Swift: Add new query for XML External Entities (XXE) vulnerabilities #11086
base: main
QHelp preview: swift/ql/src/queries/Security/CWE-611/XXE.qhelp

Resolving XML external entity in user-controlled data

Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial-of-service attacks, or perform server-side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of service can also be carried out in this situation.

Recommendation

The easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of

Example

The following example uses the

To guard against XXE attacks, the

References
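The QHelp text above describes the weak parser configuration in the abstract. The following is an added example, not code from this PR or from the CodeQL repository, showing what that looks like for the sink this query covers, Foundation's XMLParser on Apple platforms: the same attacker-controlled document is parsed once with external entity resolution switched on (the configuration the query is meant to flag) and once with it pinned off. The sample XML, the file path inside the entity, and the function and class names are assumptions constructed for illustration. In Foundation, shouldResolveExternalEntities defaults to false, so the vulnerable case is the one where a developer has explicitly enabled it; the example sets the resolving policy alongside it so the weak behaviour is explicit rather than relying on either property's default.

```swift
import Foundation

// Added example (not part of the PR or CodeQL's own code). The XML, the
// file path and all names below are constructed for illustration.

/// Minimal delegate that collects the character data the parser reports.
final class TextCollector: NSObject, XMLParserDelegate {
    var text = ""
    func parser(_ parser: XMLParser, foundCharacters string: String) {
        text += string
    }
}

/// Constructed attacker-controlled document: a DOCTYPE declaring an external
/// entity that points at a local file, referenced inside <name>.
let untrustedXML = """
<?xml version="1.0"?>
<!DOCTYPE user [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<user><name>&xxe;</name></user>
"""

/// BAD: external entity resolution is switched on and the policy allows it,
/// so the parser fetches file:///etc/hostname (or any URL the attacker names)
/// and hands its contents to the delegate. This is the pattern the query flags.
func parseUntrustedBad(_ data: Data) -> String {
    let parser = XMLParser(data: data)
    let collector = TextCollector()
    parser.delegate = collector
    parser.shouldResolveExternalEntities = true        // the weak setting
    parser.externalEntityResolvingPolicy = .always     // lets file:// and network URLs through
    parser.parse()
    return collector.text
}

/// GOOD: external entity resolution stays off (the Foundation default) and the
/// resolving policy is pinned to .never, so &xxe; is not expanded and no
/// file or network access happens on the attacker's behalf.
func parseUntrustedGood(_ data: Data) -> String {
    let parser = XMLParser(data: data)
    let collector = TextCollector()
    parser.delegate = collector
    parser.shouldResolveExternalEntities = false
    parser.externalEntityResolvingPolicy = .never
    parser.parse()
    return collector.text
}

let data = Data(untrustedXML.utf8)
let trim = CharacterSet.whitespacesAndNewlines
print("bad:  \(parseUntrustedBad(data).trimmingCharacters(in: trim))")
print("good: \(parseUntrustedGood(data).trimmingCharacters(in: trim))")
```

The hardened function sets both properties deliberately rather than trusting defaults: a reviewer can then see at the sink that external entities are disabled, which is also the shape a data-flow query can recognise as a sanitised parse. When the input comes from a network request rather than a local string, the same two lines are what to look for before XMLParser.parse() is called.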
Only XMLParser sinks for the time being
Use an alert message consistent with the other languages
f9c49bb to da67b10
I think this might be ready for docs review?
I'll review this for Docs
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
Hey @mchammer01 thanks for the review! Actually, the QHelp file was copy-pasted from the XXE query of other languages, but I still applied your suggestions. We can always apply those same fixes to the other languages in a follow-up PR.
Oh sorry @atorralba - I didn't know that |
Adds a new query to cover XXE vulnerabilities. Only covers XMLParser sinks for now; follow-up PRs will add more sinks in third-party libraries.

Note that the CSV summaries added for the classes Data and InputStream are the bare minimum for the XXE tests to work properly. These classes need proper modeling, which deserves its own PRs.