hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Python: => XMLParsingVulnerabilityKind

Browse Source 
Since there are other XML vulnerabilities that are not about parsing,
this is more correct.
This commit is contained in:
Rasmus Wriedt Larsen
2022-03-29 15:51:27 +02:00
committed by Rasmus Wriedt Larsen
parent e005a5c0ab
commit e45288e812
6 changed files with 20 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
python/ql/lib/semmle/python/Concepts.qll
View File

@@ -556,8 +556,8 @@ module XML {
*
* See overview of kinds at https://pypi.org/project/defusedxml/#python-xml-libraries
*/
class XMLVulnerabilityKind extends string {
XMLVulnerabilityKind() {
class XMLParsingVulnerabilityKind extends string {
XMLParsingVulnerabilityKind() {
this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
}
@@ -589,7 +589,7 @@ module XML {
/**
* Holds if this XML parsing is vulnerable to `kind`.
*/
predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
predicate vulnerableTo(XMLParsingVulnerabilityKind kind) { super.vulnerableTo(kind) }
}
/** Provides classes for modeling XML parsing APIs. */
@@ -609,7 +609,7 @@ module XML {
/**
* Holds if this XML parsing is vulnerable to `kind`.
*/
abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
abstract predicate vulnerableTo(XMLParsingVulnerabilityKind kind);
}
}
}

2
python/ql/src/experimental/Security/CWE-611/SimpleXmlRpcServer.ql
View File

@@ -17,7 +17,7 @@ from DataFlow::CallCfgNode call, string kinds
where
call = API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall() and
kinds =
strictconcat(ExperimentalXML::XMLVulnerabilityKind kind |
strictconcat(ExperimentalXML::XMLParsingVulnerabilityKind kind |
kind.isBillionLaughs() or kind.isQuadraticBlowup()
|
kind, ", "

24
python/ql/src/experimental/semmle/python/frameworks/Xml.qll
View File

@@ -66,7 +66,7 @@ private module XmlEtree {
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
kind.isBillionLaughs() or kind.isQuadraticBlowup()
}
}
@@ -103,7 +103,7 @@ private module XmlEtree {
]
}
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
// note: it does not matter what `xml.etree` parser you are using, you cannot
// change the security features anyway :|
kind.isBillionLaughs() or kind.isQuadraticBlowup()
@@ -218,7 +218,7 @@ private module SaxBasedParsing {
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
// always vuln to these
(kind.isBillionLaughs() or kind.isQuadraticBlowup())
or
@@ -251,7 +251,7 @@ private module SaxBasedParsing {
]
}
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
// always vuln to these
(kind.isBillionLaughs() or kind.isQuadraticBlowup())
or
@@ -290,7 +290,7 @@ private module SaxBasedParsing {
DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
this.getParserArg() = saxParserWithFeatureExternalGesTurnedOn() and
(kind.isXxe() or kind.isDtdRetrieval())
or
@@ -317,7 +317,7 @@ private module Lxml {
*/
abstract class InstanceSource extends DataFlow::LocalSourceNode {
/** Holds if this instance is vulnerable to `kind`. */
abstract predicate vulnerableTo(XML::XMLVulnerabilityKind kind);
abstract predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind);
}
/**
@@ -331,7 +331,7 @@ private module Lxml {
}
// NOTE: it's not possible to change settings of a parser after constructing it
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
kind.isXxe() and
(
// resolve_entities has default True
@@ -361,7 +361,7 @@ private module Lxml {
API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getACall()
}
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
// as highlighted by
// https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
// by default XXE is allow. so as long as the default parser has not been
@@ -385,7 +385,7 @@ private module Lxml {
}
/** Gets a reference to an `lxml.etree` parser instance, that is vulnerable to `kind`. */
DataFlow::Node instanceVulnerableTo(XML::XMLVulnerabilityKind kind) {
DataFlow::Node instanceVulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
exists(InstanceSource origin | result = instance(origin) and origin.vulnerableTo(kind))
}
@@ -397,7 +397,7 @@ private module Lxml {
override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
this.calls(instanceVulnerableTo(kind), "feed")
}
}
@@ -436,7 +436,7 @@ private module Lxml {
DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
this.getParserArg() = XMLParser::instanceVulnerableTo(kind)
or
kind.isXxe() and
@@ -456,7 +456,7 @@ private module Xmltodict {
result in [this.getArg(0), this.getArgByName("xml_input")]
}
override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)
}

2
python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
View File

@@ -41,7 +41,7 @@ module XmlBomb {
*/
class XmlParsingWithEntityResolution extends Sink {
XmlParsingWithEntityResolution() {
exists(XML::XMLParsing parsing, XML::XMLVulnerabilityKind kind |
exists(XML::XMLParsing parsing, XML::XMLParsingVulnerabilityKind kind |
(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
parsing.vulnerableTo(kind) and
this = parsing.getAnInput()

2
python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
View File

@@ -41,7 +41,7 @@ module Xxe {
*/
class XmlParsingWithExternalEntityResolution extends Sink {
XmlParsingWithExternalEntityResolution() {
exists(XML::XMLParsing parsing, XML::XMLVulnerabilityKind kind |
exists(XML::XMLParsing parsing, XML::XMLParsingVulnerabilityKind kind |
kind.isXxe() and
parsing.vulnerableTo(kind) and
this = parsing.getAnInput()

2
python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql
View File

@@ -21,7 +21,7 @@ class XmlParsingTest extends InlineExpectationsTest {
tag = "input"
)
or
exists(XML::XMLVulnerabilityKind kind |
exists(XML::XMLParsingVulnerabilityKind kind |
parsing.vulnerableTo(kind) and
location = parsing.getLocation() and
element = parsing.toString() and