
Commit 3e1819f

committed
Model XMLParser constructor init(contentsOf:)
1 parent fe138dc commit 3e1819f

2 files changed

+23
-2
lines changed


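--- a/swift/ql/lib/codeql/swift/security/XXE.qll
+++ b/swift/ql/lib/codeql/swift/security/XXE.qll
@@ -58,7 +58,10 @@ private class ShouldResolveExternalEntities extends MemberRefExpr {
 
 /** An expression of type `XMLParser`. */
 private class XmlParserRef extends Expr {
-XmlParserRef() { this.getType() instanceof XmlParserType }
+XmlParserRef() {
+this.getType() instanceof XmlParserType or
+this.getType() = any(OptionalType t | t.getBaseType() instanceof XmlParserType)
+}
 }
 
 /** The type `XMLParser`. */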
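Review bot: The doc comment on `XmlParserRef` (new line 59) still says `An expression of type `XMLParser``, but the characteristic predicate now also accepts `XMLParser?`, so it should read `/** An expression of type `XMLParser` or `XMLParser?`. */`. Only one level of optionality is matched, which is what the failable `init(contentsOf:)` produces; a doubly-wrapped value would not be an `XmlParserRef`, though whether the query ever needs that is not visible here. A short comment on the `OptionalType` disjunct saying why it exists (the failable initializer returns `XMLParser?`) would save the next reader a trip to the test file. `XmlParserType` is defined outside this hunk.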

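--- a/swift/ql/test/query-tests/Security/CWE-611/testXXE.swift
+++ b/swift/ql/test/query-tests/Security/CWE-611/testXXE.swift
@@ -41,7 +41,13 @@ func testInputStream() {
 let remoteStream = InputStream(data: remoteData)
 let parser = XMLParser(stream: remoteStream) // $ hasXXE=39
 parser.shouldResolveExternalEntities = true
+}
 
+func testUrl() {
+let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+let remoteUrl = URL(string: remoteString)!
+let parser = XMLParser(contentsOf: remoteUrl) // $ hasXXE=47
+parser?.shouldResolveExternalEntities = true
 }
 
 func testDataSafe() {
@@ -55,7 +61,6 @@ func testDataSafeExplicit() {
 let remoteData = Data(remoteString)
 let parser = XMLParser(data: remoteData) // NO XXE: parser disables external entities
 parser.shouldResolveExternalEntities = false
-
 }
 
 func testInputStreamSafe() {
@@ -71,4 +76,17 @@ func testInputStreamSafeExplicit() {
 let remoteStream = InputStream(data: remoteData)
 let parser = XMLParser(stream: remoteStream) // NO XXE: parser disables external entities
 parser.shouldResolveExternalEntities = false
+}
+
+func testUrlSafe() {
+let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+let remoteUrl = URL(string: remoteString)!
+let _ = XMLParser(contentsOf: remoteUrl) // NO XXE: parser doesn't enable external entities
+}
+
+func testUrlSafeExplicit() {
+let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+let remoteUrl = URL(string: remoteString)!
+let parser = XMLParser(contentsOf: remoteUrl) // NO XXE: parser disables external entities
+parser?.shouldResolveExternalEntities = false
 }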
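Review bot: The new positive test `testUrl` reaches the sink only through optional chaining (`parser?.shouldResolveExternalEntities = true` at new line 50); there is no case where the failable `init(contentsOf:)` result is unwrapped before use, so whether the expected alert survives a force-unwrap or an `if let` between construction and the property write is not checked. Adding a variant such as `let parser = XMLParser(contentsOf: remoteUrl)!` followed by `parser.shouldResolveExternalEntities = true // $ hasXXE=...` (with the line number filled in) would pin the behaviour the `XmlParserRef` change is meant to enable. The `String(contentsOf:)` calls are written without `try`, matching the existing tests above, so this presumably relies on the test suite's stubbed declarations rather than real Foundation; a one-line comment at the top of the new tests saying so would help readers who expect the real throwing API.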
