hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Python: Promote XMLParsing concept

Browse Source
This commit is contained in:
Rasmus Wriedt Larsen
2022-03-29 15:50:24 +02:00
committed by Rasmus Wriedt Larsen
parent 9caf4be21b
commit e005a5c0ab
6 changed files with 70 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
python/ql/lib/semmle/python/Concepts.qll
View File

@@ -550,6 +550,68 @@ module XML {
abstract string getName(); abstract string getName();
} }
} }
/**
* A kind of XML vulnerability.
*
* See overview of kinds at https://pypi.org/project/defusedxml/#python-xml-libraries
*/
class XMLVulnerabilityKind extends string {
XMLVulnerabilityKind() {
this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
}
/** Holds for Billion Laughs vulnerability kind. */
predicate isBillionLaughs() { this = "Billion Laughs" }
/** Holds for Quadratic Blowup vulnerability kind. */
predicate isQuadraticBlowup() { this = "Quadratic Blowup" }
/** Holds for XXE vulnerability kind. */
predicate isXxe() { this = "XXE" }
/** Holds for DTD retrieval vulnerability kind. */
predicate isDtdRetrieval() { this = "DTD retrieval" }
}
/**
* A data-flow node that parses XML.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `XMLParsing` instead.
*/
class XMLParsing extends DataFlow::Node instanceof XMLParsing::Range {
/**
* Gets the argument containing the content to parse.
*/
DataFlow::Node getAnInput() { result = super.getAnInput() }
/**
* Holds if this XML parsing is vulnerable to `kind`.
*/
predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
}
/** Provides classes for modeling XML parsing APIs. */
module XMLParsing {
/**
* A data-flow node that parses XML.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `XMLParsing` instead.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets the argument containing the content to parse.
*/
abstract DataFlow::Node getAnInput();
/**
* Holds if this XML parsing is vulnerable to `kind`.
*/
abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
}
}
} }
/** Provides classes for modeling LDAP-related APIs. */ /** Provides classes for modeling LDAP-related APIs. */

68
python/ql/src/experimental/semmle/python/Concepts.qll
View File

@@ -14,74 +14,6 @@ private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.TaintTracking private import semmle.python.dataflow.new.TaintTracking
private import experimental.semmle.python.Frameworks private import experimental.semmle.python.Frameworks
/**
* Since there is both XML module in normal and experimental Concepts,
* we have to rename the experimental module as this.
*/
module ExperimentalXML {
/**
* A kind of XML vulnerability.
*
* See https://pypi.org/project/defusedxml/#python-xml-libraries
*/
class XMLVulnerabilityKind extends string {
XMLVulnerabilityKind() {
this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
}
/** Holds for Billion Laughs vulnerability kind. */
predicate isBillionLaughs() { this = "Billion Laughs" }
/** Holds for Quadratic Blowup vulnerability kind. */
predicate isQuadraticBlowup() { this = "Quadratic Blowup" }
/** Holds for XXE vulnerability kind. */
predicate isXxe() { this = "XXE" }
/** Holds for DTD retrieval vulnerability kind. */
predicate isDtdRetrieval() { this = "DTD retrieval" }
}
/**
* A data-flow node that parses XML.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `XMLParsing` instead.
*/
class XMLParsing extends DataFlow::Node instanceof XMLParsing::Range {
/**
* Gets the argument containing the content to parse.
*/
DataFlow::Node getAnInput() { result = super.getAnInput() }
/**
* Holds if this XML parsing is vulnerable to `kind`.
*/
predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
}
/** Provides classes for modeling XML parsing APIs. */
module XMLParsing {
/**
* A data-flow node that parses XML.
*
* Extend this class to model new APIs. If you want to refine existing API models,
* extend `XMLParsing` instead.
*/
abstract class Range extends DataFlow::Node {
/**
* Gets the argument containing the content to parse.
*/
abstract DataFlow::Node getAnInput();
/**
* Holds if this XML parsing is vulnerable to `kind`.
*/
abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
}
}
}
/** Provides classes for modeling LDAP query execution-related APIs. */ /** Provides classes for modeling LDAP query execution-related APIs. */
module LdapQuery { module LdapQuery {
/** /**

4
python/ql/src/experimental/semmle/python/frameworks/Xml.qll
View File

@@ -5,11 +5,9 @@
private import python private import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import experimental.semmle.python.Concepts private import semmle.python.Concepts
private import semmle.python.ApiGraphs private import semmle.python.ApiGraphs
module XML = ExperimentalXML;
private module XmlEtree { private module XmlEtree {
/** /**
* Provides models for `xml.etree` parsers * Provides models for `xml.etree` parsers

5
python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
View File

@@ -6,7 +6,8 @@
private import python private import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import experimental.semmle.python.Concepts private import semmle.python.Concepts
import experimental.semmle.python.frameworks.Xml // needed until modeling have been promoted
private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.RemoteFlowSources
/** /**
@@ -40,7 +41,7 @@ module XmlBomb {
*/ */
class XmlParsingWithEntityResolution extends Sink { class XmlParsingWithEntityResolution extends Sink {
XmlParsingWithEntityResolution() { XmlParsingWithEntityResolution() {
exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind | exists(XML::XMLParsing parsing, XML::XMLVulnerabilityKind kind |
(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
parsing.vulnerableTo(kind) and parsing.vulnerableTo(kind) and
this = parsing.getAnInput() this = parsing.getAnInput()

5
python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
View File

@@ -6,7 +6,8 @@
private import python private import python
private import semmle.python.dataflow.new.DataFlow private import semmle.python.dataflow.new.DataFlow
private import experimental.semmle.python.Concepts private import semmle.python.Concepts
import experimental.semmle.python.frameworks.Xml // needed until modeling have been promoted
private import semmle.python.dataflow.new.RemoteFlowSources private import semmle.python.dataflow.new.RemoteFlowSources
/** /**
@@ -40,7 +41,7 @@ module Xxe {
*/ */
class XmlParsingWithExternalEntityResolution extends Sink { class XmlParsingWithExternalEntityResolution extends Sink {
XmlParsingWithExternalEntityResolution() { XmlParsingWithExternalEntityResolution() {
exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind | exists(XML::XMLParsing parsing, XML::XMLVulnerabilityKind kind |
kind.isXxe() and kind.isXxe() and
parsing.vulnerableTo(kind) and parsing.vulnerableTo(kind) and
this = parsing.getAnInput() this = parsing.getAnInput()

2
python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql
View File

@@ -1,5 +1,5 @@
import python import python
import experimental.semmle.python.Concepts import semmle.python.Concepts
import experimental.semmle.python.frameworks.Xml import experimental.semmle.python.frameworks.Xml
import semmle.python.dataflow.new.DataFlow import semmle.python.dataflow.new.DataFlow
import TestUtilities.InlineExpectationsTest import TestUtilities.InlineExpectationsTest