mirror of
https://github.com/github/codeql.git
synced 2026-05-14 19:29:28 +02:00
f5131f9bc6
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`, `createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls where the static receiver type is `WstxInputFactory` (or its supertype `org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in its default configuration, so these missed sinks were false negatives in `java/xxe`. This adds a scoped framework model under `semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the `Frameworks` module of `XmlParsers.qll`) that recognises these calls as XXE sinks and treats the factory as safe when both `javax.xml.stream.supportDTD` and `javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring the existing `XMLInputFactory` safe-configuration logic.
45 lines
1.8 KiB
Java
45 lines
1.8 KiB
Java
import java.net.Socket;
|
|
|
|
import javax.xml.stream.XMLInputFactory;
|
|
|
|
import com.ctc.wstx.stax.WstxInputFactory;
|
|
|
|
public class WstxInputFactoryTests {
|
|
|
|
public void unconfiguredFactory(Socket sock) throws Exception {
|
|
WstxInputFactory factory = new WstxInputFactory();
|
|
factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
|
|
factory.createXMLEventReader(sock.getInputStream()); // $ Alert
|
|
}
|
|
|
|
public void safeFactory(Socket sock) throws Exception {
|
|
WstxInputFactory factory = new WstxInputFactory();
|
|
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
|
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
|
factory.createXMLStreamReader(sock.getInputStream()); // safe
|
|
factory.createXMLEventReader(sock.getInputStream()); // safe
|
|
}
|
|
|
|
public void safeFactoryStringProperties(Socket sock) throws Exception {
|
|
WstxInputFactory factory = new WstxInputFactory();
|
|
factory.setProperty("javax.xml.stream.supportDTD", false);
|
|
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
|
factory.createXMLStreamReader(sock.getInputStream()); // safe
|
|
factory.createXMLEventReader(sock.getInputStream()); // safe
|
|
}
|
|
|
|
public void misConfiguredFactory(Socket sock) throws Exception {
|
|
WstxInputFactory factory = new WstxInputFactory();
|
|
factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
|
|
factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
|
|
factory.createXMLEventReader(sock.getInputStream()); // $ Alert
|
|
}
|
|
|
|
public void misConfiguredFactory2(Socket sock) throws Exception {
|
|
WstxInputFactory factory = new WstxInputFactory();
|
|
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
|
factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
|
|
factory.createXMLEventReader(sock.getInputStream()); // $ Alert
|
|
}
|
|
}
|