python: Create XML modulein Concepts

to prepare for XXE and other XML related modelling

Author: yoff

python/ql/lib/semmle/python/Concepts.qll

@@ -453,99 +453,102 @@ module RegexExecution {
   }
 }
 
-/**
- * A data-flow node that constructs an XPath expression.
- *
- * Often, it is worthy of an alert if an XPath expression is constructed such that
- * executing it would be a security risk.
- *
- * If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `XPathConstruction::Range` instead.
- */
-class XPathConstruction extends DataFlow::Node {
-  XPathConstruction::Range range;
-
-  XPathConstruction() { this = range }
-
-  /** Gets the argument that specifies the XPath expressions to be constructed. */
-  DataFlow::Node getXPath() { result = range.getXPath() }
-
-  /**
-   * Gets the name of this XPath expression construction, typically the name of an executing method.
-   * This is used for nice alert messages and should include the module if possible.
-   */
-  string getName() { result = range.getName() }
-}
-
-/** Provides a class for modeling new XPath construction APIs. */
-module XPathConstruction {
+/** Provides classes for modeling XML-related APIs. */
+module XML {
   /**
    * A data-flow node that constructs an XPath expression.
    *
    * Often, it is worthy of an alert if an XPath expression is constructed such that
    * executing it would be a security risk.
    *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `XPathConstruction` instead.
+   * If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPathConstruction::Range` instead.
    */
-  abstract class Range extends DataFlow::Node {
+  class XPathConstruction extends DataFlow::Node {
+    XPathConstruction::Range range;
+
+    XPathConstruction() { this = range }
+
     /** Gets the argument that specifies the XPath expressions to be constructed. */
-    abstract DataFlow::Node getXPath();
+    DataFlow::Node getXPath() { result = range.getXPath() }
 
     /**
      * Gets the name of this XPath expression construction, typically the name of an executing method.
      * This is used for nice alert messages and should include the module if possible.
      */
-    abstract string getName();
+    string getName() { result = range.getName() }
   }
-}
-
-/**
- * A data-flow node that executes a xpath expression.
- *
- * If the context of interest is such that merely constructing an XPath expression
- * would be valuabe to report, then consider using `XPathConstruction`.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `XPathExecution::Range` instead.
- */
-class XPathExecution extends DataFlow::Node {
-  XPathExecution::Range range;
-
-  XPathExecution() { this = range }
 
-  /** Gets the data flow node for the XPath expression being executed by this node. */
-  DataFlow::Node getXPath() { result = range.getXPath() }
+  /** Provides a class for modeling new XPath construction APIs. */
+  module XPathConstruction {
+    /**
+     * A data-flow node that constructs an XPath expression.
+     *
+     * Often, it is worthy of an alert if an XPath expression is constructed such that
+     * executing it would be a security risk.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPathConstruction` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the argument that specifies the XPath expressions to be constructed. */
+      abstract DataFlow::Node getXPath();
 
-  /**
-   * Gets the name of this XPath expression execution, typically the name of an executing method.
-   * This is used for nice alert messages and should include the module if possible.
-   */
-  string getName() { result = range.getName() }
-}
+      /**
+       * Gets the name of this XPath expression construction, typically the name of an executing method.
+       * This is used for nice alert messages and should include the module if possible.
+       */
+      abstract string getName();
+    }
+  }
 
-/** Provides classes for modeling new regular-expression execution APIs. */
-module XPathExecution {
   /**
-   * A data-flow node that executes a XPath expression.
+   * A data-flow node that executes a xpath expression.
    *
    * If the context of interest is such that merely constructing an XPath expression
    * would be valuabe to report, then consider using `XPathConstruction`.
    *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `XPathExecution` instead.
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPathExecution::Range` instead.
    */
-  abstract class Range extends DataFlow::Node {
+  class XPathExecution extends DataFlow::Node {
+    XPathExecution::Range range;
+
+    XPathExecution() { this = range }
+
     /** Gets the data flow node for the XPath expression being executed by this node. */
-    abstract DataFlow::Node getXPath();
+    DataFlow::Node getXPath() { result = range.getXPath() }
 
     /**
-     * Gets the name of this xpath expression execution, typically the name of an executing method.
+     * Gets the name of this XPath expression execution, typically the name of an executing method.
      * This is used for nice alert messages and should include the module if possible.
      */
-    abstract string getName();
+    string getName() { result = range.getName() }
+  }
+
+  /** Provides classes for modeling new regular-expression execution APIs. */
+  module XPathExecution {
+    /**
+     * A data-flow node that executes a XPath expression.
+     *
+     * If the context of interest is such that merely constructing an XPath expression
+     * would be valuabe to report, then consider using `XPathConstruction`.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPathExecution` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the data flow node for the XPath expression being executed by this node. */
+      abstract DataFlow::Node getXPath();
+
+      /**
+       * Gets the name of this xpath expression execution, typically the name of an executing method.
+       * This is used for nice alert messages and should include the module if possible.
+       */
+      abstract string getName();
+    }
   }
 }
 

python/ql/lib/semmle/python/frameworks/Libxml2.qll

@@ -28,7 +28,7 @@ private module Libxml2 {
    *
    * See http://xmlsoft.org/python.html
    */
-  class XpathEvalCall extends XPathExecution::Range, DataFlow::CallCfgNode {
+  class XpathEvalCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
     XpathEvalCall() {
       this =
         API::moduleImport("libxml2")

python/ql/lib/semmle/python/frameworks/Lxml.qll

@@ -30,7 +30,7 @@ private module Lxml {
    * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XPath
    * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.ETXPath
    */
-  private class XPathClassCall extends XPathConstruction::Range, DataFlow::CallCfgNode {
+  private class XPathClassCall extends XML::XPathConstruction::Range, DataFlow::CallCfgNode {
     XPathClassCall() {
       this = API::moduleImport("lxml").getMember("etree").getMember(["XPath", "ETXPath"]).getACall()
     }
@@ -55,7 +55,7 @@ private module Lxml {
    * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.HTML
    * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XML
    */
-  class XPathCall extends XPathExecution::Range, DataFlow::CallCfgNode {
+  class XPathCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
     XPathCall() {
       this =
         API::moduleImport("lxml")
@@ -71,7 +71,7 @@ private module Lxml {
     override string getName() { result = "lxml.etree" }
   }
 
-  class XPathEvaluatorCall extends XPathExecution::Range, DataFlow::CallCfgNode {
+  class XPathEvaluatorCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
     XPathEvaluatorCall() {
       this =
         API::moduleImport("lxml")

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2856,7 +2856,7 @@ private module StdlibPrivate {
   /**
    * A call to a find method on a tree or an element will execute an XPath expression.
    */
-  private class ElementTreeFindCall extends XPathExecution::Range, DataFlow::CallCfgNode {
+  private class ElementTreeFindCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
     string methodName;
 
     ElementTreeFindCall() {

python/ql/test/experimental/meta/ConceptsTest.qll

@@ -171,7 +171,7 @@ class XPathConstructionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
-    exists(XPathConstruction e, DataFlow::Node xpath |
+    exists(XML::XPathConstruction e, DataFlow::Node xpath |
       exists(location.getFile().getRelativePath()) and
       xpath = e.getXPath() and
       location = e.getLocation() and
@@ -189,7 +189,7 @@ class XPathExecutionTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     exists(location.getFile().getRelativePath()) and
-    exists(XPathExecution e, DataFlow::Node xpath |
+    exists(XML::XPathExecution e, DataFlow::Node xpath |
       exists(location.getFile().getRelativePath()) and
       xpath = e.getXPath() and
       location = e.getLocation() and