationsTest

-module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
-}
-
-module Flow = TaintTracking::Global<Config>;
-
 class HasXPathInjectionTest extends InlineExpectationsTest {
  HasXPathInjectionTest() { this = "HasXPathInjectionTest" }

@@ -19,7 +9,7 @@ class HasXPathInjectionTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "hasXPathInjection" and
-    exists(DataFlow::Node sink | Flow::flowTo(sink) |
+    exists(DataFlow::Node sink | XPathInjectionFlow::flowTo(sink) |
      sink.getLocation() = location and
      element = sink.toString() and
      value = ""