
Commit 0f3918a

authored
Merge pull request github#13773 from atorralba/atorralba/java/mdht-xxe-sink
Java: Add XXE sinks for MDHT
2 parents a5c8917 + 2cbb7ed commit 0f3918a


271 files changed

+8984
-1
lines changed


271 files changed

+8984
-1
lines changed
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
/** Provides definitions related to XML parsing in Model-Driven Health Tools. */
2+
3+
import java
4+
private import semmle.code.java.security.XmlParsers
5+
6+
/** A call to `CDAUtil.load` or `CDAUtil.loadAs`. */
7+
private class CdaUtilLoad extends XmlParserCall {
8+
CdaUtilLoad() {
9+
this.getMethod()
10+
.hasQualifiedName("org.openhealthtools.mdht.uml.cda.util", "CDAUtil", ["load", "loadAs"])
11+
}
12+
13+
override Expr getSink() {
14+
result = this.getAnArgument() and
15+
exists(RefType t | result.getType().(RefType).getASourceSupertype*() = t |
16+
t instanceof TypeInputStream or
17+
t instanceof InputSource
18+
)
19+
}
20+
21+
override predicate isSafe() { none() }
22+
}
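Review bot: `isSafe()` is overridden as `none()` with no comment saying why, so every `CDAUtil.load`/`loadAs` call whose stream or `InputSource` argument is tainted gets reported and no caller-side hardening can ever be recognised. If the reason is that these methods give the caller no way to configure the underlying parser (not visible in this section), state it in a QLDoc line such as `/** Holds never: these methods expose no parser configuration that could disable external entity resolution. */`, so a later maintainer does not read it as a placeholder. `getSink()` would benefit from a one-line QLDoc too, noting that only arguments whose static type is an `InputStream` or `InputSource` subtype are treated as sinks; an argument declared with a broader type would not match.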

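--- a/java/ql/lib/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
@@ -9,6 +9,7 @@ private module Frameworks {
 private import semmle.code.java.frameworks.apache.CommonsXml
 private import semmle.code.java.frameworks.javaee.Xml
 private import semmle.code.java.frameworks.javase.Beans
+private import semmle.code.java.frameworks.mdht.MdhtXml
 private import semmle.code.java.frameworks.rundeck.RundeckXml
 }
 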
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the MDHT library.
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
import java.io.InputStream;
2+
import java.io.InputStreamReader;
3+
import java.net.Socket;
4+
import org.openhealthtools.mdht.uml.cda.util.CDAUtil;
5+
import org.xml.sax.InputSource;
6+
7+
public class CdaUtilTests {
8+
9+
public void test(Socket sock) throws Exception {
10+
InputStream is = sock.getInputStream();
11+
InputSource iSrc = new InputSource(new InputStreamReader(is));
12+
CDAUtil.load(is); // $ hasTaintFlow
13+
CDAUtil.load(iSrc); // $ hasTaintFlow
14+
CDAUtil.load(is, (CDAUtil.ValidationHandler) null); // $ hasTaintFlow
15+
CDAUtil.load(is, (CDAUtil.LoadHandler) null); // $ hasTaintFlow
16+
CDAUtil.load(null, null, is, null); // $ hasTaintFlow
17+
CDAUtil.load(iSrc, (CDAUtil.ValidationHandler) null); // $ hasTaintFlow
18+
CDAUtil.load(iSrc, (CDAUtil.LoadHandler) null); // $ hasTaintFlow
19+
CDAUtil.load(null, null, iSrc, null); // $ hasTaintFlow
20+
CDAUtil.loadAs(is, null); // $ hasTaintFlow
21+
CDAUtil.loadAs(is, null, null); // $ hasTaintFlow
22+
}
23+
}
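Review bot: Every call in `test` carries `// $ hasTaintFlow`, so nothing in this file pins where the new MDHT model should stay silent. A call that passes a stream not derived from `sock`, left without an annotation, would catch a regression that flags every `CDAUtil.load` call regardless of taint. `loadAs` is exercised only with `InputStream` arguments; if the stubbed API has an `InputSource` overload (the stubs are not rendered on this page), it should be covered as well. A short comment above `test` stating that `sock.getInputStream()` is the remote source for all expectations would make the annotations easier to audit.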
Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.3.8/
1+
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.3.8/:${testdir}/../../../stubs/mdht-1.2.0/

java/ql/test/stubs/mdht-1.2.0/javax/xml/namespace/QName.java

Lines changed: 20 additions & 0 deletions

java/ql/test/stubs/mdht-1.2.0/org/eclipse/emf/common/notify/Adapter.java

Lines changed: 14 additions & 0 deletions

java/ql/test/stubs/mdht-1.2.0/org/eclipse/emf/common/notify/AdapterFactory.java

Lines changed: 15 additions & 0 deletions

java/ql/test/stubs/mdht-1.2.0/org/eclipse/emf/common/notify/Notification.java

Lines changed: 50 additions & 0 deletions

java/ql/test/stubs/mdht-1.2.0/org/eclipse/emf/common/notify/NotificationChain.java

Lines changed: 11 additions & 0 deletions
