

Commit e45f9d6

committed
Python: Adjust Xxe/XmlBomb for Python
I changed a few QLDocs so they fit the style we have used in Python... although I surely do regret having introduced a new style for how these QLDocs look :D
1 parent 65907c9 commit e45f9d6

6 files changed

Lines changed: 51 additions & 50 deletions


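--- a/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql
+++ b/python/ql/src/experimental/Security/NEW/CWE-611/Xxe.ql
@@ -6,14 +6,14 @@
 * @problem.severity error
 * @security-severity 9.1
 * @precision high
-* @id js/xxe
+* @id py/xxe
 * @tags security
 * external/cwe/cwe-611
 * external/cwe/cwe-827
 */
 
-import javascript
-import semmle.javascript.security.dataflow.XxeQuery
+import python
+import experimental.semmle.python.security.dataflow.XxeQuery
 import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink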

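--- a/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql
+++ b/python/ql/src/experimental/Security/NEW/CWE-776/XmlBomb.ql
@@ -6,14 +6,14 @@
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
-* @id js/xml-bomb
+* @id py/xml-bomb
 * @tags security
 * external/cwe/cwe-776
 * external/cwe/cwe-400
 */
 
-import javascript
-import semmle.javascript.security.dataflow.XmlBombQuery
+import python
+import experimental.semmle.python.security.dataflow.XmlBombQuery
 import DataFlow::PathGraph
 
 from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink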

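--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombCustomizations.qll
@@ -1,12 +1,18 @@
 /**
-* Provides default sources, sinks and sanitizers for reasoning about
-* XML-bomb vulnerabilities, as well as extension points for adding
-* your own.
+* Provides default sources, sinks and sanitizers for detecting
+* "XML bomb"
+* vulnerabilities, as well as extension points for adding your own.
 */
 
-import javascript
-import semmle.javascript.security.dataflow.DOM
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
 
+/**
+* Provides default sources, sinks and sanitizers for detecting "XML bomb"
+* vulnerabilities, as well as extension points for adding your own.
+*/
 module XmlBomb {
 /**
 * A data flow source for XML-bomb vulnerabilities.
@@ -28,21 +34,16 @@ module XmlBomb {
 RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
 }
 
-/**
-* An access to `document.location`, considered as a flow source for XML bomb vulnerabilities.
-*/
-class LocationAsSource extends Source, DataFlow::ValueNode {
-LocationAsSource() { isLocation(astNode) }
-}
-
 /**
 * A call to an XML parser that performs internal entity expansion, viewed
 * as a data flow sink for XML-bomb vulnerabilities.
 */
-class XmlParsingWithEntityResolution extends Sink, DataFlow::ValueNode {
+class XmlParsingWithEntityResolution extends Sink {
 XmlParsingWithEntityResolution() {
-exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
-parse.resolvesEntities(XML::InternalEntity())
+exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind |
+(kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
+parsing.vulnerableTo(kind) and
+this = parsing.getAnInput()
 )
 }
 }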

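--- a/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XmlBombQuery.qll
@@ -1,17 +1,18 @@
 /**
-* Provides a taint tracking configuration for reasoning about
-* XML-bomb vulnerabilities.
+* Provides a taint-tracking configuration for detecting "XML bomb" vulnerabilities.
 *
 * Note, for performance reasons: only import this file if
-* `XmlBomb::Configuration` is needed, otherwise
+* `Configuration` is needed, otherwise
 * `XmlBombCustomizations` should be imported instead.
 */
 
-import javascript
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
 import XmlBombCustomizations::XmlBomb
 
 /**
-* A taint-tracking configuration for reasoning about XML-bomb vulnerabilities.
+* A taint-tracking configuration for detecting "XML bomb" vulnerabilities.
 */
 class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "XmlBomb" }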

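--- a/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XxeCustomizations.qll
@@ -1,12 +1,18 @@
 /**
-* Provides default sources, sinks and sanitizers for reasoning about
-* XML External Entity (XXE) vulnerabilities, as well as extension
-* points for adding your own.
+* Provides default sources, sinks and sanitizers for detecting
+* "XML External Entity (XXE)"
+* vulnerabilities, as well as extension points for adding your own.
 */
 
-import javascript
-import semmle.javascript.security.dataflow.DOM
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import experimental.semmle.python.Concepts
+private import semmle.python.dataflow.new.RemoteFlowSources
 
+/**
+* Provides default sources, sinks and sanitizers for detecting "XML External Entity (XXE)"
+* vulnerabilities, as well as extension points for adding your own.
+*/
 module Xxe {
 /**
 * A data flow source for XXE vulnerabilities.
@@ -28,24 +34,16 @@ module Xxe {
 RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
 }
 
-/**
-* An access to `document.location`, considered as a flow source for XXE vulnerabilities.
-*/
-class LocationAsSource extends Source, DataFlow::ValueNode {
-LocationAsSource() { isLocation(astNode) }
-}
-
 /**
 * A call to an XML parser that performs external entity expansion, viewed
 * as a data flow sink for XXE vulnerabilities.
 */
-class XmlParsingWithExternalEntityResolution extends Sink, DataFlow::ValueNode {
+class XmlParsingWithExternalEntityResolution extends Sink {
 XmlParsingWithExternalEntityResolution() {
-exists(XML::ParserInvocation parse | astNode = parse.getSourceArgument() |
-parse.resolvesEntities(XML::ExternalEntity(_))
-or
-parse.resolvesEntities(XML::ParameterEntity(true)) and
-parse.resolvesEntities(XML::InternalEntity())
+exists(ExperimentalXML::XMLParsing parsing, ExperimentalXML::XMLVulnerabilityKind kind |
+kind.isXxe() and
+parsing.vulnerableTo(kind) and
+this = parsing.getAnInput()
 )
 }
 }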

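--- a/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll
+++ b/python/ql/src/experimental/semmle/python/security/dataflow/XxeQuery.qll
@@ -1,17 +1,18 @@
 /**
-* Provides a taint tracking configuration for reasoning about XML
-* External Entity (XXE) vulnerabilities.
+* Provides a taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
 *
 * Note, for performance reasons: only import this file if
-* `Xxe::Configuration` is needed, otherwise `XxeCustomizations`
-* should be imported instead.
+* `Configuration` is needed, otherwise
+* `XxeCustomizations` should be imported instead.
 */
 
-import javascript
+import python
+import semmle.python.dataflow.new.DataFlow
+import semmle.python.dataflow.new.TaintTracking
 import XxeCustomizations::Xxe
 
 /**
-* A taint-tracking configuration for reasoning about XXE vulnerabilities.
+* A taint-tracking configuration for detecting "XML External Entity (XXE)" vulnerabilities.
 */
 class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "Xxe" }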
