Merge pull request #6097 from atorralba/atorralba/promote-xslt-injection

Java: Promote XSLT Injection from experimental
2025-12-21 19:26:31 +01:00 · 2021-09-27 13:14:57 +02:00
parent e027d514f1 78c12dc505
commit cfa0d46b73
31 changed files with 409 additions and 455 deletions
--- a/java/ql/src/Security/CWE/CWE-074/XsltInjection.java
+++ b/java/ql/src/Security/CWE/CWE-074/XsltInjection.java
@@ -0,0 +1,18 @@
+import javax.xml.XMLConstants;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
+
+public void transform(Socket socket, String inputXml) throws Exception {
+  StreamSource xslt = new StreamSource(socket.getInputStream());
+  StreamSource xml = new StreamSource(new StringReader(inputXml));
+  StringWriter result = new StringWriter();
+  TransformerFactory factory = TransformerFactory.newInstance();
+
+  // BAD: User provided XSLT stylesheet is processed
+  factory.newTransformer(xslt).transform(xml, new StreamResult(result));
+
+  // GOOD: The secure processing mode is enabled
+  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+  factory.newTransformer(xslt).transform(xml, new StreamResult(result));
+}  
--- a/java/ql/src/Security/CWE/CWE-074/XsltInjection.qhelp
+++ b/java/ql/src/Security/CWE/CWE-074/XsltInjection.qhelp
@@ -0,0 +1,32 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML
+documents into other XML documents or other formats. Processing unvalidated XSLT stylesheets can
+allow attackers to read arbitrary files from the filesystem or to execute arbitrary code.</p>
+</overview>
+
+<recommendation>
+<p>The general recommendation is to not process untrusted XSLT stylesheets. If user-provided
+stylesheets must be processed, enable the secure processing mode.</p>
+</recommendation>
+
+<example>
+<p>In the following examples, the code accepts an XSLT stylesheet from the user and processes it.
+</p>
+
+<p>In the first example, the user-provided XSLT stylesheet is parsed and processed.</p>
+
+<p>In the second example, secure processing mode is enabled.</p>
+
+<sample src="XsltInjection.java" />
+</example>
+
+<references>
+<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/XSLT">XSLT</a>.</li>
+<li>The Java Tutorials: <a href="https://docs.oracle.com/javase/tutorial/jaxp/xslt/transformingXML.html">Transforming XML Data with XSLT</a>.</li>
+<li><a href="https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/">XSLT Injection Basics</a>.</li>
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
@@ -0,0 +1,20 @@
+/**
+ * @name XSLT transformation with user-controlled stylesheet
+ * @description Performing an XSLT transformation with user-controlled stylesheets can lead to
+ *              information disclosure or execution of arbitrary code.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/xslt-injection
+ * @tags security
+ *       external/cwe/cwe-074
+ */
+
+import java
+import semmle.code.java.security.XsltInjectionQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, XsltInjectionFlowConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "XSLT transformation might include stylesheet from $@.",
+  source.getNode(), "this user input"