Python: Adjust Xxe/XmlBomb for Python

I changed a few QLdocs so they fit the style we have used in Python... although I surely do regret having introduced a new style for how these QLDocs look :D
2025-12-23 04:06:37 +01:00 · 2022-03-24 14:15:54 +01:00
parent 65907c9762
commit e45f9d69cc
6 changed files with 51 additions and 50 deletions
--- a/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql
+++ b/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql
@@ -6,14 +6,14 @@
 * @problem.severity error
 * @security-severity 9.1
 * @precision high
- * @id js/xxe
+ * @id py/xxe
 * @tags security
 *       external/cwe/cwe-611
 *       external/cwe/cwe-827
 */

-import javascript
-import semmle.javascript.security.dataflow.XxeQuery
+import python
+import experimental.semmle.python.security.dataflow.XxeQuery
 import DataFlow::PathGraph

 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
--- a/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql
+++ b/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql
@@ -6,14 +6,14 @@
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
- * @id js/xml-bomb
+ * @id py/xml-bomb
 * @tags security
 *       external/cwe/cwe-776
 *       external/cwe/cwe-400
 */

-import javascript
-import semmle.javascript.security.dataflow.XmlBombQuery
+import python
+import experimental.semmle.python.security.dataflow.XmlBombQuery
 import DataFlow::PathGraph

 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
@@ -1,12 +1,18 @@
 /**
- * Provides default sources, sinks and sanitizers for reasoning about
- * XML-bomb vulnerabilities, as well as extension points for adding
- * your own.
+ * Provides default sources, sinks and sanitizers for detecting
+ * "XML bomb"
+ * vulnerabilities, as well as extension points for adding your own.
 */

-import javascript
-import semmle.javascript.security.dataflow.DOM
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources

+/**
+ * Provides default sources, sinks and sanitizers for detecting "XML bomb"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
 module XmlBomb {
  /**
   * A data flow source for XML-bomb vulnerabilities.
@@ -28,21 +34,16 @@ module XmlBomb {
    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
  }

-  /**
-   * An access to `document.location`, considered as a flow source for XML bomb vulnerabilities.
-   */
-  class LocationAsSource extends Source, DataFlow::ValueNode {
-    LocationAsSource() { isLocation(astNode) }
-  }
-
  /**
   * A call to an XML parser that performs internal entity expansion, viewed
   * as a data flow sink for XML-bomb vulnerabilities.
   */
-  class XmlParsingWithEntityResolution extends Sink, DataFlow::ValueNode {
+  class XmlParsingWithEntityResolution extends Sink {
    XmlParsingWithEntityResolution() {
-      exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
-        parse.resolvesEntities(XML::InternalEntity())
+      exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind |
+        (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
+        parsing.vulnerableTo(kind) and
+        this = parsing.getAnInput()
      )
    }
  }
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll
@@ -1,17 +1,18 @@
 /**
- * Provides a taint tracking configuration for reasoning about
- * XML-bomb vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "XML bomb" vulnerabilities.
 *
 * Note, for performance reasons: only import this file if
- * `XmlBomb::Configuration` is needed, otherwise
+ * `Configuration` is needed, otherwise
 * `XmlBombCustomizations` should be imported instead.
 */

-import javascript
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
 import XmlBombCustomizations::XmlBomb

 /**
- * A taint-tracking configuration for reasoning about XML-bomb vulnerabilities.
+ * A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
 */
 class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "XmlBomb" }
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
@@ -1,12 +1,18 @@
 /**
- * Provides default sources, sinks and sanitizers for reasoning about
- * XML External Entity (XXE) vulnerabilities, as well as extension
- * points for adding your own.
+ * Provides default sources, sinks and sanitizers for detecting
+ * "XML External Entity (XXE)"
+ * vulnerabilities, as well as extension points for adding your own.
 */

-import javascript
-import semmle.javascript.security.dataflow.DOM
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources

+/**
+ * Provides default sources, sinks and sanitizers for detecting "XML External Entity (XXE)"
+ * vulnerabilities, as well as extension points for adding your own.
+ */
 module Xxe {
  /**
   * A data flow source for XXE vulnerabilities.
@@ -28,24 +34,16 @@ module Xxe {
    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
  }

-  /**
-   * An access to `document.location`, considered as a flow source for XXE vulnerabilities.
-   */
-  class LocationAsSource extends Source, DataFlow::ValueNode {
-    LocationAsSource() { isLocation(astNode) }
-  }
-
  /**
   * A call to an XML parser that performs external entity expansion, viewed
   * as a data flow sink for XXE vulnerabilities.
   */
-  class XmlParsingWithExternalEntityResolution extends Sink, DataFlow::ValueNode {
+  class XmlParsingWithExternalEntityResolution extends Sink {
    XmlParsingWithExternalEntityResolution() {
-      exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
-        parse.resolvesEntities(XML::ExternalEntity(_))
-        or
-        parse.resolvesEntities(XML::ParameterEntity(true)) and
-        parse.resolvesEntities(XML::InternalEntity())
+      exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind |
+        kind.isXxe() and
+        parsing.vulnerableTo(kind) and
+        this = parsing.getAnInput()
      )
    }
  }
--- a/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll
@@ -1,17 +1,18 @@
 /**
- * Provides a taint tracking configuration for reasoning about XML
- * External Entity (XXE) vulnerabilities.
+ * Provides a taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
 *
 * Note, for performance reasons: only import this file if
- * `Xxe::Configuration` is needed, otherwise `XxeCustomizations`
- * should be imported instead.
+ * `Configuration` is needed, otherwise
+ * `XxeCustomizations` should be imported instead.
 */

-import javascript
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
 import XxeCustomizations::Xxe

 /**
- * A taint-tracking configuration for reasoning about XXE vulnerabilities.
+ * A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
 */
 class Configuration extends TaintTracking::Configuration {
  Configuration() { this = "Xxe" }