Consider second parameter of Node.selectNodes

atorralba · atorralba · commit ab62bb66f423 · 2021-05-06T09:18:49.000+02:00
diff --git a/java/ql/src/semmle/code/java/security/XPath.qll b/java/ql/src/semmle/code/java/security/XPath.qll
@@ -18,6 +18,8 @@ private class XPathEvaluation extends MethodAccess {
       m.hasName(["evaluate", "evaluateExpression", "compile"])
     )
   }
+
+  Expr getSink() { result = this.getArgument(0) }
 }
 
 /** The interface `org.dom4j.Node` */
@@ -27,16 +29,25 @@ private class Dom4JNode extends Interface {
 
 /** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
 private class NodeXPathEvaluation extends MethodAccess {
+  Expr sink;
+
   NodeXPathEvaluation() {
-    exists(Method m |
-      this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode
+    exists(Method m, int index |
+      this.getMethod() = m and
+      m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode and
+      sink = this.getArgument(index)
     |
       m.hasName([
           "selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",
           "createXPath"
-        ])
+        ]) and
+      index = 0
+      or
+      m.hasName("selectNodes") and index in [0, 1]
     )
   }
+
+  Expr getSink() { result = sink }
 }
 
 /**
@@ -47,7 +58,7 @@ abstract class XPathInjectionSink extends DataFlow::Node { }
 
 private class DefaultXPathInjectionSink extends XPathInjectionSink {
   DefaultXPathInjectionSink() {
-    exists(NodeXPathEvaluation sink | sink.getArgument(0) = this.asExpr()) or
-    exists(XPathEvaluation sink | sink.getArgument(0) = this.asExpr())
+    exists(NodeXPathEvaluation sink | sink.getSink() = this.asExpr()) or
+    exists(XPathEvaluation sink | sink.getSink() = this.asExpr())
   }
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-643/A.java b/java/ql/test/experimental/query-tests/security/CWE-643/A.java
@@ -107,7 +107,7 @@ public void handle(HttpServletRequest request) throws Exception {
             org.dom4j.Document document = reader.read(new ByteArrayInputStream(xmlStr.getBytes()));
             document.selectObject("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.selectNodes("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
-            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // Safe-ish
+            document.selectNodes("/users/user[@name='test']", "/users/user[@pass='" + pass + "']"); // $hasXPathInjection
             document.selectSingleNode("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.valueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection
             document.numberValueOf("/users/user[@name='" + user + "' and @pass='" + pass + "']"); // $hasXPathInjection

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ private class XPathEvaluation extends MethodAccess {`
`18`	`18`	`m.hasName(["evaluate", "evaluateExpression", "compile"])`
`19`	`19`	`)`
`20`	`20`	`}`
	`21`	`+`
	`22`	`+ Expr getSink() { result = this.getArgument(0) }`
`21`	`23`	`}`
`22`	`24`
`23`	`25`	/** The interface `org.dom4j.Node` */
`@@ -27,16 +29,25 @@ private class Dom4JNode extends Interface {`
`27`	`29`
`28`	`30`	/** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
`29`	`31`	`private class NodeXPathEvaluation extends MethodAccess {`
	`32`	`+ Expr sink;`
	`33`	`+`
`30`	`34`	`NodeXPathEvaluation() {`
`31`		`- exists(Method m \|`
`32`		`- this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode`
	`35`	`+ exists(Method m, int index \|`
	`36`	`+ this.getMethod() = m and`
	`37`	`+ m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode and`
	`38`	`+ sink = this.getArgument(index)`
`33`	`39`	`\|`
`34`	`40`	`m.hasName([`
`35`	`41`	`"selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",`
`36`	`42`	`"createXPath"`
`37`		`- ])`
	`43`	`+ ]) and`
	`44`	`+ index = 0`
	`45`	`+ or`
	`46`	`+ m.hasName("selectNodes") and index in [0, 1]`
`38`	`47`	`)`
`39`	`48`	`}`
	`49`	`+`
	`50`	`+ Expr getSink() { result = sink }`
`40`	`51`	`}`
`41`	`52`
`42`	`53`	`/**`
`@@ -47,7 +58,7 @@ abstract class XPathInjectionSink extends DataFlow::Node { }`
`47`	`58`
`48`	`59`	`private class DefaultXPathInjectionSink extends XPathInjectionSink {`
`49`	`60`	`DefaultXPathInjectionSink() {`
`50`		`- exists(NodeXPathEvaluation sink \| sink.getArgument(0) = this.asExpr()) or`
`51`		`- exists(XPathEvaluation sink \| sink.getArgument(0) = this.asExpr())`
	`61`	`+ exists(NodeXPathEvaluation sink \| sink.getSink() = this.asExpr()) or`
	`62`	`+ exists(XPathEvaluation sink \| sink.getSink() = this.asExpr())`
`52`	`63`	`}`
`53`	`64`	`}`