Python: Promote XMLParsing concept

2026-05-03 12:45:27 +02:00 · 2022-03-29 15:50:24 +02:00
parent 9caf4be21b
commit e005a5c0ab
6 changed files with 70 additions and 76 deletions
--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -550,6 +550,68 @@ module XML {
      abstract string getName();
    }
  }
+
+  /**
+   * A kind of XML vulnerability.
+   *
+   * See overview of kinds at https://pypi.org/project/defusedxml/#python-xml-libraries
+   */
+  class XMLVulnerabilityKind extends string {
+    XMLVulnerabilityKind() {
+      this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
+    }
+
+    /** Holds for Billion Laughs vulnerability kind. */
+    predicate isBillionLaughs() { this = "Billion Laughs" }
+
+    /** Holds for Quadratic Blowup vulnerability kind. */
+    predicate isQuadraticBlowup() { this = "Quadratic Blowup" }
+
+    /** Holds for XXE vulnerability kind. */
+    predicate isXxe() { this = "XXE" }
+
+    /** Holds for DTD retrieval vulnerability kind. */
+    predicate isDtdRetrieval() { this = "DTD retrieval" }
+  }
+
+  /**
+   * A data-flow node that parses XML.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XMLParsing` instead.
+   */
+  class XMLParsing extends DataFlow::Node instanceof XMLParsing::Range {
+    /**
+     * Gets the argument containing the content to parse.
+     */
+    DataFlow::Node getAnInput() { result = super.getAnInput() }
+
+    /**
+     * Holds if this XML parsing is vulnerable to `kind`.
+     */
+    predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
+  }
+
+  /** Provides classes for modeling XML parsing APIs. */
+  module XMLParsing {
+    /**
+     * A data-flow node that parses XML.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XMLParsing` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /**
+       * Gets the argument containing the content to parse.
+       */
+      abstract DataFlow::Node getAnInput();
+
+      /**
+       * Holds if this XML parsing is vulnerable to `kind`.
+       */
+      abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
+    }
+  }
 }

 /** Provides classes for modeling LDAP-related APIs. */