C++: Fix CWE-611 XXE query to work with use-use dataflow
1 parent 9e4cab7 commit 30bdd25

2 files changed

Lines changed: 68 additions & 4 deletions


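--- a/cpp/ql/src/Security/CWE/CWE-611/Xerces.qll
+++ b/cpp/ql/src/Security/CWE/CWE-611/Xerces.qll
@@ -67,8 +67,7 @@ class XercesDomParserLibrary extends XmlLibrary {
 // constructor.
 exists(CallInstruction call |
 call.getStaticCallTarget() = any(XercesDomParserClass c).getAConstructor() and
-node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
-call.getThisArgument() and
+node.asInstruction().(StoreInstruction).getSourceValue() = call.getThisArgument() and
 encodeXercesFlowState(flowstate, 0, 1) // default configuration
 )
 }
@@ -153,8 +152,7 @@ class SaxParserLibrary extends XmlLibrary {
 // constructor.
 exists(CallInstruction call |
 call.getStaticCallTarget() = any(SaxParserClass c).getAConstructor() and
-node.asInstruction().(WriteSideEffectInstruction).getDestinationAddress() =
-call.getThisArgument() and
+node.asInstruction().(StoreInstruction).getSourceValue() = call.getThisArgument() and
 encodeXercesFlowState(flowstate, 0, 1) // default configuration
 )
 }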
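Review bot: The source is now recognised only when the constructor's `this` argument is the value of a `StoreInstruction` (new line 70 in XercesDomParserLibrary, and the identical new line 155 in SaxParserLibrary), so a parser that is never stored into a variable — a stack-allocated parser whose methods are called directly, or an object from `new` used in the same expression — would, as far as I can tell, have no matching store and be silently missed, which is worth a test case before this becomes the only source definition. Because the same three-line pattern has to change in lockstep in both classes, a shared predicate such as `predicate isConstructedParserStore(DataFlow::Node node, CallInstruction call)` would keep them from drifting. A short why-comment on the new line would also help the next maintainer, e.g. `// Under use-use flow the source is the store of the constructed object's address, not the constructor's write side effect.`. Note too that, per XXE.expected, the `$@` in the alert message now renders as `Store` rather than the constructor call, which is a less helpful label for users reading the finding. The enclosing predicate starts above this hunk.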

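--- a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
@@ -1,4 +1,6 @@
 edges
+| tests2.cpp:20:17:20:31 | Store | tests2.cpp:22:2:22:2 | p |
+| tests2.cpp:33:17:33:31 | Store | tests2.cpp:37:2:37:2 | p |
 | tests3.cpp:23:21:23:53 | call to createXMLReader | tests3.cpp:25:2:25:2 | p |
 | tests3.cpp:35:16:35:20 | p_3_3 | tests3.cpp:38:2:38:6 | Load |
 | tests3.cpp:35:24:35:56 | Store | tests3.cpp:35:16:35:20 | p_3_3 |
@@ -35,7 +37,30 @@ edges
 | tests5.cpp:88:2:88:2 | Load | tests5.cpp:88:2:88:2 | p |
 | tests5.cpp:88:2:88:2 | p | tests5.cpp:89:2:89:2 | p |
 | tests5.cpp:88:2:88:2 | p indirection | tests5.cpp:88:2:88:2 | p |
+| tests.cpp:15:23:15:43 | Store | tests.cpp:17:2:17:2 | p |
+| tests.cpp:28:23:28:43 | Store | tests.cpp:31:2:31:2 | p |
+| tests.cpp:35:23:35:43 | Store | tests.cpp:37:2:37:2 | p |
+| tests.cpp:37:2:37:2 | p | tests.cpp:39:2:39:2 | p |
+| tests.cpp:51:23:51:43 | Store | tests.cpp:54:2:54:2 | p |
+| tests.cpp:54:2:54:2 | p | tests.cpp:56:2:56:2 | p |
+| tests.cpp:54:2:54:2 | p | tests.cpp:56:2:56:2 | p |
+| tests.cpp:56:2:56:2 | p | tests.cpp:58:2:58:2 | p |
+| tests.cpp:58:2:58:2 | p | tests.cpp:60:2:60:2 | p |
+| tests.cpp:66:23:66:43 | Store | tests.cpp:69:2:69:2 | p |
+| tests.cpp:73:23:73:43 | Store | tests.cpp:80:2:80:2 | p |
+| tests.cpp:85:24:85:44 | Store | tests.cpp:88:3:88:3 | q |
+| tests.cpp:100:24:100:44 | Store | tests.cpp:104:3:104:3 | q |
+| tests.cpp:112:39:112:39 | p | tests.cpp:113:2:113:2 | p |
+| tests.cpp:116:39:116:39 | p | tests.cpp:117:2:117:2 | p |
+| tests.cpp:122:23:122:43 | Store | tests.cpp:126:18:126:18 | q |
+| tests.cpp:122:23:122:43 | Store | tests.cpp:128:18:128:18 | q |
+| tests.cpp:126:18:126:18 | q | tests.cpp:112:39:112:39 | p |
+| tests.cpp:128:18:128:18 | q | tests.cpp:116:39:116:39 | p |
 nodes
+| tests2.cpp:20:17:20:31 | Store | semmle.label | Store |
+| tests2.cpp:22:2:22:2 | p | semmle.label | p |
+| tests2.cpp:33:17:33:31 | Store | semmle.label | Store |
+| tests2.cpp:37:2:37:2 | p | semmle.label | p |
 | tests3.cpp:23:21:23:53 | call to createXMLReader | semmle.label | call to createXMLReader |
 | tests3.cpp:25:2:25:2 | p | semmle.label | p |
 | tests3.cpp:35:16:35:20 | p_3_3 | semmle.label | p_3_3 |
@@ -87,8 +112,38 @@ nodes
 | tests5.cpp:88:2:88:2 | p | semmle.label | p |
 | tests5.cpp:88:2:88:2 | p indirection | semmle.label | p indirection |
 | tests5.cpp:89:2:89:2 | p | semmle.label | p |
+| tests.cpp:15:23:15:43 | Store | semmle.label | Store |
+| tests.cpp:17:2:17:2 | p | semmle.label | p |
+| tests.cpp:28:23:28:43 | Store | semmle.label | Store |
+| tests.cpp:31:2:31:2 | p | semmle.label | p |
+| tests.cpp:35:23:35:43 | Store | semmle.label | Store |
+| tests.cpp:37:2:37:2 | p | semmle.label | p |
+| tests.cpp:39:2:39:2 | p | semmle.label | p |
+| tests.cpp:51:23:51:43 | Store | semmle.label | Store |
+| tests.cpp:54:2:54:2 | p | semmle.label | p |
+| tests.cpp:56:2:56:2 | p | semmle.label | p |
+| tests.cpp:56:2:56:2 | p | semmle.label | p |
+| tests.cpp:58:2:58:2 | p | semmle.label | p |
+| tests.cpp:60:2:60:2 | p | semmle.label | p |
+| tests.cpp:66:23:66:43 | Store | semmle.label | Store |
+| tests.cpp:69:2:69:2 | p | semmle.label | p |
+| tests.cpp:73:23:73:43 | Store | semmle.label | Store |
+| tests.cpp:80:2:80:2 | p | semmle.label | p |
+| tests.cpp:85:24:85:44 | Store | semmle.label | Store |
+| tests.cpp:88:3:88:3 | q | semmle.label | q |
+| tests.cpp:100:24:100:44 | Store | semmle.label | Store |
+| tests.cpp:104:3:104:3 | q | semmle.label | q |
+| tests.cpp:112:39:112:39 | p | semmle.label | p |
+| tests.cpp:113:2:113:2 | p | semmle.label | p |
+| tests.cpp:116:39:116:39 | p | semmle.label | p |
+| tests.cpp:117:2:117:2 | p | semmle.label | p |
+| tests.cpp:122:23:122:43 | Store | semmle.label | Store |
+| tests.cpp:126:18:126:18 | q | semmle.label | q |
+| tests.cpp:128:18:128:18 | q | semmle.label | q |
 subpaths
 #select
+| tests2.cpp:22:2:22:2 | p | tests2.cpp:20:17:20:31 | Store | tests2.cpp:22:2:22:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | Store | XML parser |
+| tests2.cpp:37:2:37:2 | p | tests2.cpp:33:17:33:31 | Store | tests2.cpp:37:2:37:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | Store | XML parser |
 | tests3.cpp:25:2:25:2 | p | tests3.cpp:23:21:23:53 | call to createXMLReader | tests3.cpp:25:2:25:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:23:21:23:53 | call to createXMLReader | XML parser |
 | tests3.cpp:38:2:38:6 | p_3_3 | tests3.cpp:35:24:35:56 | call to createXMLReader | tests3.cpp:38:2:38:6 | p_3_3 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:35:24:35:56 | call to createXMLReader | XML parser |
 | tests3.cpp:45:2:45:6 | p_3_4 | tests3.cpp:41:24:41:56 | call to createXMLReader | tests3.cpp:45:2:45:6 | p_3_4 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests3.cpp:41:24:41:56 | call to createXMLReader | XML parser |
@@ -107,3 +162,14 @@ subpaths
 | tests5.cpp:77:2:77:5 | g_p2 | tests5.cpp:70:17:70:30 | call to createLSParser | tests5.cpp:77:2:77:5 | g_p2 | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:70:17:70:30 | call to createLSParser | XML parser |
 | tests5.cpp:83:2:83:2 | p | tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:83:2:83:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser | XML parser |
 | tests5.cpp:89:2:89:2 | p | tests5.cpp:81:25:81:38 | call to createLSParser | tests5.cpp:89:2:89:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:81:25:81:38 | call to createLSParser | XML parser |
+| tests.cpp:17:2:17:2 | p | tests.cpp:15:23:15:43 | Store | tests.cpp:17:2:17:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | Store | XML parser |
+| tests.cpp:31:2:31:2 | p | tests.cpp:28:23:28:43 | Store | tests.cpp:31:2:31:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | Store | XML parser |
+| tests.cpp:39:2:39:2 | p | tests.cpp:35:23:35:43 | Store | tests.cpp:39:2:39:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:35:23:35:43 | Store | XML parser |
+| tests.cpp:56:2:56:2 | p | tests.cpp:51:23:51:43 | Store | tests.cpp:56:2:56:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | Store | XML parser |
+| tests.cpp:60:2:60:2 | p | tests.cpp:51:23:51:43 | Store | tests.cpp:60:2:60:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | Store | XML parser |
+| tests.cpp:69:2:69:2 | p | tests.cpp:66:23:66:43 | Store | tests.cpp:69:2:69:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | Store | XML parser |
+| tests.cpp:80:2:80:2 | p | tests.cpp:73:23:73:43 | Store | tests.cpp:80:2:80:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | Store | XML parser |
+| tests.cpp:88:3:88:3 | q | tests.cpp:85:24:85:44 | Store | tests.cpp:88:3:88:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | Store | XML parser |
+| tests.cpp:104:3:104:3 | q | tests.cpp:100:24:100:44 | Store | tests.cpp:104:3:104:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | Store | XML parser |
+| tests.cpp:113:2:113:2 | p | tests.cpp:122:23:122:43 | Store | tests.cpp:113:2:113:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | Store | XML parser |
+| tests.cpp:117:2:117:2 | p | tests.cpp:122:23:122:43 | Store | tests.cpp:117:2:117:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | Store | XML parser |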
