Python: Promote XMLParsing concept test

RasmusWL · RasmusWL · commit 35ccba2ec10b · 2022-03-31T09:52:55.000+02:00
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/ConceptsTest.expected b/python/ql/test/experimental/library-tests/frameworks/XML/ConceptsTest.expected
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/ConceptsTest.ql b/python/ql/test/experimental/library-tests/frameworks/XML/ConceptsTest.ql
@@ -0,0 +1,3 @@
+import python
+import experimental.meta.ConceptsTest
+import experimental.semmle.python.frameworks.Xml // needed until modeling have been promoted
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql b/python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py b/python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py
@@ -4,51 +4,51 @@
 x = "some xml"
 
 # different parsing methods
-lxml.etree.fromstring(x) # $ input=x vuln='XXE'
-lxml.etree.fromstring(text=x) # $ input=x vuln='XXE'
+lxml.etree.fromstring(x) # $ xmlInput=x xmlVuln='XXE'
+lxml.etree.fromstring(text=x) # $ xmlInput=x xmlVuln='XXE'
 
-lxml.etree.fromstringlist([x]) # $ input=List vuln='XXE'
-lxml.etree.fromstringlist(strings=[x]) # $ input=List vuln='XXE'
+lxml.etree.fromstringlist([x]) # $ xmlInput=List xmlVuln='XXE'
+lxml.etree.fromstringlist(strings=[x]) # $ xmlInput=List xmlVuln='XXE'
 
-lxml.etree.XML(x) # $ input=x vuln='XXE'
-lxml.etree.XML(text=x) # $ input=x vuln='XXE'
+lxml.etree.XML(x) # $ xmlInput=x xmlVuln='XXE'
+lxml.etree.XML(text=x) # $ xmlInput=x xmlVuln='XXE'
 
-lxml.etree.parse(StringIO(x)) # $ input=StringIO(..) vuln='XXE'
-lxml.etree.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='XXE'
+lxml.etree.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE'
+lxml.etree.parse(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE'
 
-lxml.etree.parseid(StringIO(x)) # $ input=StringIO(..) vuln='XXE'
-lxml.etree.parseid(source=StringIO(x)) # $ input=StringIO(..) vuln='XXE'
+lxml.etree.parseid(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE'
+lxml.etree.parseid(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE'
 
 # With default parsers (nothing changed)
 parser = lxml.etree.XMLParser()
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='XXE'
 
 parser = lxml.etree.get_default_parser()
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='XXE'
 
 # manual use of feed method
 parser = lxml.etree.XMLParser()
-parser.feed(x) # $ input=x vuln='XXE'
-parser.feed(data=x) # $ input=x vuln='XXE'
+parser.feed(x) # $ xmlInput=x xmlVuln='XXE'
+parser.feed(data=x) # $ xmlInput=x xmlVuln='XXE'
 parser.close()
 
 # XXE-safe
 parser = lxml.etree.XMLParser(resolve_entities=False)
-lxml.etree.fromstring(x, parser) # $ input=x
-lxml.etree.fromstring(x, parser=parser) # $ input=x
+lxml.etree.fromstring(x, parser) # $ xmlInput=x
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x
 
 # XXE-vuln
 parser = lxml.etree.XMLParser(resolve_entities=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='XXE'
 
 # Billion laughs vuln (also XXE)
 parser = lxml.etree.XMLParser(huge_tree=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup' vuln='XXE'
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
 
 # Safe for both Billion laughs and XXE
 parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x
 
 # DTD retrival vuln (also XXE)
 parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='DTD retrieval' vuln='XXE'
+lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='DTD retrieval' xmlVuln='XXE'
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py b/python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py
@@ -6,26 +6,26 @@
 x = "some xml"
 
 # minidom
-xml.dom.minidom.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.minidom.parse(file=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.minidom.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.dom.minidom.parse(file=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.dom.minidom.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.minidom.parseString(string=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.minidom.parseString(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.dom.minidom.parseString(string=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 
 # pulldom
-xml.dom.pulldom.parse(StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.pulldom.parse(stream_or_string=StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.pulldom.parse(StringIO(x))['START_DOCUMENT'][1] # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.dom.pulldom.parse(stream_or_string=StringIO(x))['START_DOCUMENT'][1] # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.dom.pulldom.parseString(x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.dom.pulldom.parseString(string=x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.pulldom.parseString(x)['START_DOCUMENT'][1] # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.dom.pulldom.parseString(string=x)['START_DOCUMENT'][1] # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 
 # These are based on SAX parses, and you can specify your own, so you can expose yourself to XXE (yay/)
 parser = xml.sax.make_parser()
 parser.setFeature(xml.sax.handler.feature_external_ges, True)
-xml.dom.minidom.parse(StringIO(x), parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-xml.dom.minidom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+xml.dom.minidom.parse(StringIO(x), parser) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
+xml.dom.minidom.parse(StringIO(x), parser=parser) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
 
-xml.dom.pulldom.parse(StringIO(x), parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
-xml.dom.pulldom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+xml.dom.pulldom.parse(StringIO(x), parser) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
+xml.dom.pulldom.parse(StringIO(x), parser=parser) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py b/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py
@@ -4,39 +4,39 @@
 x = "some xml"
 
 # Parsing in different ways
-xml.etree.ElementTree.fromstring(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.fromstring(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstring(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstring(text=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.etree.ElementTree.fromstringlist([x]) # $ input=List vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.fromstringlist(sequence=[x]) # $ input=List vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstringlist([x]) # $ xmlInput=List xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstringlist(sequence=[x]) # $ xmlInput=List xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.etree.ElementTree.XML(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.XML(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.XML(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.etree.ElementTree.XML(text=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.etree.ElementTree.XMLID(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.XMLID(text=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.XMLID(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.etree.ElementTree.XMLID(text=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.etree.ElementTree.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.etree.ElementTree.parse(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.etree.ElementTree.iterparse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.iterparse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 
 # With parsers (no options available to disable/enable security features)
 parser = xml.etree.ElementTree.XMLParser()
-xml.etree.ElementTree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 # manual use of feed method
 parser = xml.etree.ElementTree.XMLParser()
-parser.feed(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.feed(data=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+parser.feed(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+parser.feed(data=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 parser.close()
 
 # manual use of feed method on XMLPullParser
 parser = xml.etree.ElementTree.XMLPullParser()
-parser.feed(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.feed(data=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+parser.feed(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+parser.feed(data=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 parser.close()
 
 # note: it's technically possible to use the thing wrapper func `fromstring` with an
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/xml_sax.py b/python/ql/test/experimental/library-tests/frameworks/XML/xml_sax.py
@@ -10,49 +10,49 @@ def __init__(self):
     def characters(self, data):
         self._result.append(data)
 
-xml.sax.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.sax.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.sax.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.sax.parse(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
-xml.sax.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
-xml.sax.parseString(string=x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.sax.parseString(x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+xml.sax.parseString(string=x) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 parser = xml.sax.make_parser()
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
-parser.parse(source=StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+parser.parse(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 # You can make it vuln to both XXE and DTD retrieval by setting this flag
 # see https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges
 parser = xml.sax.make_parser()
 parser.setFeature(xml.sax.handler.feature_external_ges, True)
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
 
 parser = xml.sax.make_parser()
 parser.setFeature(xml.sax.handler.feature_external_ges, False)
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 # Forward Type Tracking test
 def func(cond):
     parser = xml.sax.make_parser()
     if cond:
         parser.setFeature(xml.sax.handler.feature_external_ges, True)
-        parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+        parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
     else:
-        parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+        parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 # make it vuln, then making it safe
 # a bit of an edge-case, but is nice to be able to handle.
 parser = xml.sax.make_parser()
 parser.setFeature(xml.sax.handler.feature_external_ges, True)
 parser.setFeature(xml.sax.handler.feature_external_ges, False)
-parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 
 def check_conditional_assignment(cond):
     parser = xml.sax.make_parser()
     if cond:
         parser.setFeature(xml.sax.handler.feature_external_ges, True)
     else:
         parser.setFeature(xml.sax.handler.feature_external_ges, False)
-    parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+    parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
 
 def check_conditional_assignment2(cond):
     parser = xml.sax.make_parser()
@@ -61,4 +61,4 @@ def check_conditional_assignment2(cond):
     else:
         flag_value = False
     parser.setFeature(xml.sax.handler.feature_external_ges, flag_value)
-    parser.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
+    parser.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='DTD retrieval' xmlVuln='Quadratic Blowup' xmlVuln='XXE'
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/xmltodict.py b/python/ql/test/experimental/library-tests/frameworks/XML/xmltodict.py
@@ -2,7 +2,7 @@
 
 x = "some xml"
 
-xmltodict.parse(x) # $ input=x
-xmltodict.parse(xml_input=x) # $ input=x
+xmltodict.parse(x) # $ xmlInput=x
+xmltodict.parse(xml_input=x) # $ xmlInput=x
 
-xmltodict.parse(x, disable_entities=False) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xmltodict.parse(x, disable_entities=False) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
diff --git a/python/ql/test/experimental/meta/ConceptsTest.qll b/python/ql/test/experimental/meta/ConceptsTest.qll
@@ -539,3 +539,30 @@ class HttpClientRequestTest extends InlineExpectationsTest {
     )
   }
 }
+
+class XmlParsingTest extends InlineExpectationsTest {
+  XmlParsingTest() { this = "XmlParsingTest" }
+
+  override string getARelevantTag() { result in ["xmlInput", "xmlVuln"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(XML::XMLParsing parsing |
+      exists(DataFlow::Node input |
+        input = parsing.getAnInput() and
+        location = input.getLocation() and
+        element = input.toString() and
+        value = prettyNodeForInlineTest(input) and
+        tag = "xmlInput"
+      )
+      or
+      exists(XML::XMLParsingVulnerabilityKind kind |
+        parsing.vulnerableTo(kind) and
+        location = parsing.getLocation() and
+        element = parsing.toString() and
+        value = "'" + kind + "'" and
+        tag = "xmlVuln"
+      )
+    )
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+import python`
	`2`	`+import experimental.meta.ConceptsTest`
	`3`	`+import experimental.semmle.python.frameworks.Xml // needed until modeling have been promoted`