
Commit 91795b8

Python: Add simple test of Xxe/XmlBomb
Note that most of the testing happens in the framework-specific tests, with an inline-expectation test
1 parent e45f9d6 commit 91795b8

6 files changed

Lines changed: 94 additions & 0 deletions


Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
edges
2+
| test.py:8:19:8:25 | ControlFlowNode for request | test.py:8:19:8:30 | ControlFlowNode for Attribute |
3+
| test.py:8:19:8:30 | ControlFlowNode for Attribute | test.py:8:19:8:45 | ControlFlowNode for Subscript |
4+
| test.py:8:19:8:45 | ControlFlowNode for Subscript | test.py:9:34:9:44 | ControlFlowNode for xml_content |
5+
| test.py:19:19:19:25 | ControlFlowNode for request | test.py:19:19:19:30 | ControlFlowNode for Attribute |
6+
| test.py:19:19:19:30 | ControlFlowNode for Attribute | test.py:19:19:19:45 | ControlFlowNode for Subscript |
7+
| test.py:19:19:19:45 | ControlFlowNode for Subscript | test.py:30:34:30:44 | ControlFlowNode for xml_content |
8+
nodes
9+
| test.py:8:19:8:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
10+
| test.py:8:19:8:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
11+
| test.py:8:19:8:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
12+
| test.py:9:34:9:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
13+
| test.py:19:19:19:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
14+
| test.py:19:19:19:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
15+
| test.py:19:19:19:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
16+
| test.py:30:34:30:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
17+
subpaths
18+
#select
19+
| test.py:9:34:9:44 | ControlFlowNode for xml_content | test.py:8:19:8:25 | ControlFlowNode for request | test.py:9:34:9:44 | ControlFlowNode for xml_content | A $@ is parsed as XML without guarding against external entity expansion. | test.py:8:19:8:25 | ControlFlowNode for request | user-provided value |
20+
| test.py:30:34:30:44 | ControlFlowNode for xml_content | test.py:19:19:19:25 | ControlFlowNode for request | test.py:30:34:30:44 | ControlFlowNode for xml_content | A $@ is parsed as XML without guarding against external entity expansion. | test.py:19:19:19:25 | ControlFlowNode for request | user-provided value |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
experimental/Security/NEW/CWE-611/Xxe.ql
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
from flask import Flask, request
2+
import lxml.etree
3+
4+
app = Flask(__name__)
5+
6+
@app.route("/vuln-handler")
7+
def vuln_handler():
8+
xml_content = request.args['xml_content']
9+
return lxml.etree.fromstring(xml_content).text
10+
11+
@app.route("/safe-handler")
12+
def safe_handler():
13+
xml_content = request.args['xml_content']
14+
parser = lxml.etree.XMLParser(resolve_entities=False)
15+
return lxml.etree.fromstring(xml_content, parser=parser).text
16+
17+
@app.route("/super-vuln-handler")
18+
def super_vuln_handler():
19+
xml_content = request.args['xml_content']
20+
parser = lxml.etree.XMLParser(
21+
# allows XXE
22+
resolve_entities=True,
23+
# allows remote XXE
24+
no_network=False,
25+
# together with `no_network=False`, allows DTD-retrival
26+
load_dtd=True,
27+
# allows DoS attacks
28+
huge_tree=True,
29+
)
30+
return lxml.etree.fromstring(xml_content, parser=parser).text
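Review bot: the comment on line 25 of this hunk, `# together with `no_network=False`, allows DTD-retrival`, has a typo and should read `DTD-retrieval`. While touching the comments, `# allows DoS attacks` on line 27 would be more useful if it said which parser limit `huge_tree=True` lifts, since that flag is the one the separate XmlBomb test keys on and the current wording does not explain why it belongs in a `super-vuln-handler`.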
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
edges
2+
| test.py:19:19:19:25 | ControlFlowNode for request | test.py:19:19:19:30 | ControlFlowNode for Attribute |
3+
| test.py:19:19:19:30 | ControlFlowNode for Attribute | test.py:19:19:19:45 | ControlFlowNode for Subscript |
4+
| test.py:19:19:19:45 | ControlFlowNode for Subscript | test.py:30:34:30:44 | ControlFlowNode for xml_content |
5+
nodes
6+
| test.py:19:19:19:25 | ControlFlowNode for request | semmle.label | ControlFlowNode for request |
7+
| test.py:19:19:19:30 | ControlFlowNode for Attribute | semmle.label | ControlFlowNode for Attribute |
8+
| test.py:19:19:19:45 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
9+
| test.py:30:34:30:44 | ControlFlowNode for xml_content | semmle.label | ControlFlowNode for xml_content |
10+
subpaths
11+
#select
12+
| test.py:30:34:30:44 | ControlFlowNode for xml_content | test.py:19:19:19:25 | ControlFlowNode for request | test.py:30:34:30:44 | ControlFlowNode for xml_content | A $@ is parsed as XML without guarding against uncontrolled entity expansion. | test.py:19:19:19:25 | ControlFlowNode for request | user-provided value |
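Review bot: the `#select` here reports only line 30 (`super-vuln-handler`), while `vuln-handler` at line 9, which uses a default `lxml.etree.XMLParser`, is not reported; the CWE-611 expectations for the same test.py report both. A short comment in test.py stating that the default parser is treated as safe for uncontrolled entity expansion and that only the `huge_tree=True` parser is expected to be flagged would make the difference between the two expected files clearly deliberate.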
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
experimental/Security/NEW/CWE-776/XmlBomb.ql
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
from flask import Flask, request
2+
import lxml.etree
3+
4+
app = Flask(__name__)
5+
6+
@app.route("/vuln-handler")
7+
def vuln_handler():
8+
xml_content = request.args['xml_content']
9+
return lxml.etree.fromstring(xml_content).text
10+
11+
@app.route("/safe-handler")
12+
def safe_handler():
13+
xml_content = request.args['xml_content']
14+
parser = lxml.etree.XMLParser(resolve_entities=False)
15+
return lxml.etree.fromstring(xml_content, parser=parser).text
16+
17+
@app.route("/super-vuln-handler")
18+
def super_vuln_handler():
19+
xml_content = request.args['xml_content']
20+
parser = lxml.etree.XMLParser(
21+
# allows XXE
22+
resolve_entities=True,
23+
# allows remote XXE
24+
no_network=False,
25+
# together with `no_network=False`, allows DTD-retrival
26+
load_dtd=True,
27+
# allows DoS attacks
28+
huge_tree=True,
29+
)
30+
return lxml.etree.fromstring(xml_content, parser=parser).text
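Review bot: this test.py is identical to the CWE-611 one, so the only XmlBomb-specific case is `super-vuln-handler`, which sets all four parser options at once. Consider adding a handler that sets `huge_tree=True` with `resolve_entities=False`, or `resolve_entities=True` with the default `huge_tree`, so the expected file documents which option the XmlBomb query actually keys on rather than leaving that implicit. The `DTD-retrival` typo on line 25 is duplicated here as well.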
