Add markupsafe as XXE sanitizer

Co-authored-by: Kevin Stubbings <Kwstubbs@users.noreply.github.com>
2026-01-05 18:50:23 +01:00 · 2023-07-05 20:23:20 +02:00
parent c10a66809d
commit c82ab2b2ab
5 changed files with 46 additions and 24 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -680,6 +680,9 @@ module Escaping {
  /** Gets the escape-kind for escaping a string so it can safely be included in HTML. */
  string getHtmlKind() { result = "html" }

+  /** Gets the escape-kind for escaping a string so it can safely be included in XML. */
+  string getXmlKind() { result = "xml" }
+
  /** Gets the escape-kind for escaping a string so it can safely be included in a regular expression. */
  string getRegexKind() { result = "regex" }

@@ -710,6 +713,15 @@ class HtmlEscaping extends Escaping {
  HtmlEscaping() { super.getKind() = Escaping::getHtmlKind() }
 }

+/**
+ * An escape of a string so it can be safely included in
+ * the body of an XML element, for example, replacing `&` and `<>` in
+ * `<foo>&xxe;<foo>`.
+ */
+class XmlEscaping extends Escaping {
+  XmlEscaping() { super.getKind() = Escaping::getXmlKind() }
+}
+
 /**
 * An escape of a string so it can be safely included in
 * the body of a regex.
--- a/python/ql/lib/semmle/python/frameworks/MarkupSafe.qll
+++ b/python/ql/lib/semmle/python/frameworks/MarkupSafe.qll
@@ -83,7 +83,7 @@ private module MarkupSafeModel {
    }

    /** Taint propagation for `markupsafe.Markup`. */
-    private class AddtionalTaintStep extends TaintTracking::AdditionalTaintStep {
+    private class AdditionalTaintStep extends TaintTracking::AdditionalTaintStep {
      override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
        nodeTo.(ClassInstantiation).getArg(0) = nodeFrom
      }
@@ -92,11 +92,7 @@ private module MarkupSafeModel {

  /** Any escaping performed via the `markupsafe` package. */
  abstract private class MarkupSafeEscape extends Escaping::Range {
-    override string getKind() {
-      // TODO: this package claims to escape for both HTML and XML, but for now we don't
-      // model XML.
-      result = Escaping::getHtmlKind()
-    }
+    override string getKind() { result in [Escaping::getHtmlKind(), Escaping::getXmlKind()] }
  }

  /** A call to any of the escaping functions in `markupsafe` */
--- a/python/ql/lib/semmle/python/security/dataflow/XxeCustomizations.qll
+++ b/python/ql/lib/semmle/python/security/dataflow/XxeCustomizations.qll
@@ -44,4 +44,11 @@ module Xxe {
      )
    }
  }
+
+  /**
+   * An XML escaping, considered as a sanitizer.
+   */
+  class XmlEscapingAsSanitizer extends Sanitizer {
+    XmlEscapingAsSanitizer() { this = any(XmlEscaping esc).getOutput() }
+  }
 }