Refactored sto use CSV sink model. Also, added more sinks

Author: atorralba

java/ql/src/semmle/code/java/security/XPath.qll

@@ -3,62 +3,55 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-
-/** The interface `javax.xml.xpath.XPath` */
-private class XPath extends Interface {
-  XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
-}
-
-/** A call to methods of any class implementing the interface `XPath` that evaluate XPath expressions */
-private class XPathEvaluation extends MethodAccess {
-  XPathEvaluation() {
-    exists(Method m |
-      this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof XPath
-    |
-      m.hasName(["evaluate", "evaluateExpression", "compile"])
-    )
-  }
-
-  Expr getSink() { result = this.getArgument(0) }
-}
-
-/** The interface `org.dom4j.Node` */
-private class Dom4JNode extends Interface {
-  Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
-}
-
-/** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
-private class NodeXPathEvaluation extends MethodAccess {
-  Expr sink;
-
-  NodeXPathEvaluation() {
-    exists(Method m, int index |
-      this.getMethod() = m and
-      m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode and
-      sink = this.getArgument(index)
-    |
-      m.hasName([
-          "selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",
-          "createXPath"
-        ]) and
-      index = 0
-      or
-      m.hasName("selectNodes") and index in [0, 1]
-    )
-  }
-
-  Expr getSink() { result = sink }
-}
+import semmle.code.java.dataflow.ExternalFlow
 
 /**
  *  A sink that represents a method that interprets XPath expressions.
  *  Extend this class to add your own XPath Injection sinks.
  */
 abstract class XPathInjectionSink extends DataFlow::Node { }
 
+/** CSV sink models representing methods susceptible to XPath Injection attacks. */
+private class DefaultXPathInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.xpath;XPath;true;evaluate;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;true;evaluateExpression;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;true;compile;;;Argument[0];xpath",
+        "org.dom4j;Node;true;selectObject;;;Argument[0];xpath",
+        "org.dom4j;Node;true;selectNodes;;;Argument[0..1];xpath",
+        "org.dom4j;Node;true;selectSingleNode;;;Argument[0];xpath",
+        "org.dom4j;Node;true;numberValueOf;;;Argument[0];xpath",
+        "org.dom4j;Node;true;valueOf;;;Argument[0];xpath",
+        "org.dom4j;Node;true;matches;;;Argument[0];xpath",
+        "org.dom4j;Node;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createPattern;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j.tree;AbstractNode;true;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j.tree;AbstractNode;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createXPathFilter;;;Argument[0];xpath"
+      ]
+  }
+}
+
+/** A default sink representing methods susceptible to XPath Injection attacks. */
 private class DefaultXPathInjectionSink extends XPathInjectionSink {
   DefaultXPathInjectionSink() {
-    exists(NodeXPathEvaluation sink | sink.getSink() = this.asExpr()) or
-    exists(XPathEvaluation sink | sink.getSink() = this.asExpr())
+    sinkNode(this, "xpath")
+    or
+    exists(ClassInstanceExpr constructor |
+      constructor.getConstructedType().getASourceSupertype*().hasQualifiedName("org.dom4j", "XPath")
+      or
+      constructor.getConstructedType().hasQualifiedName("org.dom4j.xpath", "XPathPattern")
+    |
+      this.asExpr() = constructor.getArgument(0)
+    )
   }
 }

java/ql/test/experimental/query-tests/security/CWE-643/A.java

@@ -11,6 +11,13 @@
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 
+import org.dom4j.DocumentFactory;
+import org.dom4j.DocumentHelper;
+import org.dom4j.Namespace;
+import org.dom4j.io.SAXReader;
+import org.dom4j.util.ProxyDocumentFactory;
+import org.dom4j.xpath.DefaultXPath;
+import org.dom4j.xpath.XPathPattern;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
@@ -48,71 +55,86 @@ public String evaluate(String expression, InputSource source) throws XPathExpres
 
     }
 
+    private static class ProxyDocumentFactoryStub extends ProxyDocumentFactory {
+    }
+
     public void handle(HttpServletRequest request) throws Exception {
+        String user = request.getParameter("user");
+        String pass = request.getParameter("pass");
+        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
+
         final String xmlStr = "<users>" + "   <user name=\"aaa\" pass=\"pass1\"></user>"
                 + "   <user name=\"bbb\" pass=\"pass2\"></user>" + "</users>";
         DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
-        domFactory.setNamespaceAware(true);
         DocumentBuilder builder = domFactory.newDocumentBuilder();
         InputSource xmlSource = new InputSource(new StringReader(xmlStr));
         Document doc = builder.parse(xmlSource);
 
         XPathFactory factory = XPathFactory.newInstance();
         XPath xpath = factory.newXPath();
-        XPathImplStub xpathStub = XPathImplStub.getInstance();
 
-        // Injectable data
-        String user = request.getParameter("user");
-        String pass = request.getParameter("pass");
-        if (user != null && pass != null) {
-            // Bad expression
-            String expression1 = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
-            xpath.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
-            xpathStub.evaluate(expression1, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
-            xpath.evaluateExpression(expression1, xmlSource); // $hasXPathInjection
-            xpathStub.evaluateExpression(expression1, xmlSource); // $hasXPathInjection
-
-            // Bad expression
-            XPathExpression expression2 = xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            expression2.evaluate(doc, XPathConstants.BOOLEAN);
-
-            // Bad expression
-            StringBuffer sb = new StringBuffer("/users/user[@name=");
-            sb.append(user);
-            sb.append("' and @pass='");
-            sb.append(pass);
-            sb.append("']");
-            String query = sb.toString();
-            XPathExpression expression3 = xpath.compile(query); // $hasXPathInjection
-            xpathStub.compile(query); // $hasXPathInjection
-            expression3.evaluate(doc, XPathConstants.BOOLEAN);
-
-            // Good expression
-            String expression4 = "/users/user[@name=$user and @pass=$pass]";
-            xpath.setXPathVariableResolver(v -> {
-                switch (v.getLocalPart()) {
-                case "user":
-                    return user;
-                case "pass":
-                    return pass;
-                default:
-                    throw new IllegalArgumentException();
-                }
-            });
-            xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
-
-            // Bad Dom4j
-            org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
-            org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
-            document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
-            document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-        }
+        xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+        xpath.evaluateExpression(expression, xmlSource); // $hasXPathInjection
+        xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        XPathImplStub xpathStub = XPathImplStub.getInstance();
+        xpathStub.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+        xpathStub.evaluateExpression(expression, xmlSource); // $hasXPathInjection
+        xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        StringBuffer sb = new StringBuffer("/users/user[@name=");
+        sb.append(user);
+        sb.append("' and @pass='");
+        sb.append(pass);
+        sb.append("']");
+        String query = sb.toString();
+
+        xpath.compile(query); // $hasXPathInjection
+        xpathStub.compile(query); // $hasXPathInjection
+
+        String expression4 = "/users/user[@name=$user and @pass=$pass]";
+        xpath.setXPathVariableResolver(v -> {
+            switch (v.getLocalPart()) {
+            case "user":
+                return user;
+            case "pass":
+                return pass;
+            default:
+                throw new IllegalArgumentException();
+            }
+        });
+        xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
+
+        SAXReader reader = new SAXReader();
+        org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
+        document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
+        document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        DocumentFactory docFactory = DocumentFactory.getInstance();
+        docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        docFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        docFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        ProxyDocumentFactoryStub proxyDocFactory = new ProxyDocumentFactoryStub();
+        proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        proxyDocFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        proxyDocFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        Namespace namespace = new Namespace("prefix", "http://some.uri.io");
+        namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
     }
 }

java/ql/test/experimental/query-tests/security/CWE-643/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/servlet-api-2.4
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/dom4j-2.1.1:${testdir}/../../../../stubs/servlet-api-2.4:${testdir}/../../../../stubs/jaxen-1.2.0

java/ql/test/stubs/dom4j-2.1.1/org/dom4j/DocumentFactory.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2001-2005 (C) MetaStuff, Ltd. All Rights Reserved.
+ *
+ * This software is open source.
+ * See the bottom of this file for the licence.
+ */
+
+package org.dom4j;
+
+import java.io.Serializable;
+import java.util.Map;
+
+import org.dom4j.rule.Pattern;
+import org.jaxen.VariableContext;
+
+public class DocumentFactory implements Serializable {
+  public DocumentFactory() {
+  }
+
+  public static synchronized DocumentFactory getInstance() {
+    return null;
+  }
+
+  public Document createDocument() {
+    return null;
+  }
+
+  public Document createDocument(String encoding) {
+    return null;
+  }
+
+  public Document createDocument(Element rootElement) {
+    return null;
+  }
+
+  public Element createElement(String name) {
+    return null;
+  }
+
+  public Element createElement(String qualifiedName, String namespaceURI) {
+    return null;
+  }
+
+  public Namespace createNamespace(String prefix, String uri) {
+    return null;
+  }
+
+  public XPath createXPath(String xpathExpression) throws InvalidXPathException {
+    return null;
+  }
+
+  public XPath createXPath(String xpathExpression, VariableContext variableContext) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String xpathFilterExpression, VariableContext variableContext) {
+    return null;
+  }
+
+  public NodeFilter createXPathFilter(String xpathFilterExpression) {
+    return null;
+  }
+
+  public Pattern createPattern(String xpathPattern) {
+    return null;
+  }
+
+  public Map<String, String> getXPathNamespaceURIs() {
+    return null;
+  }
+
+  public void setXPathNamespaceURIs(Map<String, String> namespaceURIs) {
+  }
+
+}