Merge pull request #5883 from zbazztian/consider-boxed-booleans-to-avoid-xxe-fps

Consider boxed booleans to avoid false positives for XXE.ql

Author: aschackmull

java/change-notes/2021-05-12-xxe-fp-fix.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "Resolving XML external entity in user-controlled data" (`java/xxe`) has been improved to report fewer false positives when a Builder / Factory (e.g. an `XMLInputFactory`) is configured safely by using a boxed boolean as second argument to one or more of its configuration methods.

java/ql/src/semmle/code/java/security/XmlParsers.qll

@@ -36,15 +36,21 @@ abstract class ParserConfig extends MethodAccess {
    */
   predicate disables(Expr e) {
     this.getArgument(0) = e and
-    this.getArgument(1).(BooleanLiteral).getBooleanValue() = false
+    (
+      this.getArgument(1).(BooleanLiteral).getBooleanValue() = false or
+      this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "FALSE")
+    )
   }
 
   /**
    * Holds if the method enables a property.
    */
   predicate enables(Expr e) {
     this.getArgument(0) = e and
-    this.getArgument(1).(BooleanLiteral).getBooleanValue() = true
+    (
+      this.getArgument(1).(BooleanLiteral).getBooleanValue() = true or
+      this.getArgument(1).(FieldAccess).getField().hasQualifiedName("java.lang", "Boolean", "TRUE")
+    )
   }
 }