Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
91 commits
Select commit Hold shift + click to select a range
0e61558
Empty commit
jorgectf Jun 19, 2021
78deec8
Upload main structure and initial tests
jorgectf Jun 22, 2021
b9fa57f
Move tests to `test/`
jorgectf Jun 29, 2021
c3b3bde
Add `XMLParser` concept
jorgectf Jun 29, 2021
d475d52
Add partial modeling
jorgectf Jun 29, 2021
11f4c1c
Format tests
jorgectf Jul 22, 2021
b5e10b6
Write `(String|Bytes)IO` additional taint step
jorgectf Jul 22, 2021
068150b
Finish modeling
jorgectf Jul 22, 2021
0d2646f
Polish documentation
jorgectf Jul 23, 2021
61e873d
Polish tests
jorgectf Jul 24, 2021
b83b31c
Write qldocs
jorgectf Jul 24, 2021
1dd77f1
Fix undetected tests
jorgectf Jul 24, 2021
93c8529
Add `.expected`
jorgectf Jul 24, 2021
48bca5b
Fix references' link anchor
jorgectf Aug 25, 2021
21da603
Update `.qlref`
jorgectf Sep 7, 2021
61a81b6
Extend `.qlref`
jorgectf Sep 9, 2021
67fddda
Merge branch 'main' into jorgectf/python/deserialization
RasmusWL Sep 28, 2021
9c286a1
Python: fix name of `.qhelp` file
RasmusWL Sep 28, 2021
e472814
Python: Fix XXE qhelp
RasmusWL Sep 28, 2021
8df3dab
Python: Adjust `.expected` with subpaths
RasmusWL Sep 28, 2021
15dfc6d
Fix `xml_sax_parser.py` good/bad naming
jorgectf Oct 16, 2021
5b66a15
Extend `mayBeDangerous()` QLDoc
jorgectf Oct 16, 2021
320a00b
Delete simple `API::Node`s
jorgectf Oct 16, 2021
be42470
Apply suggestions from code review
jorgectf Oct 16, 2021
c2046f1
Improve readability for `xmlDom()`
jorgectf Oct 16, 2021
f1a73e3
Merge branch 'jorgectf/python/deserialization' of https://github.com/…
jorgectf Oct 16, 2021
58bc110
Merge branch 'main' into jorgectf/python/deserialization
RasmusWL Oct 28, 2021
066b400
Add `lxml.etree.XMLParser` missing `resolve_entities` dangerous case
jorgectf Oct 28, 2021
637901d
Make concepts instances of their ranges
jorgectf Nov 16, 2021
cb8e54e
Delete redundant `LXMLParser` dangerous check
jorgectf Nov 16, 2021
9ab6d21
Add forward type tracking test
jorgectf Jan 14, 2022
a1f8acc
Merge branch 'github:main' into jorgectf/python/deserialization
jorgectf Jan 31, 2022
080775c
Merge branch 'jorgectf/python/deserialization' of https://github.com/…
jorgectf Jan 31, 2022
d96eb01
Merge branch 'github:main' into jorgectf/python/deserialization
jorgectf Feb 4, 2022
43fde35
Merge branch 'jorgectf/python/deserialization' of https://github.com/…
jorgectf Feb 4, 2022
99e14d1
Merge branch 'github:main' into jorgectf/python/deserialization
jorgectf Feb 5, 2022
d2f07e4
Merge branch 'jorgectf/python/deserialization' of https://github.com/…
jorgectf Feb 5, 2022
8f9cd16
Update
jorgectf Feb 8, 2022
7c4a6a1
Test polish
jorgectf Feb 8, 2022
01ad25f
Apply `.getALocalSource()` and fix `xmltodict`'s `vulnerable` predicate
jorgectf Feb 8, 2022
b00051e
Update `.expected`
jorgectf Feb 8, 2022
85b5ef3
`XmlInjection` -> `XmlEntityInjection`
jorgectf Feb 9, 2022
c5f30d9
Create an extendable `AdditionalTaintStep` class in customizations
jorgectf Feb 20, 2022
518e2ae
Merge branch 'main' into jorgectf/python/deserialization
RasmusWL Mar 1, 2022
500e0ac
Python: Rewrite sax XML tests
RasmusWL Mar 1, 2022
ee23c05
Python: XML: Expose vuln kind on sink
RasmusWL Mar 1, 2022
aaf55b2
Python: Add XMLVulnerabilityKind
RasmusWL Mar 2, 2022
16e482b
Python: Improve QLDoc for XML parsing/parsers
RasmusWL Mar 2, 2022
6dd776b
Python: Only produce one alert per vulnerable XML sink
RasmusWL Mar 2, 2022
7f7758b
Python: rewrite xml sax modeling
RasmusWL Mar 2, 2022
515b824
Python: Add lxml positive test
RasmusWL Mar 3, 2022
661d8bf
Python: Better handling of `resolve_entities` arg in lxml
RasmusWL Mar 3, 2022
52891cb
Python: Add PoC for XML vulns
RasmusWL Mar 3, 2022
3c321dd
Python: Model `lxml.etree.get_default_parser` in own class
RasmusWL Mar 3, 2022
124c03c
Python: Expand lxml tests
RasmusWL Mar 3, 2022
e295399
Python: Properly handle `huge_tree` in lxml
RasmusWL Mar 3, 2022
703e3e8
Python: Handle DTD retrieval vuln in lxml
RasmusWL Mar 3, 2022
6129193
Python: Properly model `xml.etree`
RasmusWL Mar 3, 2022
3affa6c
Python: Annotate xmltodict tests
RasmusWL Mar 3, 2022
c4d08db
Python: Expand XML PoC with minidom/pulldom/expat
RasmusWL Mar 3, 2022
5a65248
Python: Annotate xml.dom tests
RasmusWL Mar 3, 2022
9406a97
Python: Fix vuln detection for xml.minidom with parser arg
RasmusWL Mar 3, 2022
7cda901
Python: Add separate query for SimpleXMLRPCServer
RasmusWL Mar 3, 2022
4b03f5c
Python: Rename xml.sax test for consistency
RasmusWL Mar 3, 2022
faebaee
Python: Use concept tests for XML Parsing
RasmusWL Mar 3, 2022
a7134ca
Python: Port xml.dom tests
RasmusWL Mar 3, 2022
5fb4c4d
Python: Port xml.etree tests
RasmusWL Mar 3, 2022
0b12d91
Python: Port xml.sax tests
RasmusWL Mar 3, 2022
c739ae4
Python: Port `xmltodict` tests
RasmusWL Mar 3, 2022
2451123
Python: Move XML PoC to new test dir
RasmusWL Mar 3, 2022
3278793
Python: Handle more functions and kw-args
RasmusWL Mar 3, 2022
f72f673
Python: Update `XmlEntityInjection.expected`
RasmusWL Mar 3, 2022
33ebcdf
Python: Support feed method of lxml/xml.etree Parsers
RasmusWL Mar 3, 2022
46238d5
Python: Add test for XMLPullParser
RasmusWL Mar 3, 2022
de0e67f
Python: Restructure overall XML modeling
RasmusWL Mar 3, 2022
a033b71
Python: Align QLdocs of XML modeling
RasmusWL Mar 3, 2022
c0a2c25
Python: Restructure modeling of `xml.etree` parsers
RasmusWL Mar 3, 2022
c0a6f9f
Python: Restructure lxml modeling
RasmusWL Mar 3, 2022
df8e0fc
Python: Minor fixup of qldoc
RasmusWL Mar 3, 2022
837daaa
Python: Remove XMLParser concept
RasmusWL Mar 3, 2022
0d69dc8
Python: Minor qldoc improvement
RasmusWL Mar 3, 2022
3f6c55e
Python: Rename `vulnerable` predicate => `vulnerableTo`
RasmusWL Mar 3, 2022
683c2fa
Apply suggestions from code review
jorgectf Mar 4, 2022
3cd165d
Python: Apply suggestions from code review
RasmusWL Mar 4, 2022
d6cbfec
Python: huge_tree tests were wrong
RasmusWL Mar 4, 2022
f0131af
Python: Fix `huge_tree` modeling
RasmusWL Mar 4, 2022
1a9620a
Python: Add conditional assignment check for sax parser
RasmusWL Mar 4, 2022
ef045a6
Python: Fix typo in set_default_parser
RasmusWL Mar 4, 2022
5552834
Merge pull request #9 from RasmusWL/WIP
jorgectf Mar 4, 2022
6b14c1d
Merge branch 'main' into jorgectf/python/deserialization
RasmusWL Mar 8, 2022
0e9da4a
Python: Resolve name conflict over `XML` module
RasmusWL Mar 8, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Write (String|Bytes)IO additional taint step
  • Loading branch information
jorgectf committed Jul 22, 2021
commit b5e10b6c426e5516a304d23e7dc8fe48754080a7
9 changes: 9 additions & 0 deletions python/ql/src/experimental/semmle/python/security/XXE.qll
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.dataflow.new.BarrierGuards
import semmle.python.ApiGraphs

/**
* A taint-tracking configuration for detecting XML External entities abuse.
Expand All @@ -23,4 +24,12 @@ class XXEFlowConfig extends TaintTracking::Configuration {
override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
guard instanceof StringConstCompare
}

override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeIn) {
exists(DataFlow::CallCfgNode ioCalls |
ioCalls = API::moduleImport("io").getMember(["StringIO", "BytesIO"]).getACall() and
nodeFrom = ioCalls and
nodeIn = ioCalls.getArg(0)
)
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,6 @@

Extend tests
Model xmltodict and xml.dom
Write StringIO/BytesIO additional tain steps


XML Parsers:
xml.etree.ElementTree.XMLParser() - no options, vuln by default
Expand All @@ -35,6 +33,8 @@
xml.dom.(mini|pull)dom.parse(String)
'''

app = Flask(__name__)


@app.route("/XMLParser-Empty&xml.etree.ElementTree.fromstring")
def test1():
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
from flask import request, Flask
from io import StringIO
import xml.sax


app = Flask(__name__)

# https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges


Expand Down