Merge pull request github#11138 from atorralba/atorralba/swift/xxe-query-aexml-sinks

Swift: Add AEXML sinks to XXE query

Author: atorralba

swift/ql/lib/codeql/swift/frameworks/AEXML.qll

@@ -0,0 +1,56 @@
+import swift
+
+/** The creation of an `AEXMLParser`. */
+class AexmlParser extends ApplyExpr {
+  AexmlParser() {
+    this.getStaticTarget().(ConstructorDecl).getEnclosingDecl() instanceof AexmlParserDecl
+  }
+}
+
+/** The creation of an `AEXMLDocument`. */
+class AexmlDocument extends ApplyExpr {
+  AexmlDocument() {
+    this.getStaticTarget().(ConstructorDecl).getEnclosingDecl() instanceof AexmlDocumentDecl
+  }
+}
+
+/** A call to `AEXMLDocument.loadXML(_:)`. */
+class AexmlDocumentLoadXml extends MethodApplyExpr {
+  AexmlDocumentLoadXml() {
+    exists(MethodDecl f |
+      this.getStaticTarget() = f and
+      f.hasName("loadXML(_:)") and
+      f.getEnclosingDecl() instanceof AexmlDocumentDecl
+    )
+  }
+}
+
+/** The class `AEXMLParser`. */
+class AexmlParserDecl extends ClassDecl {
+  AexmlParserDecl() { this.getFullName() = "AEXMLParser" }
+}
+
+/** The class `AEXMLDocument`. */
+class AexmlDocumentDecl extends ClassDecl {
+  AexmlDocumentDecl() { this.getFullName() = "AEXMLDocument" }
+}
+
+/** A reference to the field `AEXMLOptions.ParserSettings.shouldResolveExternalEntities`. */
+class AexmlShouldResolveExternalEntities extends MemberRefExpr {
+  AexmlShouldResolveExternalEntities() {
+    exists(FieldDecl f | this.getMember() = f |
+      f.getName() = "shouldResolveExternalEntities" and
+      f.getEnclosingDecl().(NominalTypeDecl).getType() instanceof AexmlOptionsParserSettingsType
+    )
+  }
+}
+
+/** The type `AEXMLOptions`. */
+class AexmlOptionsType extends StructType {
+  AexmlOptionsType() { this.getFullName() = "AEXMLOptions" }
+}
+
+/** The type `AEXMLOptions.ParserSettings`. */
+class AexmlOptionsParserSettingsType extends StructType {
+  AexmlOptionsParserSettingsType() { this.getFullName() = "AEXMLOptions.ParserSettings" }
+}

swift/ql/lib/codeql/swift/security/XXE.qll

@@ -2,6 +2,7 @@
 
 import swift
 private import codeql.swift.dataflow.DataFlow
+private import codeql.swift.frameworks.AEXML
 
 /** A data flow sink for XML external entities (XXE) vulnerabilities. */
 abstract class XxeSink extends DataFlow::Node { }
@@ -90,3 +91,75 @@ private class NodeLoadExternalEntitiesAlways extends VarDecl {
     this.getEnclosingDecl().(StructDecl).getFullName() = "XMLNode.Options"
   }
 }
+
+/** The XML argument of an `AEXMLDocument` vulnerable to XXE. */
+private class AexmlDocumentSink extends XxeSink {
+  AexmlDocumentSink() {
+    // `AEXMLDocument` initialized with vulnerable options.
+    exists(ApplyExpr call | this.asExpr() = call.getArgument(0).getExpr() |
+      call.(VulnerableAexmlDocument)
+          .getStaticTarget()
+          .hasName(["init(xml:options:)", "init(xml:encoding:options:)"])
+      or
+      // `loadXML` called on a vulnerable AEXMLDocument.
+      DataFlow::localExprFlow(any(VulnerableAexmlDocument v),
+        call.(AexmlDocumentLoadXml).getQualifier())
+    )
+  }
+}
+
+/** The XML argument of an `AEXMLParser` initialized with an `AEXMLDocument` vulnerable to XXE. */
+private class AexmlParserSink extends XxeSink {
+  AexmlParserSink() {
+    exists(AexmlParser parser | this.asExpr() = parser.getArgument(1).getExpr() |
+      DataFlow::localExprFlow(any(VulnerableAexmlDocument v), parser.getArgument(0).getExpr())
+    )
+  }
+}
+
+/** The creation of an `AEXMLDocument` that receives a vulnerable `AEXMLOptions` argument. */
+private class VulnerableAexmlDocument extends AexmlDocument {
+  VulnerableAexmlDocument() {
+    exists(AexmlOptions optionsArgument, VulnerableAexmlOptions vulnOpts |
+      this.getAnArgument().getExpr() = optionsArgument and
+      DataFlow::localExprFlow(vulnOpts, optionsArgument)
+    )
+  }
+}
+
+/**
+ * An `AEXMLOptions` object which contains a `parserSettings` with `shouldResolveExternalEntities`
+ * set to `true`.
+ */
+private class VulnerableAexmlOptions extends AexmlOptions {
+  VulnerableAexmlOptions() {
+    exists(
+      AexmlParserSettings parserSettings, AexmlShouldResolveExternalEntities sree, AssignExpr a
+    |
+      a.getSource() = any(BooleanLiteralExpr b | b.getValue() = true) and
+      a.getDest() = sree and
+      sree.(MemberRefExpr).getBase() = parserSettings and
+      parserSettings.(MemberRefExpr).getBase() = this
+    )
+  }
+}
+
+/** An expression of type `AEXMLOptions.ParserSettings`. */
+private class AexmlParserSettings extends Expr {
+  pragma[inline]
+  AexmlParserSettings() {
+    this.getType() instanceof AexmlOptionsParserSettingsType or
+    this.getType() = any(OptionalType t | t.getBaseType() instanceof AexmlOptionsParserSettingsType) or
+    this.getType() = any(LValueType t | t.getObjectType() instanceof AexmlOptionsParserSettingsType)
+  }
+}
+
+/** An expression of type `AEXMLOptions`. */
+private class AexmlOptions extends Expr {
+  pragma[inline]
+  AexmlOptions() {
+    this.getType() instanceof AexmlOptionsType or
+    this.getType() = any(OptionalType t | t.getBaseType() instanceof AexmlOptionsType) or
+    this.getType() = any(LValueType t | t.getObjectType() instanceof AexmlOptionsType)
+  }
+}

swift/ql/test/query-tests/Security/CWE-611/testAEXMLDocumentXXE.swift

@@ -0,0 +1,148 @@
+// --- stubs ---
+
+class Data {
+    init<S>(_ elements: S) {}
+}
+
+struct URL {
+	init?(string: String) {}
+}
+
+extension String {
+    struct Encoding: Hashable {
+        let rawValue: UInt
+        static let utf8 = String.Encoding(rawValue: 1)
+    }
+
+	init(contentsOf: URL) {
+        let data = ""
+        self.init(data)
+    }
+}
+
+class AEXMLElement {}
+
+struct AEXMLOptions {
+    var parserSettings = ParserSettings()
+
+    struct ParserSettings {
+        public var shouldResolveExternalEntities = false
+    }
+}
+
+class AEXMLDocument {
+    init(root: AEXMLElement? = nil, options: AEXMLOptions) {}
+    init(xml: Data, options: AEXMLOptions = AEXMLOptions()) {}
+    init(xml: String, encoding: String.Encoding, options: AEXMLOptions) {}
+    func loadXML(_: Data) {}
+}
+
+class AEXMLParser {
+    init(document: AEXMLDocument, data: Data) {}
+}
+
+// --- tests ---
+
+func testString() {
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = true
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let _ = AEXMLDocument(xml: remoteString, encoding: String.Encoding.utf8, options: options) // $ hasXXE=50
+}
+
+func testStringSafeImplicit() {
+    var options = AEXMLOptions()
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let _ = AEXMLDocument(xml: remoteString, encoding: String.Encoding.utf8, options: options) // NO XXE
+}
+
+func testStringSafeExplicit() {
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = false
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let _ = AEXMLDocument(xml: remoteString, encoding: String.Encoding.utf8, options: options) // NO XXE
+}
+
+func testData() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = true
+    let _ = AEXMLDocument(xml: remoteData, options: options) // $ hasXXE=70
+}
+
+func testDataSafeImplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    var options = AEXMLOptions()
+    let _ = AEXMLDocument(xml: remoteData, options: options) // NO XXE
+}
+
+func testDataSafeExplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = false
+    let _ = AEXMLDocument(xml: remoteData, options: options) // NO XXE
+}
+
+func testDataLoadXml() {
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = true
+    let doc = AEXMLDocument(root: nil, options: options)
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    doc.loadXML(remoteData) // $ hasXXE=97
+}
+
+func testDataLoadXmlSafeImplicit() {
+    var options = AEXMLOptions()
+    let doc = AEXMLDocument(root: nil, options: options)
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    doc.loadXML(remoteData) // NO XXE
+}
+
+func testDataLoadXmlSafeExplicit() {
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = false
+    let doc = AEXMLDocument(root: nil, options: options)
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    doc.loadXML(remoteData) // NO XXE
+}
+
+func testParser() {
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = true
+    let doc = AEXMLDocument(root: nil, options: options)
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    let _ = AEXMLParser(document: doc, data: remoteData) // $ hasXXE=126
+}
+
+func testParserSafeImplicit() {
+    var options = AEXMLOptions()
+    let doc = AEXMLDocument(root: nil, options: options)
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    let _ = AEXMLParser(document: doc, data: remoteData) // NO XXE
+}
+
+func testParserSafeExplicit() {
+    var options = AEXMLOptions()
+    options.parserSettings.shouldResolveExternalEntities = false
+    let doc = AEXMLDocument(root: nil, options: options)
+
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    let _ = AEXMLParser(document: doc, data: remoteData) // NO XXE
+}