Merge pull request github#5774 from atorralba/promote-xpath-injection

Java: Promote XPath Injection query from experimental

Author: aschackmull

java/change-notes/2021-04-26-xpath-injection-query.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* The query "XPath injection" (`java/xml/xpath-injection`) has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @SpaceWhite](https://github.com/github/codeql/pull/2800)

java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.java renamed to java/ql/src/Security/CWE/CWE-643/XPathInjection.java

@@ -58,9 +58,19 @@
         // Bad Dom4j 
         org.dom4j.io.SAXReader reader = new org.dom4j.io.SAXReader();
         org.dom4j.Document document = reader.read(new InputSource(new StringReader(xmlStr)));
-        isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']").hasContent();
+        isExist = document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']") != null;
         // or document.selectNodes
         System.out.println(isExist);
+
+        // Good Dom4j
+        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();
+        svc.setVariableValue("user", user);
+        svc.setVariableValue("pass", pass);
+        String xpathString = "/users/user[@name=$user and @pass=$pass]";
+        org.dom4j.XPath safeXPath = document.createXPath(xpathString);
+        safeXPath.setVariableContext(svc);
+        isExist = safeXPath.selectSingleNode(document) != null;
+        System.out.println(isExist);
     }
 } catch (ParserConfigurationException e) {
 

java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.qhelp renamed to java/ql/src/Security/CWE/CWE-643/XPathInjection.qhelp

@@ -5,14 +5,14 @@
 <overview>
 <p>
 If an XPath expression is built using string concatenation, and the components of the concatenation
-include user input, a user is likely to be able to create a malicious XPath expression.
+include user input, it makes it very easy for a user to create a malicious XPath expression.
 </p>
 </overview>
 
 <recommendation>
 <p>
-If user input must be included in an XPath expression, pre-compile the query and use variable
-references to include the user input.
+If user input must be included in an XPath expression, either sanitize the data or pre-compile the query
+and use variable references to include the user input.
 </p>
 <p>
 XPath injection can also be prevented by using XQuery.
@@ -22,23 +22,23 @@ XPath injection can also be prevented by using XQuery.
 
 <example>
 <p>
-In the first, second, and third example, the code accepts a name and password specified by the user, and uses this
+In the first three examples, the code accepts a name and password specified by the user, and uses this
 unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing
 special characters or string sequences that change the meaning of the XPath expression to search
 for different values.
 </p>
 
 <p>
-In the fourth example, the code utilizes setXPathVariableResolver which prevents XPath Injection.
+In the fourth example, the code uses <code>setXPathVariableResolver</code> which prevents XPath injection.
 </p>
 <p>
-The fifth example is a dom4j XPath injection example.
+The final two examples are for dom4j. They show an example of XPath injection and one method of preventing it.
 </p>
 <sample src="XPathInjection.java" />
 </example>
 
 <references>
 <li>OWASP: <a href="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection">Testing for XPath Injection</a>.</li>
-<li>OWASP: <a href="https://www.owasp.org/index.php/XPATH_Injection">XPath Injection</a>.</li>
+<li>OWASP: <a href="https://owasp.org/www-community/attacks/XPATH_Injection">XPath Injection</a>.</li>
 </references>
 </qhelp>

java/ql/src/experimental/Security/CWE/CWE-643/XPathInjection.ql renamed to java/ql/src/Security/CWE/CWE-643/XPathInjection.ql

@@ -13,7 +13,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XmlParsers
+import semmle.code.java.security.XPath
 import DataFlow::PathGraph
 
 class XPathInjectionConfiguration extends TaintTracking::Configuration {
@@ -24,20 +24,6 @@ class XPathInjectionConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
 }
 
-class XPathInjectionSink extends DataFlow::ExprNode {
-  XPathInjectionSink() {
-    exists(Method m, MethodAccess ma | ma.getMethod() = m |
-      m.getDeclaringType().hasQualifiedName("javax.xml.xpath", "XPath") and
-      (m.hasName("evaluate") or m.hasName("compile")) and
-      ma.getArgument(0) = this.getExpr()
-      or
-      m.getDeclaringType().hasQualifiedName("org.dom4j", "Node") and
-      (m.hasName("selectNodes") or m.hasName("selectSingleNode")) and
-      ma.getArgument(0) = this.getExpr()
-    )
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
 where c.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -80,6 +80,7 @@ private module Frameworks {
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection
+  private import semmle.code.java.security.XPath
 }
 
 private predicate sourceModelCsv(string row) {

java/ql/src/semmle/code/java/security/XPath.qll

@@ -0,0 +1,58 @@
+/** Provides classes to reason about XPath vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+
+/**
+ * A sink that represents a method that interprets XPath expressions.
+ * Extend this class to add your own XPath Injection sinks.
+ */
+abstract class XPathInjectionSink extends DataFlow::Node { }
+
+/** CSV sink models representing methods susceptible to XPath Injection attacks. */
+private class DefaultXPathInjectionSinkModel extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "javax.xml.xpath;XPath;true;evaluate;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;true;evaluateExpression;;;Argument[0];xpath",
+        "javax.xml.xpath;XPath;true;compile;;;Argument[0];xpath",
+        "org.dom4j;Node;true;selectObject;;;Argument[0];xpath",
+        "org.dom4j;Node;true;selectNodes;;;Argument[0..1];xpath",
+        "org.dom4j;Node;true;selectSingleNode;;;Argument[0];xpath",
+        "org.dom4j;Node;true;numberValueOf;;;Argument[0];xpath",
+        "org.dom4j;Node;true;valueOf;;;Argument[0];xpath",
+        "org.dom4j;Node;true;matches;;;Argument[0];xpath",
+        "org.dom4j;Node;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentFactory;true;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createPattern;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createXPath;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;selectNodes;;;Argument[0];xpath",
+        "org.dom4j;DocumentHelper;false;sort;;;Argument[1];xpath",
+        "org.dom4j.tree;AbstractNode;true;createXPathFilter;;;Argument[0];xpath",
+        "org.dom4j.tree;AbstractNode;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createPattern;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createXPath;;;Argument[0];xpath",
+        "org.dom4j.util;ProxyDocumentFactory;true;createXPathFilter;;;Argument[0];xpath"
+      ]
+  }
+}
+
+/** A default sink representing methods susceptible to XPath Injection attacks. */
+private class DefaultXPathInjectionSink extends XPathInjectionSink {
+  DefaultXPathInjectionSink() {
+    sinkNode(this, "xpath")
+    or
+    exists(ClassInstanceExpr constructor |
+      constructor.getConstructedType().getASourceSupertype*().hasQualifiedName("org.dom4j", "XPath")
+      or
+      constructor.getConstructedType().hasQualifiedName("org.dom4j.xpath", "XPathPattern")
+    |
+      this.asExpr() = constructor.getArgument(0)
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-611/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0

java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.expected

@@ -0,0 +1,166 @@
+import java.io.ByteArrayInputStream;
+import java.io.StringReader;
+import java.util.ArrayList;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+
+import org.jaxen.pattern.Pattern;
+import org.dom4j.DocumentFactory;
+import org.dom4j.DocumentHelper;
+import org.dom4j.Namespace;
+import org.dom4j.Node;
+import org.dom4j.io.SAXReader;
+import org.dom4j.util.ProxyDocumentFactory;
+import org.dom4j.xpath.DefaultXPath;
+import org.dom4j.xpath.XPathPattern;
+import org.w3c.dom.Document;
+import org.xml.sax.InputSource;
+
+public class XPathInjectionTest {
+    private static abstract class XPathImplStub implements XPath {
+        public static XPathImplStub getInstance() {
+            return null;
+        }
+
+        @Override
+        public XPathExpression compile(String expression) throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public Object evaluate(String expression, Object item, QName returnType) throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public String evaluate(String expression, Object item) throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public Object evaluate(String expression, InputSource source, QName returnType)
+                throws XPathExpressionException {
+            return null;
+        }
+
+        @Override
+        public String evaluate(String expression, InputSource source) throws XPathExpressionException {
+            return null;
+        }
+
+    }
+
+    private static class ProxyDocumentFactoryStub extends ProxyDocumentFactory {
+    }
+
+    private static class PatternStub extends Pattern {
+        private String text;
+
+        PatternStub(String text) {
+            this.text = text;
+        }
+
+        public String getText() {
+            return text;
+        }
+    }
+
+    public void handle(HttpServletRequest request) throws Exception {
+        String user = request.getParameter("user");
+        String pass = request.getParameter("pass");
+        String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']";
+
+        final String xmlStr = "<users>" + "   <user name=\"aaa\" pass=\"pass1\"></user>"
+                + "   <user name=\"bbb\" pass=\"pass2\"></user>" + "</users>";
+        DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = domFactory.newDocumentBuilder();
+        InputSource xmlSource = new InputSource(new StringReader(xmlStr));
+        Document doc = builder.parse(xmlSource);
+
+        XPathFactory factory = XPathFactory.newInstance();
+        XPath xpath = factory.newXPath();
+
+        xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+        xpath.evaluateExpression(expression, xmlSource); // $hasXPathInjection
+        xpath.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        XPathImplStub xpathStub = XPathImplStub.getInstance();
+        xpathStub.evaluate(expression, doc, XPathConstants.BOOLEAN); // $hasXPathInjection
+        xpathStub.evaluateExpression(expression, xmlSource); // $hasXPathInjection
+        xpathStub.compile("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        StringBuffer sb = new StringBuffer("/users/user[@name=");
+        sb.append(user);
+        sb.append("' and @pass='");
+        sb.append(pass);
+        sb.append("']");
+        String query = sb.toString();
+
+        xpath.compile(query); // $hasXPathInjection
+        xpathStub.compile(query); // $hasXPathInjection
+
+        String expression4 = "/users/user[@name=$user and @pass=$pass]";
+        xpath.setXPathVariableResolver(v -> {
+            switch (v.getLocalPart()) {
+                case "user":
+                    return user;
+                case "pass":
+                    return pass;
+                default:
+                    throw new IllegalArgumentException();
+            }
+        });
+        xpath.evaluate(expression4, doc, XPathConstants.BOOLEAN); // Safe
+
+        SAXReader reader = new SAXReader();
+        org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
+        document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
+        document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.matches("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        document.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        new DefaultXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        new XPathPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        new XPathPattern(new PatternStub(user)); // $ MISSING: hasXPathInjection // Jaxen is not modeled yet
+
+        DocumentFactory docFactory = DocumentFactory.getInstance();
+        docFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        docFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        docFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        DocumentHelper.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        DocumentHelper.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']", new ArrayList<Node>()); // $hasXPathInjection
+        DocumentHelper.sort(new ArrayList<Node>(), "/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        ProxyDocumentFactoryStub proxyDocFactory = new ProxyDocumentFactoryStub();
+        proxyDocFactory.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        proxyDocFactory.createXPath("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        proxyDocFactory.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        Namespace namespace = new Namespace("prefix", "http://some.uri.io");
+        namespace.createPattern("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+        namespace.createXPathFilter("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
+
+        org.jaxen.SimpleVariableContext svc = new org.jaxen.SimpleVariableContext();
+        svc.setVariableValue("user", user);
+        svc.setVariableValue("pass", pass);
+        String xpathString = "/users/user[@name=$user and @pass=$pass]";
+        org.dom4j.XPath safeXPath = document.createXPath(xpathString); // Safe
+        safeXPath.setVariableContext(svc);
+        safeXPath.selectSingleNode(document); // Safe
+    }
+}

java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java

@@ -0,0 +1,28 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.XPath
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "test:xml:xpathinjection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
+}
+
+class HasXPathInjectionTest extends InlineExpectationsTest {
+  HasXPathInjectionTest() { this = "HasXPathInjectionTest" }
+
+  override string getARelevantTag() { result = "hasXPathInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasXPathInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}