C++: Add support for createLSParser.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-611/XXE.ql

@@ -163,6 +163,13 @@ class ParseFunction extends Function {
   ParseFunction() { this.getClassAndName("parse") instanceof AbstractDOMParserClass }
 }
 
+/**
+ * The `createLSParser` function that returns a newly created `LSParser` object.
+ */
+class CreateLSParser extends Function {
+  CreateLSParser() { this.hasName("createLSParser") }
+}
+
 /**
  * Configuration for tracking XML objects and their states.
  */
@@ -178,6 +185,13 @@ class XXEConfiguration extends DataFlow::Configuration {
         call.getThisArgument() and
       encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
     )
+    or
+    // source is the result of a call to `createLSParser`.
+    exists(Call call |
+      call.getTarget() instanceof CreateLSParser and
+      call = node.asExpr() and
+      encodeXercesDOMFlowState(flowstate, 0, 1) // default configuration
+    )
   }
 
   override predicate isSink(DataFlow::Node node, string flowstate) {
@@ -208,5 +222,4 @@ class XXEConfiguration extends DataFlow::Configuration {
 from XXEConfiguration conf, DataFlow::PathNode source, DataFlow::PathNode sink
 where conf.hasFlowPath(source, sink)
 select sink, source, sink,
-  "This $@ is not configured to prevent an XML external entity (XXE) attack.", source,
-  "XML parser"
+  "This $@ is not configured to prevent an XML external entity (XXE) attack.", source, "XML parser"

cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected

@@ -25,6 +25,7 @@ edges
 | tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:146:18:146:18 | q |
 | tests.cpp:144:18:144:18 | q | tests.cpp:130:39:130:39 | p |
 | tests.cpp:146:18:146:18 | q | tests.cpp:134:39:134:39 | p |
+| tests.cpp:150:16:150:29 | call to createLSParser | tests.cpp:152:2:152:2 | p |
 nodes
 | tests.cpp:33:23:33:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
 | tests.cpp:35:2:35:2 | p | semmle.label | p |
@@ -61,6 +62,8 @@ nodes
 | tests.cpp:140:23:140:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
 | tests.cpp:144:18:144:18 | q | semmle.label | q |
 | tests.cpp:146:18:146:18 | q | semmle.label | q |
+| tests.cpp:150:16:150:29 | call to createLSParser | semmle.label | call to createLSParser |
+| tests.cpp:152:2:152:2 | p | semmle.label | p |
 subpaths
 #select
 | tests.cpp:35:2:35:2 | p | tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:33:23:33:43 | XercesDOMParser output argument | XML parser |
@@ -74,3 +77,4 @@ subpaths
 | tests.cpp:122:3:122:3 | q | tests.cpp:118:24:118:44 | XercesDOMParser output argument | tests.cpp:122:3:122:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:118:24:118:44 | XercesDOMParser output argument | XML parser |
 | tests.cpp:131:2:131:2 | p | tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:131:2:131:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:140:23:140:43 | XercesDOMParser output argument | XML parser |
 | tests.cpp:135:2:135:2 | p | tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:135:2:135:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:140:23:140:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:152:2:152:2 | p | tests.cpp:150:16:150:29 | call to createLSParser | tests.cpp:152:2:152:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:150:16:150:29 | call to createLSParser | XML parser |

cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp

@@ -149,7 +149,7 @@ void test10(InputSource &data) {
 void test11(InputSource &data) {
 	LSParser *p = createLSParser();
 
-	p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
+	p->parse(data); // BAD (parser not correctly configured)
 }
 
 void test12(InputSource &data) {