Update

Author: jorgectf

python/ql/src/experimental/Security/CWE-611/XXE.py

@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<!DOCTYPE dt [
+<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<test>&xxe;</test>

python/ql/src/experimental/Security/CWE-611/XXE.ql

@@ -0,0 +1,25 @@
+from flask import request, Flask
+import lxml.etree
+import xml.etree.ElementTree
+
+app = Flask(__name__)
+
+# BAD
+@app.route("/bad")
+def bad():
+    xml_content = request.args['xml_content']
+
+    parser = lxml.etree.XMLParser()
+    parsed_xml = xml.etree.ElementTree.fromstring(xml_content, parser=parser)
+
+    return parsed_xml.text
+
+# GOOD
+@app.route("/good")
+def good():
+    xml_content = request.args['xml_content']
+
+    parser = lxml.etree.XMLParser(resolve_entities=False)
+    parsed_xml = xml.etree.ElementTree.fromstring(xml_content, parser=parser)
+
+    return parsed_xml.text

python/ql/src/experimental/Security/CWE-611/XXE.xml

@@ -5,31 +5,18 @@
 
 <overview>
 <p>
-Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack.
+Parsing untrusted XML files with a weakly configured XML parser may lead to attacks such as XML External Entity (XXE),
+Billion Laughs, Quadratic Blowup and DTD retrieval.
 This type of attack uses external entity references to access arbitrary files on a system, carry out denial of
 service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band
 data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out
 in this situation.
 </p>
-<p>
-Refer to the following links to check the details regarding how and which libraries are vulnerable:
-</p>
-
-<ul>
-<li><a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities">Python 3</a>.</li>
-<li><a href="https://docs.python.org/2/library/xml.html#xml-vulnerabilities">Python 2</a>.</li>
-</ul>
-
-<p>
-This query currently identifies vulnerable XML parsing from the following parsers:
-<code>xml.etree.ElementTree.XMLParser</code>, <code>lxml.etree.XMLParser</code>, <code>lxml.etree.get_default_parser</code>,
-<code>xml.sax.make_parser</code>.
-</p>
 </overview>
 
 <recommendation>
 <p>
-Use <a href="https://docs.python.org/3/library/xml.html#the-defusedxml-package">defusedxml</a>, a Python package aimed
+Use <a href="https://pypi.org/project/defusedxml/">defusedxml</a>, a Python package aimed
 to prevent any potentially malicious operation.
 </p>
 </recommendation>
@@ -39,10 +26,17 @@ to prevent any potentially malicious operation.
 The following example calls <code>xml.etree.ElementTree.fromstring</code> using a parser (<code>lxml.etree.XMLParser</code>)
 that is not safely configured on untrusted data, and is therefore inherently unsafe.
 </p>
-<sample src="XXE.py"/>
+<sample src="XmlInjection.py"/>
+<p>
+Providing an input (<code>xml_content</code>) like the following XML content against /bad, the request response would contain the contents of
+<code>/etc/passwd</code>.
+</p>
+<sample src="XXE.xml"/>
 </example>
 
 <references>
+<li>Python 3 <a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities">XML Vulnerabilities</a>.</li>
+<li>Python 2 <a href="https://docs.python.org/2/library/xml.html#xml-vulnerabilities">XML Vulnerabilities</a>.</li>
 <li>Python <a href="https://www.edureka.co/blog/python-xml-parser-tutorial/">XML Parsing</a>.</li>
 <li>OWASP vulnerability description: <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.</li>
 <li>OWASP guidance on parsing xml files: <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python">XXE Prevention Cheat Sheet</a>.</li>

python/ql/src/experimental/Security/CWE-611/XmlInjection.py

@@ -0,0 +1,22 @@
+/**
+ * @name XML injection
+ * @description User input should not be parsed without security options enabled.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/xml-injection
+ * @tags security
+ *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
+ */
+
+// determine precision above
+import python
+import experimental.semmle.python.security.dataflow.XmlInjection
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, string kind
+where XmlInjection::xmlInjectionVulnerable(source, sink, kind)
+select sink.getNode(), source, sink,
+  "$@ XML input is constructed from a $@ and is vulnerable to " + kind + ".", sink.getNode(),
+  "This", source.getNode(), "user-provided value"

python/ql/src/experimental/Security/CWE-611/XXE.qhelp renamed to python/ql/src/experimental/Security/CWE-611/XmlInjection.qhelp

@@ -44,94 +44,84 @@ class LogOutput extends DataFlow::Node {
   DataFlow::Node getAnInput() { result = range.getAnInput() }
 }
 
-/** Provides classes for modeling XML parsing APIs. */
-module XMLParsing {
+module XML {
   /**
    * A data-flow node that collects functions parsing XML.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `XMLParsing` instead.
    */
-  abstract class Range extends DataFlow::Node {
+  class XMLParsing extends DataFlow::Node instanceof XMLParsing::Range {
     /**
      * Gets the argument containing the content to parse.
      */
-    abstract DataFlow::Node getAnInput();
+    DataFlow::Node getAnInput() { result = super.getAnInput() }
 
     /**
-     * Holds if the parser may be parsing the input dangerously.
-     *
-     * Specifically, this predicate holds whether the XML parsing parses/extends external
-     * entities in the parsed XML stream.
+     * Holds if the parsing method or the parser holding it is vulnerable to `kind`.
      */
-    abstract predicate mayBeDangerous();
+    predicate vulnerable(string kind) { super.vulnerable(kind) }
   }
-}
 
-/**
- * A data-flow node that collects functions parsing XML.
- *
- * Extend this class to model new APIs. If you want to refine existing API models,
- * extend `XMLParsing` instead.
- */
-class XMLParsing extends DataFlow::Node instanceof XMLParsing::Range {
-  /**
-   * Gets the argument containing the content to parse.
-   *
-   * Specifically, this predicate holds whether the XML parsing parses/extends external
-   * entities in the parsed XML stream.
-   */
-  DataFlow::Node getAnInput() { result = super.getAnInput() }
-
-  /**
-   * Holds if the parser may be parsing the input dangerously.
-   */
-  predicate mayBeDangerous() { super.mayBeDangerous() }
-}
+  /** Provides classes for modeling XML parsing APIs. */
+  module XMLParsing {
+    /**
+     * A data-flow node that collects functions parsing XML.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XMLParsing` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /**
+       * Gets the argument containing the content to parse.
+       */
+      abstract DataFlow::Node getAnInput();
+
+      /**
+       * Holds if the parsing method or the parser holding it is vulnerable to `kind`.
+       */
+      abstract predicate vulnerable(string kind);
+    }
+  }
 
-/** Provides classes for modeling XML parsers. */
-module XMLParser {
   /**
    * A data-flow node that collects XML parsers.
    *
    * Extend this class to model new APIs. If you want to refine existing API models,
    * extend `XMLParser` instead.
    */
-  abstract class Range extends DataFlow::Node {
+  class XMLParser extends DataFlow::Node instanceof XMLParser::Range {
     /**
      * Gets the argument containing the content to parse.
      */
-    abstract DataFlow::Node getAnInput();
+    DataFlow::Node getAnInput() { result = super.getAnInput() }
 
     /**
-     * Holds if the parser may be dangerously configured.
-     *
-     * Specifically, this predicate holds whether the XML parser parses/extends external
-     * entities in the parsed XML stream.
+     * Holds if the parser is vulnerable to `kind`.
      */
-    abstract predicate mayBeDangerous();
+    predicate vulnerable(string kind) { super.vulnerable(kind) }
   }
-}
-
-/**
- * A data-flow node that collects XML parsers.
- *
- * Extend this class to model new APIs. If you want to refine existing API models,
- * extend `XMLParser` instead.
- */
-class XMLParser extends DataFlow::Node instanceof XMLParser::Range {
-  /**
-   * Gets the argument containing the content to parse.
-   */
-  DataFlow::Node getAnInput() { result = super.getAnInput() }
 
-  /**
-   * Holds if the parser may be dangerously configured.
-   *
-   * Specifically, this predicate holds whether the XML parser parses/extends external
-   * entities in the parsed XML stream.
-   */
-  predicate mayBeDangerous() { super.mayBeDangerous() }
+  /** Provides classes for modeling XML parsers. */
+  module XMLParser {
+    /**
+     * A data-flow node that collects XML parsers.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XMLParser` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /**
+       * Gets the argument containing the content to parse.
+       */
+      abstract DataFlow::Node getAnInput();
+
+      /**
+       * Holds if the parser is vulnerable to `kind`.
+       */
+      abstract predicate vulnerable(string kind);
+    }
+  }
 }
 
 /** Provides classes for modeling LDAP query execution-related APIs. */

python/ql/src/experimental/Security/CWE-611/XmlInjection.ql

@@ -3,7 +3,7 @@
  */
 
 private import experimental.semmle.python.frameworks.Stdlib
-private import experimental.semmle.python.frameworks.XML
+private import experimental.semmle.python.frameworks.Xml
 private import experimental.semmle.python.frameworks.Flask
 private import experimental.semmle.python.frameworks.Django
 private import experimental.semmle.python.frameworks.Werkzeug