diff --git a/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql b/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql 
index 01e518b6df7..f706ea6e909 100644 
--- a/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql 
+++ b/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql 
@@ -6,14 +6,14 @@
 * @problem.severity error
 * @security-severity 9.1
 * @precision high 
- * @id js/xxe 
+ * @id py/xxe
 * @tags security
 * external/cwe/cwe-611
 * external/cwe/cwe-827
 */
 
-import javascript 
-import semmle.javascript.security.dataflow.XxeQuery 
+import python 
+import experimental.semmle.python.security.dataflow.XxeQuery
 import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink 
diff --git a/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql b/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql 
index c340eee68cc..2a1ea5916c4 100644 
--- a/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql 
+++ b/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql 
@@ -6,14 +6,14 @@
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high 
- * @id js/xml-bomb 
+ * @id py/xml-bomb
 * @tags security
 * external/cwe/cwe-776
 * external/cwe/cwe-400
 */
 
-import javascript 
-import semmle.javascript.security.dataflow.XmlBombQuery 
+import python 
+import experimental.semmle.python.security.dataflow.XmlBombQuery
 import DataFlow::PathGraph
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink 
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll 
index 1d159b057ad..66a16a4494a 100644 
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll 
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll 
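Review bot: The `@security-severity 9.1` and `@precision high` context lines are carried over unchanged from the JS query while only `@id` and the two imports move to Python, so the precision claim now rests on sinks supplied by `experimental.semmle.python.Concepts`, which this diff does not show; confirm it was re-evaluated for the Python sinks, and if this query tree tags experimental queries, add `experimental` to `@tags`. XmlBomb.ql in this diff has the same pattern (`@security-severity 7.5`, `@precision high` kept, `@id` switched to `py/xml-bomb`). The `from` clause and the rest of the query body continue outside the hunk.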
@@ -1,12 +1,18 @@
 /** 
- * Provides default sources, sinks and sanitizers for reasoning about 
- * XML-bomb vulnerabilities, as well as extension points for adding 
- * your own. 
+ * Provides default sources, sinks and sanitizers for detecting 
+ * "XML bomb" 
+ * vulnerabilities, as well as extension points for adding your own.
 */
 
-import javascript 
-import semmle.javascript.security.dataflow.DOM 
+private import python 
+private import semmle.python.dataflow.new.DataFlow 
+private import experimental.semmle.python.Concepts 
+private import semmle.python.dataflow.new.RemoteFlowSources
 
+/** 
+ * Provides default sources, sinks and sanitizers for detecting "XML bomb" 
+ * vulnerabilities, as well as extension points for adding your own. 
+ */
 module XmlBomb {
 /**
 * A data flow source for XML-bomb vulnerabilities. 
@@ -28,21 +34,16 @@ module XmlBomb {
 RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
 }
 
- /** 
- * An access to `document.location`, considered as a flow source for XML bomb vulnerabilities. 
- */ 
- class LocationAsSource extends Source, DataFlow::ValueNode { 
- LocationAsSource() { isLocation(astNode) } 
- } 
-
 /**
 * A call to an XML parser that performs internal entity expansion, viewed
 * as a data flow sink for XML-bomb vulnerabilities.
 */ 
- class XmlParsingWithEntityResolution extends Sink, DataFlow::ValueNode { 
+ class XmlParsingWithEntityResolution extends Sink {
 XmlParsingWithEntityResolution() { 
- exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() | 
- parse.resolvesEntities(XML::InternalEntity()) 
+ exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind | 
+ (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and 
+ parsing.vulnerableTo(kind) and 
+ this = parsing.getAnInput()
 )
 }
 } 
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll 
index 951b927f86e..d0c0b85d84f 100644 
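Review bot: The file-level QLDoc puts `"XML bomb"` alone on a line in the middle of a sentence, while the module QLDoc added a few lines below wraps the same sentence normally; since both comments are meant to say the same thing, format them identically as `* Provides default sources, sinks and sanitizers for detecting "XML bomb"` / `* vulnerabilities, as well as extension points for adding your own.`. The first hunk of XxeCustomizations.qll in this diff has the same stray break after `"XML External Entity (XXE)"`. The `module XmlBomb` body continues outside the hunk.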
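Review bot: The QLDoc on `XmlParsingWithEntityResolution` still describes the sink as a call to a parser that "performs internal entity expansion", which was the removed `resolvesEntities(XML::InternalEntity())` criterion; the new body instead selects every `parsing.getAnInput()` for which `parsing.vulnerableTo(kind)` holds with `kind.isBillionLaughs()` or `kind.isQuadraticBlowup()`, so the comment should name that criterion, e.g. `* An input to an XML parser that ExperimentalXML reports as vulnerable to billion-laughs or quadratic-blowup entity expansion, viewed as a sink.` The class name is stale for the same reason, though renaming it would break extenders. Whether `vulnerableTo` accounts for parser options that disable expansion is decided by `ExperimentalXML` (presumably from the newly imported `experimental.semmle.python.Concepts`), outside this diff. The sink class in XxeCustomizations.qll's second hunk has the same stale "performs external entity expansion" wording.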
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll 
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll 
@@ -1,17 +1,18 @@
 /** 
- * Provides a taint tracking configuration for reasoning about 
- * XML-bomb vulnerabilities. 
+ * Provides a taint-tracking configuration for detecting "XML bomb" vulnerabilities.
 *
 * Note, for performance reasons: only import this file if 
- * `XmlBomb::Configuration` is needed, otherwise 
+ * `Configuration` is needed, otherwise
 * `XmlBombCustomizations` should be imported instead.
 */
 
-import javascript 
+import python 
+import semmle.python.dataflow.new.DataFlow 
+import semmle.python.dataflow.new.TaintTracking
 import XmlBombCustomizations::XmlBomb
 /** 
- * A taint-tracking configuration for reasoning about XML-bomb vulnerabilities. 
+ * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
 */
 class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "XmlBomb" } 
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll 
index 4e7bb5e730c..b2992dd335f 100644 
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll 
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll 
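Review bot: `Configuration` is a top-level class here, and XxeQuery.qll in this diff declares another top-level class of the same name, so the rewritten advice "only import this file if `Configuration` is needed" is only unambiguous for a query that imports one of the two Query files; the old text named `XmlBomb::Configuration`, and the comment should say which class it means, e.g. `* the Configuration class defined below is needed, otherwise`. The `import semmle.python.dataflow.new.DataFlow` and `TaintTracking` lines are public while XmlBombCustomizations.qll imports the same modules privately; if that is deliberate so that importers such as XmlBomb.ql get `DataFlow::PathGraph` in scope, a one-line comment above them, `// Public on purpose: queries importing this file rely on DataFlow and TaintTracking being in scope.`, would stop a later cleanup from making them private. XxeQuery.qll has the same two points. The class body continues outside the hunk.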
@@ -1,12 +1,18 @@
 /** 
- * Provides default sources, sinks and sanitizers for reasoning about 
- * XML External Entity (XXE) vulnerabilities, as well as extension 
- * points for adding your own. 
+ * Provides default sources, sinks and sanitizers for detecting 
+ * "XML External Entity (XXE)" 
+ * vulnerabilities, as well as extension points for adding your own.
 */
 
-import javascript 
-import semmle.javascript.security.dataflow.DOM 
+private import python 
+private import semmle.python.dataflow.new.DataFlow 
+private import experimental.semmle.python.Concepts 
+private import semmle.python.dataflow.new.RemoteFlowSources
 
+/** 
+ * Provides default sources, sinks and sanitizers for detecting "XML External Entity (XXE)" 
+ * vulnerabilities, as well as extension points for adding your own. 
+ */
 module Xxe {
 /**
 * A data flow source for XXE vulnerabilities. 
@@ -28,24 +34,16 @@ module Xxe {
 RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
 }
 
- /** 
- * An access to `document.location`, considered as a flow source for XXE vulnerabilities. 
- */ 
- class LocationAsSource extends Source, DataFlow::ValueNode { 
- LocationAsSource() { isLocation(astNode) } 
- } 
-
 /**
 * A call to an XML parser that performs external entity expansion, viewed
 * as a data flow sink for XXE vulnerabilities.
 */ 
- class XmlParsingWithExternalEntityResolution extends Sink, DataFlow::ValueNode { 
+ class XmlParsingWithExternalEntityResolution extends Sink {
 XmlParsingWithExternalEntityResolution() { 
- exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() | 
- parse.resolvesEntities(XML::ExternalEntity(_)) 
- or 
- parse.resolvesEntities(XML::ParameterEntity(true)) and 
- parse.resolvesEntities(XML::InternalEntity()) 
+ exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind | 
+ kind.isXxe() and 
+ parsing.vulnerableTo(kind) and 
+ this = parsing.getAnInput()
 )
 }
 } 
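Review bot: The removed sink also treated a parser that resolves parameter entities together with internal entities (`XML::ParameterEntity(true)` and `XML::InternalEntity()`) as XXE-capable, whereas the replacement keys only on `kind.isXxe()`; whether `ExperimentalXML::XMLVulnerabilityKind.isXxe()` covers that configuration is not visible in this diff and should be confirmed, since otherwise a parser set up to block general external entities but still resolving parameter entities would silently stop being a sink. If it is covered, record it next to the class so the next reader does not have to re-derive it, e.g. `* Which parser configurations count as XXE-capable (including parameter-entity resolution) is decided by ExperimentalXML::XMLVulnerabilityKind.isXxe().` The `module Xxe` body continues outside the hunk.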
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll 
index 82d3fb4f6cc..dd2409f2a3c 100644 
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll 
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll 
@@ -1,17 +1,18 @@
 /** 
- * Provides a taint tracking configuration for reasoning about XML 
- * External Entity (XXE) vulnerabilities. 
+ * Provides a taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
 *
 * Note, for performance reasons: only import this file if 
- * `Xxe::Configuration` is needed, otherwise `XxeCustomizations` 
- * should be imported instead. 
+ * `Configuration` is needed, otherwise 
+ * `XxeCustomizations` should be imported instead.
 */
 
-import javascript 
+import python 
+import semmle.python.dataflow.new.DataFlow 
+import semmle.python.dataflow.new.TaintTracking
 import XxeCustomizations::Xxe
 /** 
- * A taint-tracking configuration for reasoning about XXE vulnerabilities. 
+ * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
 */
 class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "Xxe" }