

Commit 6fa5fdf

committed
C++: Fix CWE-611 XXE query to work with use-use dataflow - take 2
This commit ensures that stack-allocated parsers are also handled.
1 parent 30bdd25 commit 6fa5fdf

4 files changed

Lines changed: 150 additions & 173 deletions

File tree

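--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -34,14 +34,14 @@ class XxeConfiguration extends DataFlow::Configuration {
 DataFlow::Node node1, string state1, DataFlow::Node node2, string state2
 ) {
 // create additional flow steps for `XxeFlowStateTransformer`s
-state2 = node2.asConvertedExpr().(XxeFlowStateTransformer).transform(state1) and
+state2 = node2.asIndirectExpr().(XxeFlowStateTransformer).transform(state1) and
 DataFlow::simpleLocalFlowStep(node1, node2)
 }
 
 override predicate isBarrier(DataFlow::Node node, string flowstate) {
 // when the flowstate is transformed at a call node, block the original
 // flowstate value.
-node.asConvertedExpr().(XxeFlowStateTransformer).transform(flowstate) != flowstate
+node.asIndirectExpr().(XxeFlowStateTransformer).transform(flowstate) != flowstate
 }
 }
 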
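Review bot: The additional flow step and the barrier now match the transformer via `node2.asIndirectExpr()` / `node.asIndirectExpr()`, while the sinks changed in the same commit (Xerces.qll) match the parser qualifier via `asIndirectConvertedExpr()`; if a transformer call can appear under an implicit conversion, the unconverted form here would not see it and the flow state would not be updated, so the query could keep reporting a parser that was actually hardened. I cannot tell from the hunk which form is intended, so either align the two or record the reason in the existing comment, e.g. `// create additional flow steps for \`XxeFlowStateTransformer\`s (matched on the unconverted indirect expr; sinks use the converted form)`. The signature of the predicate whose parameter list opens this hunk is outside the hunk.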

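--- a/cpp/ql/src/Security/CWE/CWE-611/Xerces.qll
+++ b/cpp/ql/src/Security/CWE/CWE-611/Xerces.qll
@@ -65,9 +65,9 @@ class XercesDomParserLibrary extends XmlLibrary {
 override predicate configurationSource(DataFlow::Node node, string flowstate) {
 // source is the write on `this` of a call to the `XercesDOMParser`
 // constructor.
-exists(CallInstruction call |
-call.getStaticCallTarget() = any(XercesDomParserClass c).getAConstructor() and
-node.asInstruction().(StoreInstruction).getSourceValue() = call.getThisArgument() and
+exists(Call call |
+call.getTarget() = any(XercesDomParserClass c).getAConstructor() and
+node.asExpr() = call and
 encodeXercesFlowState(flowstate, 0, 1) // default configuration
 )
 }
@@ -76,7 +76,7 @@ class XercesDomParserLibrary extends XmlLibrary {
 // sink is the read of the qualifier of a call to `AbstractDOMParser.parse`.
 exists(Call call |
 call.getTarget().getClassAndName("parse") instanceof AbstractDomParserClass and
-call.getQualifier() = node.asConvertedExpr()
+call.getQualifier() = node.asIndirectConvertedExpr()
 ) and
 flowstate instanceof XercesFlowState and
 not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
@@ -111,7 +111,7 @@ class CreateLSParserLibrary extends XmlLibrary {
 // source is the result of a call to `createLSParser`.
 exists(Call call |
 call.getTarget() instanceof CreateLSParser and
-call = node.asExpr() and
+call = node.asIndirectExpr() and
 encodeXercesFlowState(flowstate, 0, 1) // default configuration
 )
 }
@@ -120,7 +120,7 @@ class CreateLSParserLibrary extends XmlLibrary {
 // sink is the read of the qualifier of a call to `DOMLSParserClass.parse`.
 exists(Call call |
 call.getTarget().getClassAndName("parse") instanceof DomLSParserClass and
-call.getQualifier() = node.asConvertedExpr()
+call.getQualifier() = node.asIndirectConvertedExpr()
 ) and
 flowstate instanceof XercesFlowState and
 not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
@@ -150,9 +150,9 @@ class SaxParserLibrary extends XmlLibrary {
 override predicate configurationSource(DataFlow::Node node, string flowstate) {
 // source is the write on `this` of a call to the `SAXParser`
 // constructor.
-exists(CallInstruction call |
-call.getStaticCallTarget() = any(SaxParserClass c).getAConstructor() and
-node.asInstruction().(StoreInstruction).getSourceValue() = call.getThisArgument() and
+exists(Call call |
+call.getTarget() = any(SaxParserClass c).getAConstructor() and
+node.asExpr() = call and
 encodeXercesFlowState(flowstate, 0, 1) // default configuration
 )
 }
@@ -161,7 +161,7 @@ class SaxParserLibrary extends XmlLibrary {
 // sink is the read of the qualifier of a call to `SAXParser.parse`.
 exists(Call call |
 call.getTarget().getClassAndName("parse") instanceof SaxParserClass and
-call.getQualifier() = node.asConvertedExpr()
+call.getQualifier() = node.asIndirectConvertedExpr()
 ) and
 flowstate instanceof XercesFlowState and
 not encodeXercesFlowState(flowstate, 1, 1) // safe configuration
@@ -189,7 +189,7 @@ class Sax2XmlReaderLibrary extends XmlLibrary {
 // source is the result of a call to `createXMLReader`.
 exists(Call call |
 call.getTarget() instanceof CreateXmlReader and
-call = node.asExpr() and
+call = node.asIndirectExpr() and
 encodeXercesFlowState(flowstate, 0, 1) // default configuration
 )
 }
@@ -198,7 +198,7 @@ class Sax2XmlReaderLibrary extends XmlLibrary {
 // sink is the read of the qualifier of a call to `SAX2XMLReader.parse`.
 exists(Call call |
 call.getTarget().getClassAndName("parse") instanceof Sax2XmlReader and
-call.getQualifier() = node.asConvertedExpr()
+call.getQualifier() = node.asIndirectConvertedExpr()
 ) and
 flowstate instanceof XercesFlowState and
 not encodeXercesFlowState(flowstate, 1, 1) // safe configuration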
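Review bot: The comment kept above the rewritten `XercesDomParserLibrary` source (first hunk, lines 66-67) still says `// source is the write on \`this\` of a call to the \`XercesDOMParser\` constructor.`, but the new body no longer looks at a `StoreInstruction` on `this` at all — it selects the constructor call expression itself via `node.asExpr() = call`; the same stale comment remains above the `SaxParserLibrary` source in the hunk at line 150. Suggest `// source is the call to the \`XercesDOMParser\` constructor, i.e. the parser object` `// being constructed (per the commit message this also covers stack-allocated parsers).` and the matching text for `SAXParser`. Separately, the sources are now plain `asExpr()` nodes while every sink is an `asIndirectConvertedExpr()` node of the `parse` qualifier; whether the constructor-call node reaches the indirect qualifier node for both `new`-allocated and stack-allocated parsers is not visible here, and a gap there would make the query silently miss default-configured parsers, so the commit's tests should cover both allocation styles. The `configurationSink` signatures for the single-line sink hunks are outside the hunks.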
