Java: Add XXE tests.

Author: aschackmull

java/ql/test/query-tests/security/CWE-611/SAXSourceTests.java

@@ -0,0 +1,41 @@
+import java.net.Socket;
+
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+
+import org.xml.sax.InputSource;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public class SAXSourceTests {
+
+  public void unsafeSource(Socket sock) throws Exception {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream()));
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(source); //unsafe
+  }
+
+  public void explicitlySafeSource1(Socket sock) throws Exception {
+    XMLReader reader = XMLReaderFactory.createXMLReader();
+    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+    SAXSource source = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+  }
+
+  public void createdSafeSource(Socket sock) throws Exception {
+    SAXParserFactory factory = SAXParserFactory.newInstance();
+    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    SAXParser parser = factory.newSAXParser();
+    XMLReader reader = parser.getXMLReader();
+    SAXSource source = new SAXSource(parser.getXMLReader(), new InputSource(sock.getInputStream())); //safe
+    SAXSource source2 = new SAXSource(reader, new InputSource(sock.getInputStream())); //safe
+  }
+}

java/ql/test/query-tests/security/CWE-611/UnmarshallerTests.java

@@ -0,0 +1,30 @@
+import java.net.Socket;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
+
+import org.xml.sax.InputSource;
+
+public class UnmarshallerTests {
+
+  public void safeUnmarshal(Socket sock) throws Exception {
+    SAXParserFactory spf = SAXParserFactory.newInstance();
+    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(sock.getInputStream()));
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(xmlSource); //safe
+  }
+
+  public void unsafeUnmarshal(Socket sock) throws Exception {
+    SAXParserFactory spf = SAXParserFactory.newInstance();
+    JAXBContext jc = JAXBContext.newInstance(Object.class);
+    Unmarshaller um = jc.createUnmarshaller();
+    um.unmarshal(sock.getInputStream()); //unsafe
+  }
+}

java/ql/test/query-tests/security/CWE-611/XXE.expected

@@ -2,6 +2,7 @@ edges
 | DocumentBuilderTests.java:93:51:93:71 | getInputStream(...) : InputStream | DocumentBuilderTests.java:94:16:94:38 | getInputSource(...) |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:101:16:101:52 | sourceToInputSource(...) |
 | DocumentBuilderTests.java:100:41:100:61 | getInputStream(...) : InputStream | DocumentBuilderTests.java:102:16:102:38 | getInputStream(...) |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) |
 | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) |
 | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) |
@@ -78,6 +79,8 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | semmle.label | getInputStream(...) |
+| SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| SAXSourceTests.java:20:18:20:23 | source | semmle.label | source |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
 | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | SchemaTests.java:25:39:25:77 | new StreamSource(...) | semmle.label | new StreamSource(...) |
@@ -163,6 +166,7 @@ nodes
 | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | semmle.label | new SAXSource(...) |
 | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
+| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | semmle.label | new InputSource(...) |
 | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | semmle.label | new InputSource(...) |
@@ -220,6 +224,7 @@ nodes
 | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:45:17:45:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:53:17:53:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:61:17:61:37 | getInputStream(...) | user input |
+| SAXSourceTests.java:20:18:20:23 | source | SAXSourceTests.java:17:62:17:82 | getInputStream(...) : InputStream | SAXSourceTests.java:20:18:20:23 | source | Unsafe parsing of XML file from $@. | SAXSourceTests.java:17:62:17:82 | getInputStream(...) | user input |
 | SchemaTests.java:12:39:12:77 | new StreamSource(...) | SchemaTests.java:12:56:12:76 | getInputStream(...) : InputStream | SchemaTests.java:12:39:12:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:12:56:12:76 | getInputStream(...) | user input |
 | SchemaTests.java:25:39:25:77 | new StreamSource(...) | SchemaTests.java:25:56:25:76 | getInputStream(...) : InputStream | SchemaTests.java:25:39:25:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:25:56:25:76 | getInputStream(...) | user input |
 | SchemaTests.java:31:39:31:77 | new StreamSource(...) | SchemaTests.java:31:56:31:76 | getInputStream(...) : InputStream | SchemaTests.java:31:39:31:77 | new StreamSource(...) | Unsafe parsing of XML file from $@. | SchemaTests.java:31:56:31:76 | getInputStream(...) | user input |
@@ -267,6 +272,7 @@ nodes
 | TransformerTests.java:129:21:129:59 | new StreamSource(...) | TransformerTests.java:129:38:129:58 | getInputStream(...) : InputStream | TransformerTests.java:129:21:129:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:129:38:129:58 | getInputStream(...) | user input |
 | TransformerTests.java:136:21:136:59 | new StreamSource(...) | TransformerTests.java:136:38:136:58 | getInputStream(...) : InputStream | TransformerTests.java:136:21:136:59 | new StreamSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:136:38:136:58 | getInputStream(...) | user input |
 | TransformerTests.java:141:18:141:70 | new SAXSource(...) | TransformerTests.java:141:48:141:68 | getInputStream(...) : InputStream | TransformerTests.java:141:18:141:70 | new SAXSource(...) | Unsafe parsing of XML file from $@. | TransformerTests.java:141:48:141:68 | getInputStream(...) | user input |
+| UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | UnmarshallerTests.java:28:18:28:38 | getInputStream(...) | user input |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user input |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user input |
 | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | XMLReaderTests.java:63:34:63:54 | getInputStream(...) : InputStream | XMLReaderTests.java:63:18:63:55 | new InputSource(...) | Unsafe parsing of XML file from $@. | XMLReaderTests.java:63:34:63:54 | getInputStream(...) | user input |

java/ql/test/query-tests/security/CWE-611/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1

java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/JAXBContext.java

@@ -0,0 +1,33 @@
+package javax.xml.bind;
+
+import java.util.Map;
+
+abstract public class JAXBContext {
+  protected JAXBContext() { }
+
+//  public static final String JAXB_CONTEXT_FACTORY;
+//
+//  public Binder<Node> createBinder() { return null; }
+//
+//  public Binder<T> createBinder(Class<T> p0) { return null; }
+//
+//  public JAXBIntrospector createJAXBIntrospector() { return null; }
+//
+//  abstract public Marshaller createMarshaller();
+
+  abstract public Unmarshaller createUnmarshaller();
+
+//  abstract public Validator createValidator();
+//
+//  public void generateSchema(SchemaOutputResolver p0) { }
+
+  public static JAXBContext newInstance(Class... p0) { return null; }
+
+  public static JAXBContext newInstance(Class<?>[] p0, Map<String,?> p1) { return null; }
+
+  public static JAXBContext newInstance(String p0) { return null; }
+
+  public static JAXBContext newInstance(String p0, ClassLoader p1) { return null; }
+
+  public static JAXBContext newInstance(String p0, ClassLoader p1, Map<String,?> p2) { return null; }
+}

java/ql/test/stubs/jaxb-api-2.3.1/javax/xml/bind/Unmarshaller.java

@@ -0,0 +1,76 @@
+package javax.xml.bind;
+
+import java.net.URL;
+import java.io.Reader;
+import java.io.InputStream;
+import java.io.File;
+import javax.xml.transform.Source;
+
+abstract public interface Unmarshaller {
+  abstract public static class Listener {
+    public Listener() { }
+  
+    public void afterUnmarshal(Object p0, Object p1) { }
+  
+    public void beforeUnmarshal(Object p0, Object p1) { }
+  }
+
+//  abstract public A getAdapter(Class<A> p0);
+//
+//  abstract public AttachmentUnmarshaller getAttachmentUnmarshaller();
+//
+//  abstract public ValidationEventHandler getEventHandler();
+//
+//  abstract public Listener getListener();
+
+  abstract public Object getProperty(String p0);
+
+//  abstract public Schema getSchema();
+//
+//  abstract public UnmarshallerHandler getUnmarshallerHandler();
+
+  abstract public boolean isValidating();
+
+//  abstract public void setAdapter(Class<A> p0, A p1);
+//
+//  abstract public void setAdapter(XmlAdapter p0);
+//
+//  abstract public void setAttachmentUnmarshaller(AttachmentUnmarshaller p0);
+//
+//  abstract public void setEventHandler(ValidationEventHandler p0);
+//
+//  abstract public void setListener(Listener p0);
+//
+//  abstract public void setProperty(String p0, Object p1);
+//
+//  abstract public void setSchema(Schema p0);
+
+  abstract public void setValidating(boolean p0);
+
+  abstract public Object unmarshal(File p0);
+
+  abstract public Object unmarshal(InputStream p0);
+
+  abstract public Object unmarshal(Reader p0);
+
+  abstract public Object unmarshal(URL p0);
+
+//  abstract public Object unmarshal(XMLEventReader p0);
+//
+//  abstract public JAXBElement<T> unmarshal(XMLEventReader p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(XMLStreamReader p0);
+//
+//  abstract public JAXBElement<T> unmarshal(XMLStreamReader p0, Class<T> p1);
+
+  abstract public Object unmarshal(Source p0);
+
+//  abstract public JAXBElement<T> unmarshal(Source p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(Node p0);
+//
+//  abstract public JAXBElement<T> unmarshal(Node p0, Class<T> p1);
+//
+//  abstract public Object unmarshal(InputSource p0);
+}
+