jorgectf
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.java
Lines changed: 70 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.java
Lines changed: 70 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.qhelp
Lines changed: 33 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.qhelp
Lines changed: 33 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
Lines changed: 43 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
Lines changed: 43 additions & 0 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
Lines changed: 68 additions & 0 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjectionLib.qll
Lines changed: 68 additions & 0 deletions
diff --git a/‎java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
Lines changed: 43 additions & 0 deletions b/‎java/ql/test/experimental/query-tests/security/CWE-652/XQueryInjection.expected
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,70 @@
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.namespace.QName;
+import javax.xml.xquery.XQConnection;
+import javax.xml.xquery.XQDataSource;
+import javax.xml.xquery.XQException;
+import javax.xml.xquery.XQItemType;
+import javax.xml.xquery.XQPreparedExpression;
+import javax.xml.xquery.XQResultSequence;
+import net.sf.saxon.xqj.SaxonXQDataSource;
+
+public void bad(HttpServletRequest request) throws XQException {
+    String name = request.getParameter("name");
+    XQDataSource ds = new SaxonXQDataSource();
+    XQConnection conn = ds.getConnection();
+    String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password";
+    XQPreparedExpression xqpe = conn.prepareExpression(query);
+    XQResultSequence result = xqpe.executeQuery();
+    while (result.next()){
+        System.out.println(result.getItemAsString(null));
+    }
+}
+
+public void bad1(HttpServletRequest request) throws XQException {
+    String name = request.getParameter("name");
+    XQDataSource xqds = new SaxonXQDataSource();
+    String query = "for $user in doc(\"users.xml\")/Users/User[name='" + name + "'] return $user/password";
+    XQConnection conn = xqds.getConnection();
+    XQExpression expr = conn.createExpression();
+    XQResultSequence result = expr.executeQuery(query);
+    while (result.next()){
+        System.out.println(result.getItemAsString(null));
+    }
+}
+
+public void bad2(HttpServletRequest request) throws XQException {
+    String name = request.getParameter("name");
+    XQDataSource xqds = new SaxonXQDataSource();
+    XQConnection conn = xqds.getConnection();
+    XQExpression expr = conn.createExpression();
+    //bad code
+    expr.executeCommand(name);
+}
+
+public void good(HttpServletRequest request) throws XQException {
+    String name = request.getParameter("name");
+    XQDataSource ds = new SaxonXQDataSource();
+    XQConnection conn = ds.getConnection();
+    String query = "declare variable $name as xs:string external;"
+            + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
+    XQPreparedExpression xqpe = conn.prepareExpression(query);
+    xqpe.bindString(new QName("name"), name, conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+    XQResultSequence result = xqpe.executeQuery();
+    while (result.next()){
+        System.out.println(result.getItemAsString(null));
+    }
+}
+
+public void good1(HttpServletRequest request) throws XQException {
+    String name = request.getParameter("name");
+    String query = "declare variable $name as xs:string external;"
+            + " for $user in doc(\"users.xml\")/Users/User[name=$name] return $user/password";
+    XQDataSource xqds = new SaxonXQDataSource();
+    XQConnection conn = xqds.getConnection();
+    XQExpression expr = conn.createExpression();
+    expr.bindString(new QName("name"), name, conn.createAtomicType(XQItemType.XQBASETYPE_STRING));
+    XQResultSequence result = expr.executeQuery(query);
+    while (result.next()){
+        System.out.println(result.getItemAsString(null));
+    }
+}
@@ -0,0 +1,33 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The software uses external input to dynamically construct an XQuery expression which is then used to retrieve data from an XML database. 
+However, the input is not neutralized, or is incorrectly neutralized, which allows an attacker to control the structure of the query.</p>
+
+</overview>
+<recommendation>
+
+<p>Use parameterized queries. This will help ensure the program retains control of the query structure.</p>
+
+</recommendation>
+<example>
+
+<p>The following example compares building a query by string concatenation (bad) vs. using  <code>bindString</code> to parameterize the query (good).</p>
+
+<sample src="XQueryInjection.java" />
+
+</example>
+<references>
+
+<li>Balisage: 
+<a href="https://www.balisage.net/Proceedings/vol7/html/Vlist02/BalisageVol7-Vlist02.html">XQuery Injection</a>.</li>
+
+
+
+<!--  LocalWords:  CWE
+ -->
+
+</references>
+</qhelp>
@@ -0,0 +1,43 @@
+/**
+ * @name XQuery query built from user-controlled sources
+ * @description Building an XQuery query from user-controlled sources is vulnerable to insertion of
+ *              malicious XQuery code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/xquery-injection
+ * @tags security
+ *       external/cwe/cwe-652
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import XQueryInjectionLib
+import DataFlow::PathGraph
+
+/**
+ * A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
+ */
+class XQueryInjectionConfig extends TaintTracking::Configuration {
+  XQueryInjectionConfig() { this = "XQueryInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
+    sink.asExpr() = any(XQueryExecuteCall xec).getExecuteQueryArgument() or
+    sink.asExpr() = any(XQueryExecuteCommandCall xecc).getExecuteCommandArgument()
+  }
+
+  /**
+   * Holds if taint from the input `pred` to a `prepareExpression` call flows to the returned prepared expression `succ`.
+   */
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(XQueryParserCall parser | pred.asExpr() = parser.getInput() and succ.asExpr() = parser)
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, XQueryInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "XQuery query might include code from $@.", source.getNode(),
+  "this user input"
@@ -0,0 +1,68 @@
+import java
+
+/** A call to `XQConnection.prepareExpression`. */
+class XQueryParserCall extends MethodAccess {
+  XQueryParserCall() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("javax.xml.xquery", "XQConnection") and
+      m.hasName("prepareExpression")
+    )
+  }
+
+  /**
+   * Returns the first parameter of the `prepareExpression` method, which provides
+   * the string, stream or reader to be compiled into a prepared expression.
+   */
+  Expr getInput() { result = this.getArgument(0) }
+}
+
+/** A call to `XQPreparedExpression.executeQuery`. */
+class XQueryPreparedExecuteCall extends MethodAccess {
+  XQueryPreparedExecuteCall() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.hasName("executeQuery") and
+      m.getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("javax.xml.xquery", "XQPreparedExpression")
+    )
+  }
+
+  /** Return this prepared expression. */
+  Expr getPreparedExpression() { result = this.getQualifier() }
+}
+
+/** A call to `XQExpression.executeQuery`. */
+class XQueryExecuteCall extends MethodAccess {
+  XQueryExecuteCall() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.hasName("executeQuery") and
+      m.getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("javax.xml.xquery", "XQExpression")
+    )
+  }
+
+  /** Return this execute query argument. */
+  Expr getExecuteQueryArgument() { result = this.getArgument(0) }
+}
+
+/** A call to `XQExpression.executeCommand`. */
+class XQueryExecuteCommandCall extends MethodAccess {
+  XQueryExecuteCommandCall() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.hasName("executeCommand") and
+      m.getDeclaringType()
+          .getASourceSupertype*()
+          .hasQualifiedName("javax.xml.xquery", "XQExpression")
+    )
+  }
+
+  /** Return this execute command argument. */
+  Expr getExecuteCommandArgument() { result = this.getArgument(0) }
+}
@@ -0,0 +1,43 @@
+edges
+| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe |
+| XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query |
+| XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe |
+| XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query |
+| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe |
+| XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name |
+| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe |
+| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br |
+| XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name |
+| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br |
+nodes
+| XQueryInjection.java:45:23:45:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| XQueryInjection.java:51:35:51:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:59:23:59:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| XQueryInjection.java:65:53:65:57 | query | semmle.label | query |
+| XQueryInjection.java:73:32:73:59 | nameStr : String | semmle.label | nameStr : String |
+| XQueryInjection.java:79:35:79:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:86:33:86:60 | nameStr : String | semmle.label | nameStr : String |
+| XQueryInjection.java:92:53:92:57 | query | semmle.label | query |
+| XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:104:35:104:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:116:53:116:56 | name | semmle.label | name |
+| XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:129:35:129:38 | xqpe | semmle.label | xqpe |
+| XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:142:53:142:54 | br | semmle.label | br |
+| XQueryInjection.java:150:23:150:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| XQueryInjection.java:155:29:155:32 | name | semmle.label | name |
+| XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
+| XQueryInjection.java:159:29:159:30 | br | semmle.label | br |
+#select
+| XQueryInjection.java:51:35:51:38 | xqpe | XQueryInjection.java:45:23:45:50 | getParameter(...) : String | XQueryInjection.java:51:35:51:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:45:23:45:50 | getParameter(...) | this user input |
+| XQueryInjection.java:65:53:65:57 | query | XQueryInjection.java:59:23:59:50 | getParameter(...) : String | XQueryInjection.java:65:53:65:57 | query | XQuery query might include code from $@. | XQueryInjection.java:59:23:59:50 | getParameter(...) | this user input |
+| XQueryInjection.java:79:35:79:38 | xqpe | XQueryInjection.java:73:32:73:59 | nameStr : String | XQueryInjection.java:79:35:79:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:73:32:73:59 | nameStr | this user input |
+| XQueryInjection.java:92:53:92:57 | query | XQueryInjection.java:86:33:86:60 | nameStr : String | XQueryInjection.java:92:53:92:57 | query | XQuery query might include code from $@. | XQueryInjection.java:86:33:86:60 | nameStr | this user input |
+| XQueryInjection.java:104:35:104:38 | xqpe | XQueryInjection.java:100:28:100:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:104:35:104:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:100:28:100:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:116:53:116:56 | name | XQueryInjection.java:112:28:112:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:116:53:116:56 | name | XQuery query might include code from $@. | XQueryInjection.java:112:28:112:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:129:35:129:38 | xqpe | XQueryInjection.java:124:28:124:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:129:35:129:38 | xqpe | XQuery query might include code from $@. | XQueryInjection.java:124:28:124:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:142:53:142:54 | br | XQueryInjection.java:137:28:137:51 | getInputStream(...) : ServletInputStream | XQueryInjection.java:142:53:142:54 | br | XQuery query might include code from $@. | XQueryInjection.java:137:28:137:51 | getInputStream(...) | this user input |
+| XQueryInjection.java:155:29:155:32 | name | XQueryInjection.java:150:23:150:50 | getParameter(...) : String | XQueryInjection.java:155:29:155:32 | name | XQuery query might include code from $@. | XQueryInjection.java:150:23:150:50 | getParameter(...) | this user input |
+| XQueryInjection.java:159:29:159:30 | br | XQueryInjection.java:157:26:157:49 | getInputStream(...) : ServletInputStream | XQueryInjection.java:159:29:159:30 | br | XQuery query might include code from $@. | XQueryInjection.java:157:26:157:49 | getInputStream(...) | this user input |