Python: => XMLParsingVulnerabilityKind

RasmusWL · RasmusWL · commit e45288e812a0 · 2022-03-31T09:52:55.000+02:00
Since there are other XML vulnerabilities that are not about parsing,
this is more correct.
diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll
@@ -556,8 +556,8 @@ module XML {
    *
    * See overview of kinds at https://pypi.org/project/defusedxml/#python-xml-libraries
    */
-  class XMLVulnerabilityKind extends string {
-    XMLVulnerabilityKind() {
+  class XMLParsingVulnerabilityKind extends string {
+    XMLParsingVulnerabilityKind() {
       this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
     }
 
@@ -589,7 +589,7 @@ module XML {
     /**
      * Holds if this XML parsing is vulnerable to `kind`.
      */
-    predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
+    predicate vulnerableTo(XMLParsingVulnerabilityKind kind) { super.vulnerableTo(kind) }
   }
 
   /** Provides classes for modeling XML parsing APIs. */
@@ -609,7 +609,7 @@ module XML {
       /**
        * Holds if this XML parsing is vulnerable to `kind`.
        */
-      abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
+      abstract predicate vulnerableTo(XMLParsingVulnerabilityKind kind);
     }
   }
 }
diff --git a/python/ql/src/experimental/Security/CWE-611/SimpleXmlRpcServer.ql b/python/ql/src/experimental/Security/CWE-611/SimpleXmlRpcServer.ql
@@ -17,7 +17,7 @@ from DataFlow::CallCfgNode call, string kinds
 where
   call = API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall() and
   kinds =
-    strictconcat(ExperimentalXML::XMLVulnerabilityKind kind |
+    strictconcat(ExperimentalXML::XMLParsingVulnerabilityKind kind |
       kind.isBillionLaughs() or kind.isQuadraticBlowup()
     |
       kind, ", "
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -66,7 +66,7 @@ private module XmlEtree {
 
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
 
-      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
         kind.isBillionLaughs() or kind.isQuadraticBlowup()
       }
     }
@@ -103,7 +103,7 @@ private module XmlEtree {
         ]
     }
 
-    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       // note: it does not matter what `xml.etree` parser you are using, you cannot
       // change the security features anyway :|
       kind.isBillionLaughs() or kind.isQuadraticBlowup()
@@ -218,7 +218,7 @@ private module SaxBasedParsing {
 
     override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }
 
-    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       // always vuln to these
       (kind.isBillionLaughs() or kind.isQuadraticBlowup())
       or
@@ -251,7 +251,7 @@ private module SaxBasedParsing {
         ]
     }
 
-    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       // always vuln to these
       (kind.isBillionLaughs() or kind.isQuadraticBlowup())
       or
@@ -290,7 +290,7 @@ private module SaxBasedParsing {
 
     DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
 
-    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       this.getParserArg() = saxParserWithFeatureExternalGesTurnedOn() and
       (kind.isXxe() or kind.isDtdRetrieval())
       or
@@ -317,7 +317,7 @@ private module Lxml {
      */
     abstract class InstanceSource extends DataFlow::LocalSourceNode {
       /** Holds if this instance is vulnerable to `kind`. */
-      abstract predicate vulnerableTo(XML::XMLVulnerabilityKind kind);
+      abstract predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind);
     }
 
     /**
@@ -331,7 +331,7 @@ private module Lxml {
       }
 
       // NOTE: it's not possible to change settings of a parser after constructing it
-      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
         kind.isXxe() and
         (
           // resolve_entities has default True
@@ -361,7 +361,7 @@ private module Lxml {
           API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getACall()
       }
 
-      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
         // as highlighted by
         // https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
         // by default XXE is allow. so as long as the default parser has not been
@@ -385,7 +385,7 @@ private module Lxml {
     }
 
     /** Gets a reference to an `lxml.etree` parser instance, that is vulnerable to `kind`. */
-    DataFlow::Node instanceVulnerableTo(XML::XMLVulnerabilityKind kind) {
+    DataFlow::Node instanceVulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       exists(InstanceSource origin | result = instance(origin) and origin.vulnerableTo(kind))
     }
 
@@ -397,7 +397,7 @@ private module Lxml {
 
       override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }
 
-      override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+      override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
         this.calls(instanceVulnerableTo(kind), "feed")
       }
     }
@@ -436,7 +436,7 @@ private module Lxml {
 
     DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }
 
-    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       this.getParserArg() = XMLParser::instanceVulnerableTo(kind)
       or
       kind.isXxe() and
@@ -456,7 +456,7 @@ private module Xmltodict {
       result in [this.getArg(0), this.getArgByName("xml_input")]
     }
 
-    override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {
+    override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {
       (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
       this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)
     }
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
@@ -41,7 +41,7 @@ module XmlBomb {
    */
   class XmlParsingWithEntityResolution extends Sink {
     XmlParsingWithEntityResolution() {
-      exists(XML::XMLParsing parsing, XML::XMLVulnerabilityKind kind |
+      exists(XML::XMLParsing parsing, XML::XMLParsingVulnerabilityKind kind |
         (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
         parsing.vulnerableTo(kind) and
         this = parsing.getAnInput()
diff --git a/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll b/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
@@ -41,7 +41,7 @@ module Xxe {
    */
   class XmlParsingWithExternalEntityResolution extends Sink {
     XmlParsingWithExternalEntityResolution() {
-      exists(XML::XMLParsing parsing, XML::XMLVulnerabilityKind kind |
+      exists(XML::XMLParsing parsing, XML::XMLParsingVulnerabilityKind kind |
         kind.isXxe() and
         parsing.vulnerableTo(kind) and
         this = parsing.getAnInput()
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql b/python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql
@@ -21,7 +21,7 @@ class XmlParsingTest extends InlineExpectationsTest {
         tag = "input"
       )
       or
-      exists(XML::XMLVulnerabilityKind kind |
+      exists(XML::XMLParsingVulnerabilityKind kind |
         parsing.vulnerableTo(kind) and
         location = parsing.getLocation() and
         element = parsing.toString() and

Original file line number	Diff line number	Diff line change
`@@ -556,8 +556,8 @@ module XML {`
`556`	`556`	`*`
`557`	`557`	`* See overview of kinds at https://pypi.org/project/defusedxml/#python-xml-libraries`
`558`	`558`	`*/`
`559`		`- class XMLVulnerabilityKind extends string {`
`560`		`- XMLVulnerabilityKind() {`
	`559`	`+ class XMLParsingVulnerabilityKind extends string {`
	`560`	`+ XMLParsingVulnerabilityKind() {`
`561`	`561`	`this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]`
`562`	`562`	`}`
`563`	`563`
`@@ -589,7 +589,7 @@ module XML {`
`589`	`589`	`/**`
`590`	`590`	* Holds if this XML parsing is vulnerable to `kind`.
`591`	`591`	`*/`
`592`		`- predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }`
	`592`	`+ predicate vulnerableTo(XMLParsingVulnerabilityKind kind) { super.vulnerableTo(kind) }`
`593`	`593`	`}`
`594`	`594`
`595`	`595`	`/** Provides classes for modeling XML parsing APIs. */`
`@@ -609,7 +609,7 @@ module XML {`
`609`	`609`	`/**`
`610`	`610`	* Holds if this XML parsing is vulnerable to `kind`.
`611`	`611`	`*/`
`612`		`- abstract predicate vulnerableTo(XMLVulnerabilityKind kind);`
	`612`	`+ abstract predicate vulnerableTo(XMLParsingVulnerabilityKind kind);`
`613`	`613`	`}`
`614`	`614`	`}`
`615`	`615`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ from DataFlow::CallCfgNode call, string kinds`
`17`	`17`	`where`
`18`	`18`	`call = API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall() and`
`19`	`19`	`kinds =`
`20`		`- strictconcat(ExperimentalXML::XMLVulnerabilityKind kind \|`
	`20`	`+ strictconcat(ExperimentalXML::XMLParsingVulnerabilityKind kind \|`
`21`	`21`	`kind.isBillionLaughs() or kind.isQuadraticBlowup()`
`22`	`22`	`\|`
`23`	`23`	`kind, ", "`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ private module XmlEtree {`
`66`	`66`
`67`	`67`	`override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }`
`68`	`68`
`69`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`69`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`70`	`70`	`kind.isBillionLaughs() or kind.isQuadraticBlowup()`
`71`	`71`	`}`
`72`	`72`	`}`
`@@ -103,7 +103,7 @@ private module XmlEtree {`
`103`	`103`	`]`
`104`	`104`	`}`
`105`	`105`
`106`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`106`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`107`	`107`	// note: it does not matter what `xml.etree` parser you are using, you cannot
`108`	`108`	`// change the security features anyway :\|`
`109`	`109`	`kind.isBillionLaughs() or kind.isQuadraticBlowup()`
`@@ -218,7 +218,7 @@ private module SaxBasedParsing {`
`218`	`218`
`219`	`219`	`override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("source")] }`
`220`	`220`
`221`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`221`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`222`	`222`	`// always vuln to these`
`223`	`223`	`(kind.isBillionLaughs() or kind.isQuadraticBlowup())`
`224`	`224`	`or`
`@@ -251,7 +251,7 @@ private module SaxBasedParsing {`
`251`	`251`	`]`
`252`	`252`	`}`
`253`	`253`
`254`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`254`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`255`	`255`	`// always vuln to these`
`256`	`256`	`(kind.isBillionLaughs() or kind.isQuadraticBlowup())`
`257`	`257`	`or`
`@@ -290,7 +290,7 @@ private module SaxBasedParsing {`
`290`	`290`
`291`	`291`	`DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }`
`292`	`292`
`293`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`293`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`294`	`294`	`this.getParserArg() = saxParserWithFeatureExternalGesTurnedOn() and`
`295`	`295`	`(kind.isXxe() or kind.isDtdRetrieval())`
`296`	`296`	`or`
`@@ -317,7 +317,7 @@ private module Lxml {`
`317`	`317`	`*/`
`318`	`318`	`abstract class InstanceSource extends DataFlow::LocalSourceNode {`
`319`	`319`	/** Holds if this instance is vulnerable to `kind`. */
`320`		`- abstract predicate vulnerableTo(XML::XMLVulnerabilityKind kind);`
	`320`	`+ abstract predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind);`
`321`	`321`	`}`
`322`	`322`
`323`	`323`	`/**`
`@@ -331,7 +331,7 @@ private module Lxml {`
`331`	`331`	`}`
`332`	`332`
`333`	`333`	`// NOTE: it's not possible to change settings of a parser after constructing it`
`334`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`334`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`335`	`335`	`kind.isXxe() and`
`336`	`336`	`(`
`337`	`337`	`// resolve_entities has default True`
`@@ -361,7 +361,7 @@ private module Lxml {`
`361`	`361`	`API::moduleImport("lxml").getMember("etree").getMember("get_default_parser").getACall()`
`362`	`362`	`}`
`363`	`363`
`364`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`364`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`365`	`365`	`// as highlighted by`
`366`	`366`	`// https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser`
`367`	`367`	`// by default XXE is allow. so as long as the default parser has not been`
`@@ -385,7 +385,7 @@ private module Lxml {`
`385`	`385`	`}`
`386`	`386`
`387`	`387`	/** Gets a reference to an `lxml.etree` parser instance, that is vulnerable to `kind`. */
`388`		`- DataFlow::Node instanceVulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`388`	`+ DataFlow::Node instanceVulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`389`	`389`	`exists(InstanceSource origin \| result = instance(origin) and origin.vulnerableTo(kind))`
`390`	`390`	`}`
`391`	`391`
`@@ -397,7 +397,7 @@ private module Lxml {`
`397`	`397`
`398`	`398`	`override DataFlow::Node getAnInput() { result in [this.getArg(0), this.getArgByName("data")] }`
`399`	`399`
`400`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`400`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`401`	`401`	`this.calls(instanceVulnerableTo(kind), "feed")`
`402`	`402`	`}`
`403`	`403`	`}`
`@@ -436,7 +436,7 @@ private module Lxml {`
`436`	`436`
`437`	`437`	`DataFlow::Node getParserArg() { result in [this.getArg(1), this.getArgByName("parser")] }`
`438`	`438`
`439`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`439`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`440`	`440`	`this.getParserArg() = XMLParser::instanceVulnerableTo(kind)`
`441`	`441`	`or`
`442`	`442`	`kind.isXxe() and`
`@@ -456,7 +456,7 @@ private module Xmltodict {`
`456`	`456`	`result in [this.getArg(0), this.getArgByName("xml_input")]`
`457`	`457`	`}`
`458`	`458`
`459`		`- override predicate vulnerableTo(XML::XMLVulnerabilityKind kind) {`
	`459`	`+ override predicate vulnerableTo(XML::XMLParsingVulnerabilityKind kind) {`
`460`	`460`	`(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and`
`461`	`461`	`this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)`
`462`	`462`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ class XmlParsingTest extends InlineExpectationsTest {`
`21`	`21`	`tag = "input"`
`22`	`22`	`)`
`23`	`23`	`or`
`24`		`- exists(XML::XMLVulnerabilityKind kind \|`
	`24`	`+ exists(XML::XMLParsingVulnerabilityKind kind \|`
`25`	`25`	`parsing.vulnerableTo(kind) and`
`26`	`26`	`location = parsing.getLocation() and`
`27`	`27`	`element = parsing.toString() and`