Add local version of the XXE query

Author: atorralba

java/ql/lib/semmle/code/java/security/XxeQuery.qll

@@ -0,0 +1,55 @@
+/** Provides taint tracking configurations to be used in XXE queries. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.security.XmlParsers
+import DataFlow::PathGraph
+
+/**
+ * A taint-tracking configuration for unvalidated remote user input that is used in XML external entity expansion.
+ */
+class XxeConfig extends TaintTracking::Configuration {
+  XxeConfig() { this = "XxeConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+}
+
+/**
+ * A taint-tracking configuration for unvalidated local user input that is used in XML external entity expansion.
+ */
+class XxeLocalConfig extends TaintTracking::Configuration {
+  XxeLocalConfig() { this = "XxeLocalConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+}
+
+private class UnsafeXxeSink extends DataFlow::ExprNode {
+  UnsafeXxeSink() {
+    not exists(SafeSaxSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
+    exists(XmlParserCall parse |
+      parse.getSink() = this.getExpr() and
+      not parse.isSafe()
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for safe XML readers used to parse XML documents.
+ */
+private class SafeSaxSourceFlowConfig extends TaintTracking2::Configuration {
+  SafeSaxSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(XmlParserCall parse).getSink()
+  }
+
+  override int fieldFlowBranchLimit() { result = 0 }
+}

java/ql/src/Security/CWE/CWE-611/XXE.ql

@@ -14,41 +14,9 @@
  */
 
 import java
-import semmle.code.java.security.XmlParsers
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.security.XxeQuery
 import DataFlow::PathGraph
 
-class SafeSaxSourceFlowConfig extends TaintTracking2::Configuration {
-  SafeSaxSourceFlowConfig() { this = "XmlParsers::SafeSAXSourceFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeSaxSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(XmlParserCall parse).getSink()
-  }
-
-  override int fieldFlowBranchLimit() { result = 0 }
-}
-
-class UnsafeXxeSink extends DataFlow::ExprNode {
-  UnsafeXxeSink() {
-    not exists(SafeSaxSourceFlowConfig safeSource | safeSource.hasFlowTo(this)) and
-    exists(XmlParserCall parse |
-      parse.getSink() = this.getExpr() and
-      not parse.isSafe()
-    )
-  }
-}
-
-class XxeConfig extends TaintTracking::Configuration {
-  XxeConfig() { this = "XXE.ql::XxeConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,

java/ql/src/Security/CWE/CWE-611/XXELocal.qhelp

@@ -0,0 +1,5 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<include src="XXE.qhelp" /></qhelp>

java/ql/src/Security/CWE/CWE-611/XXELocal.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Resolving XML external entity in user-controlled data from local source
+ * @description Parsing user-controlled XML documents and allowing expansion of external entity
+ * references may lead to disclosure of confidential data or denial of service.
+ * @kind path-problem
+ * @problem.severity recommendation
+ * @security-severity 9.1
+ * @precision medium
+ * @id java/xxe-local
+ * @tags security
+ *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
+ */
+
+import java
+import semmle.code.java.security.XxeQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, XxeLocalConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "XML parsing depends on a $@ without guarding against external entity expansion.",
+  source.getNode(), "user-provided value"