Merge pull request #286 from github/aibaars/xxe

XXE query

Author: aibaars

ql/lib/codeql/ruby/Concepts.qll

@@ -503,3 +503,38 @@ module CodeExecution {
     abstract DataFlow::Node getCode();
   }
 }
+
+/**
+ * A data-flow node that parses XML content.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `XmlParserCall::Range` instead.
+ */
+class XmlParserCall extends DataFlow::Node {
+  XmlParserCall::Range range;
+
+  XmlParserCall() { this = range }
+
+  /** Gets the argument that specifies the XML content to be parsed. */
+  DataFlow::Node getInput() { result = range.getInput() }
+
+  /** Holds if this XML parser call is configured to process external entities */
+  predicate externalEntitiesEnabled() { range.externalEntitiesEnabled() }
+}
+
+/** Provides a class for modeling new XML parsing APIs. */
+module XmlParserCall {
+  /**
+   * A data-flow node that parses XML content.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `class XmlParserCall` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets the argument that specifies the XML content to be parsed. */
+    abstract DataFlow::Node getInput();
+
+    /** Holds if this XML parser call is configured to process external entities */
+    abstract predicate externalEntitiesEnabled();
+  }
+}

ql/lib/codeql/ruby/Frameworks.qll

@@ -8,3 +8,4 @@ private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.StandardLibrary
 private import codeql.ruby.frameworks.Files
 private import codeql.ruby.frameworks.HttpClients
+private import codeql.ruby.frameworks.XmlParsing

ql/lib/codeql/ruby/frameworks/XmlParsing.qll

@@ -0,0 +1,182 @@
+private import codeql.ruby.Concepts
+private import codeql.ruby.AST
+private import codeql.ruby.DataFlow
+private import codeql.ruby.typetracking.TypeTracker
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.controlflow.CfgNodes as CfgNodes
+
+private class NokogiriXmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
+  NokogiriXmlParserCall() {
+    this =
+      [
+        API::getTopLevelMember("Nokogiri").getMember("XML"),
+        API::getTopLevelMember("Nokogiri").getMember("XML").getMember("Document"),
+        API::getTopLevelMember("Nokogiri")
+            .getMember("XML")
+            .getMember("SAX")
+            .getMember("Parser")
+            .getInstance()
+      ].getAMethodCall("parse")
+  }
+
+  override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+  override predicate externalEntitiesEnabled() {
+    this.getArgument(3) =
+      [trackEnableFeature(TNOENT()), trackEnableFeature(TDTDLOAD()), trackDisableFeature(TNONET())]
+    or
+    // calls to methods that enable/disable features in a block argument passed to this parser call.
+    // For example:
+    // ```ruby
+    // doc.parse(...) { |options| options.nononet; options.noent }
+    // ```
+    this.asExpr()
+        .getExpr()
+        .(MethodCall)
+        .getBlock()
+        .getAStmt()
+        .getAChild*()
+        .(MethodCall)
+        .getMethodName() = ["noent", "dtdload", "nononet"]
+  }
+}
+
+private class LibXmlRubyXmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
+  LibXmlRubyXmlParserCall() {
+    this =
+      [API::getTopLevelMember("LibXML").getMember("XML"), API::getTopLevelMember("XML")]
+          .getMember(["Document", "Parser"])
+          .getAMethodCall(["file", "io", "string"])
+  }
+
+  override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+  override predicate externalEntitiesEnabled() {
+    exists(Pair pair |
+      pair = this.getArgument(1).asExpr().getExpr().(HashLiteral).getAKeyValuePair() and
+      pair.getKey().(Literal).getValueText() = "options" and
+      pair.getValue() =
+        [
+          trackEnableFeature(TNOENT()), trackEnableFeature(TDTDLOAD()),
+          trackDisableFeature(TNONET())
+        ].asExpr().getExpr()
+    )
+  }
+}
+
+private newtype TFeature =
+  TNOENT() or
+  TNONET() or
+  TDTDLOAD()
+
+class Feature extends TFeature {
+  abstract int getValue();
+
+  string toString() { result = getConstantName() }
+
+  abstract string getConstantName();
+}
+
+private class FeatureNOENT extends Feature, TNOENT {
+  override int getValue() { result = 2 }
+
+  override string getConstantName() { result = "NOENT" }
+}
+
+private class FeatureNONET extends Feature, TNONET {
+  override int getValue() { result = 2048 }
+
+  override string getConstantName() { result = "NONET" }
+}
+
+private class FeatureDTDLOAD extends Feature, TDTDLOAD {
+  override int getValue() { result = 4 }
+
+  override string getConstantName() { result = "DTDLOAD" }
+}
+
+private API::Node parseOptionsModule() {
+  result = API::getTopLevelMember("Nokogiri").getMember("XML").getMember("ParseOptions")
+  or
+  result =
+    API::getTopLevelMember("LibXML").getMember("XML").getMember("Parser").getMember("Options")
+  or
+  result = API::getTopLevelMember("XML").getMember("Parser").getMember("Options")
+}
+
+private predicate bitWiseAndOr(CfgNodes::ExprNodes::OperationCfgNode operation) {
+  operation.getExpr() instanceof BitwiseAndExpr or
+  operation.getExpr() instanceof AssignBitwiseAndExpr or
+  operation.getExpr() instanceof BitwiseOrExpr or
+  operation.getExpr() instanceof AssignBitwiseOrExpr
+}
+
+private DataFlow::LocalSourceNode trackFeature(Feature f, boolean enable, TypeTracker t) {
+  t.start() and
+  (
+    // An integer literal with the feature-bit enabled/disabled
+    exists(int bitValue |
+      bitValue = result.asExpr().getExpr().(IntegerLiteral).getValue().bitAnd(f.getValue())
+    |
+      if bitValue = 0 then enable = false else enable = true
+    )
+    or
+    // Use of a constant f
+    enable = true and
+    result = parseOptionsModule().getMember(f.getConstantName()).getAUse()
+    or
+    // Treat `&`, `&=`, `|` and `|=` operators as if they preserve the on/off states
+    // of their operands. This is an overapproximation but likely to work well in practice
+    // because it makes little sense to explicitly set a feature to both `on` and `off` in the
+    // same code.
+    exists(CfgNodes::ExprNodes::OperationCfgNode operation |
+      bitWiseAndOr(operation) and
+      operation = result.asExpr().(CfgNodes::ExprNodes::OperationCfgNode) and
+      operation.getAnOperand() = trackFeature(f, enable).asExpr()
+    )
+    or
+    // The complement operator toggles a feature from enabled to disabled and vice-versa
+    result.asExpr().getExpr() instanceof ComplementExpr and
+    result.asExpr().(CfgNodes::ExprNodes::OperationCfgNode).getAnOperand() =
+      trackFeature(f, enable.booleanNot()).asExpr()
+    or
+    // Nokogiri has a ParseOptions class that is a wrapper around the bit-fields and
+    // provides methods for querying and updating the fields.
+    result =
+      API::getTopLevelMember("Nokogiri")
+          .getMember("XML")
+          .getMember("ParseOptions")
+          .getAnInstantiation() and
+    result.asExpr().(CfgNodes::ExprNodes::CallCfgNode).getArgument(0) =
+      trackFeature(f, enable).asExpr()
+    or
+    // The Nokogiri ParseOptions class has methods for setting/unsetting features.
+    // The method names are the lowercase variants of the constant names, with a "no"
+    // prefix for unsetting a feature.
+    exists(CfgNodes::ExprNodes::CallCfgNode call |
+      enable = true and
+      call.getExpr().(MethodCall).getMethodName() = f.getConstantName().toLowerCase()
+      or
+      enable = false and
+      call.getExpr().(MethodCall).getMethodName() = "no" + f.getConstantName().toLowerCase()
+    |
+      (
+        // these methods update the receiver
+        result.flowsTo(any(DataFlow::Node n | n.asExpr() = call.getReceiver()))
+        or
+        // in addition they return the (updated) receiver to allow chaining calls.
+        result.asExpr() = call
+      )
+    )
+  )
+  or
+  exists(TypeTracker t2 | result = trackFeature(f, enable, t2).track(t2, t))
+}
+
+private DataFlow::Node trackFeature(Feature f, boolean enable) {
+  trackFeature(f, enable, TypeTracker::end()).flowsTo(result)
+}
+
+private DataFlow::Node trackEnableFeature(Feature f) { result = trackFeature(f, true) }
+
+private DataFlow::Node trackDisableFeature(Feature f) { result = trackFeature(f, false) }

ql/src/queries/security/cwe-611/Xxe.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Parsing untrusted XML files with a weakly configured XML parser may lead to an
+XML External Entity (XXE) attack. This type of attack uses external entity references
+to access arbitrary files on a system, carry out denial-of-service (DoS) attacks, or server-side
+request forgery. Even when the result of parsing is not returned to the user, DoS attacks are still possible
+and out-of-band data retrieval techniques may allow attackers to steal sensitive data.
+</p>
+</overview>
+
+<recommendation>
+<p>
+The easiest way to prevent XXE attacks is to disable external entity handling when
+parsing untrusted data. How this is done depends on the library being used. Note that some
+libraries, such as <code>rexml</code>, <code>nokogiri</code> and <code>libxml-ruby</code>, 
+disable entity expansion by default, so unless you have explicitly enabled entity expansion,
+no further action needs to be taken.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses the <code>nokogiri</code> XML parser to parse a string <code>xmlSrc</code>.
+If that string is from an untrusted source, this code may be vulnerable to an XXE attack, since
+the parser is invoked with the <code>noent</code> option set:
+</p>
+<sample src="examples/Xxe.rb"/>
+
+<p>
+To guard against XXE attacks, the <code>noent</code> option should be omitted or cleared
+(e.g. using <code>nonoent</code>). This means that no entity expansion is undertaken at all, 
+not even for standard internal entities such as <code>&amp;amp;</code> or <code>&amp;gt;</code>.
+If desired, these entities can be expanded in a separate step using utility functions.
+</p>
+<sample src="examples/XxeGood.rb"/>
+</example>
+
+<references>
+<li>
+OWASP:
+<a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.
+</li>
+<li>
+Timothy Morgen:
+<a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a>.
+</li>
+<li>
+Timur Yunusov, Alexey Osipov:
+<a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.
+</li>
+</references>
+</qhelp>

ql/src/queries/security/cwe-611/Xxe.ql

@@ -0,0 +1,43 @@
+/**
+ * @name XML external entity expansion
+ * @description Parsing user input as an XML document with external
+ *              entity expansion is vulnerable to XXE attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id rb/xxe
+ * @tags security
+ *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
+ */
+
+import ruby
+import codeql.ruby.dataflow.RemoteFlowSources
+import codeql.ruby.TaintTracking
+import codeql.ruby.Concepts
+import codeql.ruby.DataFlow
+import DataFlow::PathGraph
+
+class UnsafeXxeSink extends DataFlow::ExprNode {
+  UnsafeXxeSink() {
+    exists(XmlParserCall parse |
+      parse.getInput() = this and
+      parse.externalEntitiesEnabled()
+    )
+  }
+}
+
+class XxeConfig extends TaintTracking::Configuration {
+  XxeConfig() { this = "XXE.ql::XxeConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
+  "user input"

ql/src/queries/security/cwe-611/examples/Xxe.rb

@@ -0,0 +1,12 @@
+require "nokogiri"
+
+def process_data1
+   xmlSrc = request.body
+   doc = Nokogiri::XML.parse(xmlSrc, nil, nil, Nokogiri::XML::ParseOptions::NOENT) # BAD
+end
+
+def process_data2
+   xmlSrc = request.body
+   doc = Nokogiri::XML.parse(xmlSrc) { |config| config.noent } # BAD
+end
+

ql/src/queries/security/cwe-611/examples/XxeGood.rb

@@ -0,0 +1,12 @@
+require "nokogiri"
+
+def process_data1
+   xmlSrc = request.body
+   doc = Nokogiri::XML.parse(xmlSrc) # GOOD
+end
+
+def process_data2
+   xmlSrc = request.body
+   doc = Nokogiri::XML.parse(xmlSrc) { |config| config.nonoent } # GOOD
+end
+

ql/test/query-tests/security/cwe-611/LibXmlRuby.rb

@@ -0,0 +1,16 @@
+class LibXmlRubyXXE < ApplicationController
+
+    content = params[:xml]
+    LibXML::XML::Document.string(content, { options: 2 | 2048, encoding: 'utf-8' })
+    LibXML::XML::Document.file(content, { options: LibXML::XML::Parser::Options::NOENT | 2048})
+    LibXML::XML::Document.io(content, { options: XML::Parser::Options::NOENT | 2048 })
+    LibXML::XML::Parser.string(content, { options: 2 | 2048 })
+    LibXML::XML::Parser.file(content, { options: 3 | 2048 })
+    LibXML::XML::Parser.io(content, { options: 2 | 2048})
+
+    XML::Document.string(content, { options: 2 | 2048 })
+    XML::Parser.string(content, { options: 2 | 2048 })
+
+    LibXML::XML::Parser.file(content, { options: 2048 }) # OK
+
+end