Merge pull request github#11120 from atorralba/atorralba/swift/xxe-query-xmldocument-sinks

atorralba · web-flow · commit 3ef7f3f44db2 · 2022-11-14T15:46:02.000+01:00
Swift: Adds XMLDocument sinks to the XXE query
diff --git a/swift/ql/lib/codeql/swift/security/XXE.qll b/swift/ql/lib/codeql/swift/security/XXE.qll
@@ -20,8 +20,8 @@ class XxeAdditionalTaintStep extends Unit {
 }
 
 /** The XML argument of a `XMLParser` vulnerable to XXE. */
-private class DefaultXxeSink extends XxeSink {
-  DefaultXxeSink() {
+private class XmlParserXxeSink extends XxeSink {
+  XmlParserXxeSink() {
     this.asExpr() = any(Argument a | a.getApplyExpr() instanceof VulnerableParser).getExpr()
   }
 }
@@ -67,3 +67,26 @@ private class XmlParserRef extends Expr {
 private class XmlParserType extends NominalType {
   XmlParserType() { this.getFullName() = "XMLParser" }
 }
+
+/** The XML argument of a `XMLDocument` vulnerable to XXE. */
+private class XmlDocumentXxeSink extends XxeSink {
+  XmlDocumentXxeSink() { this.asExpr() = any(VulnerableXmlDocument d).getArgument(0).getExpr() }
+}
+
+/** An `XMLDocument` that sets `nodeLoadExternalEntitiesAlways` in its options. */
+private class VulnerableXmlDocument extends ApplyExpr {
+  VulnerableXmlDocument() {
+    this.getStaticTarget().(ConstructorDecl).getEnclosingDecl().(NominalTypeDecl).getFullName() =
+      "XMLDocument" and
+    this.getArgument(1).getExpr().(ArrayExpr).getAnElement().(MemberRefExpr).getMember() instanceof
+      NodeLoadExternalEntitiesAlways
+  }
+}
+
+/** The option `XMLNode.Options.nodeLoadExternalEntitiesAlways`. */
+private class NodeLoadExternalEntitiesAlways extends VarDecl {
+  NodeLoadExternalEntitiesAlways() {
+    this.getName() = "nodeLoadExternalEntitiesAlways" and
+    this.getEnclosingDecl().(StructDecl).getFullName() = "XMLNode.Options"
+  }
+}
diff --git a/swift/ql/test/query-tests/Security/CWE-611/testXMLDocumentXXE.swift b/swift/ql/test/query-tests/Security/CWE-611/testXMLDocumentXXE.swift
@@ -0,0 +1,86 @@
+// --- stubs ---
+
+class Data {
+    init<S>(_ elements: S) {}
+}
+
+struct URL {
+	init?(string: String) {}
+}
+
+extension String {
+	init(contentsOf: URL) {
+        let data = ""
+        self.init(data)
+    }
+}
+
+class XMLNode {
+    struct Options : OptionSet {
+        let rawValue: Int
+        static let nodeLoadExternalEntitiesAlways = XMLNode.Options(rawValue: 1 << 0)
+        static let nodeLoadExternalEntitiesNever = XMLNode.Options(rawValue: 1 << 1)
+    }
+}
+
+class XMLElement {}
+
+class XMLDocument {
+    init(contentsOf: URL, options: XMLNode.Options = []) {}
+    init(data: Data, options: XMLNode.Options = []) {}
+    init(rootElement: XMLElement?) {}
+    init(xmlString: String, options: XMLNode.Options = []) {}
+}
+
+// --- tests ---
+
+func testUrl() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteUrl = URL(string: remoteString)!
+     let _ = XMLDocument(contentsOf: remoteUrl, options: [.nodeLoadExternalEntitiesAlways]) // $ hasXXE=38
+}
+
+func testUrlSafeImplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteUrl = URL(string: remoteString)!
+    let _ = XMLDocument(contentsOf: remoteUrl, options: []) // NO XXE: document doesn't enable external entities
+}
+
+func testUrlSafeExplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteUrl = URL(string: remoteString)!
+    let _ = XMLDocument(contentsOf: remoteUrl, options: [.nodeLoadExternalEntitiesNever]) // NO XXE: document disables external entities
+}
+
+func testData() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    let _ = XMLDocument(data: remoteData, options: [.nodeLoadExternalEntitiesAlways]) // $ hasXXE=56
+}
+
+func testDataSafeImplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    let _ = XMLDocument(data: remoteData, options: []) // NO XXE: document doesn't enable external entities
+}
+
+func testDataSafeExplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let remoteData = Data(remoteString)
+    let _ = XMLDocument(data: remoteData, options: [.nodeLoadExternalEntitiesNever]) // NO XXE: document disables external entities
+}
+
+func testString() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let _ = XMLDocument(xmlString: remoteString, options: [.nodeLoadExternalEntitiesAlways]) // $ hasXXE=74
+}
+
+func testStringSafeImplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let _ = XMLDocument(xmlString: remoteString, options: []) // NO XXE: document doesn't enable external entities
+}
+
+func testStringSafeExplicit() {
+    let remoteString = String(contentsOf: URL(string: "http://example.com/")!)
+    let _ = XMLDocument(xmlString: remoteString, options: [.nodeLoadExternalEntitiesNever]) // NO XXE: document disables external entities
+}
diff --git a/swift/ql/test/query-tests/Security/CWE-611/testXMLParserXXE.swift b/swift/ql/test/query-tests/Security/CWE-611/testXMLParserXXE.swift
