Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 1851deb

Browse files
NapalysNapalys
committed
Removed libxmljs from being marked as sink for xml-bomb.
1 parent 19d6f66 commit 1851deb

6 files changed

Lines changed: 11 additions & 19 deletions

File tree

javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -49,9 +49,7 @@ module XML {
4949
override JS::Expr getSourceArgument() { result = this.getArgument(0) }
5050

5151
override predicate resolvesEntities(EntityKind kind) {
52-
// internal entities are always resolved
53-
kind = InternalEntity()
54-
or
52+
not kind = InternalEntity() and
5553
// other entities are only resolved if the configuration option `noent` is set to `true`
5654
exists(JS::Expr noent |
5755
this.hasOptionArgument(1, "noent", noent) and
@@ -126,8 +124,9 @@ module XML {
126124
override JS::Expr getSourceArgument() { result = this.getArgument(0) }
127125

128126
override predicate resolvesEntities(EntityKind kind) {
129-
// entities are resolved by default
130-
any()
127+
// SAX parsers in libxmljs also inherit libxml2's protection against XML bombs
128+
kind = ExternalEntity(_) or
129+
kind = ParameterEntity(true)
131130
}
132131

133132
override DataFlow::Node getAResult() {
@@ -149,8 +148,9 @@ module XML {
149148
override JS::Expr getSourceArgument() { result = this.getArgument(0) }
150149

151150
override predicate resolvesEntities(EntityKind kind) {
152-
// entities are resolved by default
153-
any()
151+
// SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs
152+
kind = ExternalEntity(_) or
153+
kind = ParameterEntity(true)
154154
}
155155

156156
override DataFlow::Node getAResult() {

javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,6 @@
55
| domparser.js:11:57:11:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:57:11:59 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
66
| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
77
| jquery.js:4:14:4:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:4:14:4:16 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value |
8-
| libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
9-
| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
10-
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
11-
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
128
edges
139
| closure.js:2:7:2:36 | src | closure.js:3:24:3:26 | src | provenance | |
1410
| closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | provenance | |
@@ -31,8 +27,4 @@ nodes
3127
| jquery.js:2:7:2:36 | src | semmle.label | src |
3228
| jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
3329
| jquery.js:4:14:4:16 | src | semmle.label | src |
34-
| libxml.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
35-
| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
36-
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
37-
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
3830
subpaths

javascript/ql/test/query-tests/Security/CWE-776/libxml.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,5 +2,5 @@ const express = require('express');
22
const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
5-
libxmljs.parseXml(req.param("some-xml")); // $ Alert - libxml expands internal general entities by default
5+
libxmljs.parseXml(req.param("some-xml"));
66
});

javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,5 +2,5 @@ const express = require('express');
22
const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
5-
libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert - unguarded entity expansion
5+
libxmljs.parseXml(req.param("some-xml"), { noent: true });
66
});

javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
55
const parser = new libxmljs.SaxParser();
6-
parser.parseString(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
6+
parser.parseString(req.param("some-xml"));
77
});

javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
55
const parser = new libxmljs.SaxPushParser();
6-
parser.push(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
6+
parser.push(req.param("some-xml"));
77
});

0 commit comments

Comments
 (0)