add support for libxml2

Author: Porcupiney Hairs

python/ql/src/experimental/semmle/python/security/injection/Xpath.qll

@@ -15,6 +15,9 @@ module XpathInjection {
   /** Returns a class value which refers to `lxml.etree` */
   Value etree() { result = Value::named("lxml.etree") }
 
+  /** Returns a class value which refers to `lxml.etree` */
+  Value libxml2parseFile() { result = Value::named("libxml2.parseFile") }
+
   /** A generic taint sink that is vulnerable to Xpath injection. */
   abstract class XpathInjectionSink extends TaintSink { }
 
@@ -83,4 +86,30 @@ module XpathInjection {
 
     override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
   }
+
+  /**
+   * A Sink representing an argument to the `xpathEval` call to a parsed libxml2 document.
+   *
+   *    import libxml2
+   *    tree = libxml2.parseFile("file.xml")
+   *    r = tree.xpathEval('`sink`')
+   */
+  private class ParseFileXpathEvalArgument extends XpathInjectionSink {
+    override string toString() { result = "libxml2.parseFile.xpathEval" }
+
+    ParseFileXpathEvalArgument() {
+      exists(
+        CallNode parseCall, CallNode xpathCall, ControlFlowNode obj, Variable var, AssignStmt assign
+      |
+        parseCall.getFunction().(AttrNode).pointsTo(libxml2parseFile()) and
+        assign.getValue().(Call).getAFlowNode() = parseCall and
+        xpathCall.getFunction().(AttrNode).getObject("xpathEval") = obj and
+        var.getAUse() = obj and
+        assign.getATarget() = var.getAStore() and
+        xpathCall.getArg(0) = this
+      )
+    }
+
+    override predicate sinks(TaintKind kind) { kind instanceof ExternalStringKind }
+  }
 }

python/ql/test/experimental/CWE-643/xpath.expected

@@ -9,25 +9,30 @@ edges
 | xpathBad.py:10:13:10:32 | externally controlled string | xpathBad.py:13:39:13:43 | externally controlled string |
 | xpathBad.py:13:39:13:43 | externally controlled string | xpathBad.py:13:20:13:43 | externally controlled string |
 | xpathBad.py:13:39:13:43 | externally controlled string | xpathBad.py:13:20:13:43 | externally controlled string |
-| xpathFlow.py:10:18:10:29 | dict of externally controlled string | xpathFlow.py:10:18:10:44 | externally controlled string |
-| xpathFlow.py:10:18:10:29 | dict of externally controlled string | xpathFlow.py:10:18:10:44 | externally controlled string |
-| xpathFlow.py:10:18:10:44 | externally controlled string | xpathFlow.py:13:20:13:29 | externally controlled string |
-| xpathFlow.py:10:18:10:44 | externally controlled string | xpathFlow.py:13:20:13:29 | externally controlled string |
-| xpathFlow.py:18:18:18:29 | dict of externally controlled string | xpathFlow.py:18:18:18:44 | externally controlled string |
-| xpathFlow.py:18:18:18:29 | dict of externally controlled string | xpathFlow.py:18:18:18:44 | externally controlled string |
-| xpathFlow.py:18:18:18:44 | externally controlled string | xpathFlow.py:21:29:21:38 | externally controlled string |
-| xpathFlow.py:18:18:18:44 | externally controlled string | xpathFlow.py:21:29:21:38 | externally controlled string |
-| xpathFlow.py:27:18:27:29 | dict of externally controlled string | xpathFlow.py:27:18:27:44 | externally controlled string |
-| xpathFlow.py:27:18:27:29 | dict of externally controlled string | xpathFlow.py:27:18:27:44 | externally controlled string |
-| xpathFlow.py:27:18:27:44 | externally controlled string | xpathFlow.py:29:29:29:38 | externally controlled string |
-| xpathFlow.py:27:18:27:44 | externally controlled string | xpathFlow.py:29:29:29:38 | externally controlled string |
-| xpathFlow.py:35:18:35:29 | dict of externally controlled string | xpathFlow.py:35:18:35:44 | externally controlled string |
-| xpathFlow.py:35:18:35:29 | dict of externally controlled string | xpathFlow.py:35:18:35:44 | externally controlled string |
-| xpathFlow.py:35:18:35:44 | externally controlled string | xpathFlow.py:37:31:37:40 | externally controlled string |
-| xpathFlow.py:35:18:35:44 | externally controlled string | xpathFlow.py:37:31:37:40 | externally controlled string |
+| xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:11:18:11:44 | externally controlled string |
+| xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:11:18:11:44 | externally controlled string |
+| xpathFlow.py:11:18:11:44 | externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string |
+| xpathFlow.py:11:18:11:44 | externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string |
+| xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:20:18:20:44 | externally controlled string |
+| xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:20:18:20:44 | externally controlled string |
+| xpathFlow.py:20:18:20:44 | externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string |
+| xpathFlow.py:20:18:20:44 | externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string |
+| xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:30:18:30:44 | externally controlled string |
+| xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:30:18:30:44 | externally controlled string |
+| xpathFlow.py:30:18:30:44 | externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string |
+| xpathFlow.py:30:18:30:44 | externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string |
+| xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:39:18:39:44 | externally controlled string |
+| xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:39:18:39:44 | externally controlled string |
+| xpathFlow.py:39:18:39:44 | externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string |
+| xpathFlow.py:39:18:39:44 | externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string |
+| xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:47:18:47:44 | externally controlled string |
+| xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:47:18:47:44 | externally controlled string |
+| xpathFlow.py:47:18:47:44 | externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string |
+| xpathFlow.py:47:18:47:44 | externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string |
 #select
 | xpathBad.py:13:20:13:43 | BinaryExpr | xpathBad.py:9:7:9:13 | django.request.HttpRequest | xpathBad.py:13:20:13:43 | externally controlled string | This Xpath query depends on $@. | xpathBad.py:9:7:9:13 | request | a user-provided value |
-| xpathFlow.py:13:20:13:29 | xpathQuery | xpathFlow.py:10:18:10:29 | dict of externally controlled string | xpathFlow.py:13:20:13:29 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:10:18:10:29 | Attribute | a user-provided value |
-| xpathFlow.py:21:29:21:38 | xpathQuery | xpathFlow.py:18:18:18:29 | dict of externally controlled string | xpathFlow.py:21:29:21:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:18:18:18:29 | Attribute | a user-provided value |
-| xpathFlow.py:29:29:29:38 | xpathQuery | xpathFlow.py:27:18:27:29 | dict of externally controlled string | xpathFlow.py:29:29:29:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:27:18:27:29 | Attribute | a user-provided value |
-| xpathFlow.py:37:31:37:40 | xpathQuery | xpathFlow.py:35:18:35:29 | dict of externally controlled string | xpathFlow.py:37:31:37:40 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:35:18:35:29 | Attribute | a user-provided value |
+| xpathFlow.py:14:20:14:29 | xpathQuery | xpathFlow.py:11:18:11:29 | dict of externally controlled string | xpathFlow.py:14:20:14:29 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:11:18:11:29 | Attribute | a user-provided value |
+| xpathFlow.py:23:29:23:38 | xpathQuery | xpathFlow.py:20:18:20:29 | dict of externally controlled string | xpathFlow.py:23:29:23:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:20:18:20:29 | Attribute | a user-provided value |
+| xpathFlow.py:32:29:32:38 | xpathQuery | xpathFlow.py:30:18:30:29 | dict of externally controlled string | xpathFlow.py:32:29:32:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:30:18:30:29 | Attribute | a user-provided value |
+| xpathFlow.py:41:31:41:40 | xpathQuery | xpathFlow.py:39:18:39:29 | dict of externally controlled string | xpathFlow.py:41:31:41:40 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:39:18:39:29 | Attribute | a user-provided value |
+| xpathFlow.py:49:29:49:38 | xpathQuery | xpathFlow.py:47:18:47:29 | dict of externally controlled string | xpathFlow.py:49:29:49:38 | externally controlled string | This Xpath query depends on $@. | xpathFlow.py:47:18:47:29 | Attribute | a user-provided value |

python/ql/test/experimental/CWE-643/xpath.py

@@ -26,8 +26,15 @@ def d():
     text = find_text(root)[0]
 
 
+def e():
+    import libxml2
+    doc = libxml2.parseFile('xpath_injection/credential.xml')
+    results = doc.xpathEval('sink')
+
+
 if __name__ == "__main__":
     a()
     b()
     c()
     d()
+    e()

python/ql/test/experimental/CWE-643/xpathFlow.py

@@ -1,4 +1,3 @@
-from lxml import etree
 from io import StringIO
 from flask import Flask, request
 
@@ -7,6 +6,8 @@
 
 @app.route("/xpath1")
 def xpath1():
+    from lxml import etree
+
     xpathQuery = request.args.get('xml', '')
     f = StringIO('<foo><bar></bar></foo>')
     tree = etree.parse(f)
@@ -15,6 +16,7 @@ def xpath1():
 
 @app.route("/xpath2")
 def xpath2():
+    from lxml import etree
     xpathQuery = request.args.get('xml', '')
 
     root = etree.XML("<root><a>TEXT</a></root>")
@@ -24,6 +26,7 @@ def xpath2():
 
 @app.route("/xpath3")
 def xpath3():
+    from lxml import etree
     xpathQuery = request.args.get('xml', '')
     root = etree.XML("<root><a>TEXT</a></root>")
     find_text = etree.XPath(xpathQuery, smart_strings=False)
@@ -32,7 +35,15 @@ def xpath3():
 
 @app.route("/xpath4")
 def xpath4():
+    from lxml import etree
     xpathQuery = request.args.get('xml', '')
     root = etree.XML("<root><a>TEXT</a></root>")
     find_text = etree.ETXPath(xpathQuery)
     text = find_text(root)[0]
+
+@app.route("/xpath5")
+def xpath5():
+    import libxml2
+    xpathQuery = request.args.get('xml', '')
+    doc = libxml2.parseFile('xpath_injection/credential.xml')
+    results = doc.xpathEval(xpathQuery)

python/ql/test/experimental/CWE-643/xpathSinks.expected

@@ -2,9 +2,11 @@
 | xpath.py:13:29:13:38 | lxml.etree.Xpath | externally controlled string |
 | xpath.py:19:29:19:38 | lxml.etree.Xpath | externally controlled string |
 | xpath.py:25:38:25:46 | lxml.etree.ETXpath | externally controlled string |
+| xpath.py:32:29:32:34 | libxml2.parseFile.xpathEval | externally controlled string |
 | xpathBad.py:13:20:13:43 | lxml.etree.parse.xpath | externally controlled string |
-| xpathFlow.py:13:20:13:29 | lxml.etree.parse.xpath | externally controlled string |
-| xpathFlow.py:21:29:21:38 | lxml.etree.Xpath | externally controlled string |
-| xpathFlow.py:29:29:29:38 | lxml.etree.Xpath | externally controlled string |
-| xpathFlow.py:37:31:37:40 | lxml.etree.ETXpath | externally controlled string |
+| xpathFlow.py:14:20:14:29 | lxml.etree.parse.xpath | externally controlled string |
+| xpathFlow.py:23:29:23:38 | lxml.etree.Xpath | externally controlled string |
+| xpathFlow.py:32:29:32:38 | lxml.etree.Xpath | externally controlled string |
+| xpathFlow.py:41:31:41:40 | lxml.etree.ETXpath | externally controlled string |
+| xpathFlow.py:49:29:49:38 | libxml2.parseFile.xpathEval | externally controlled string |
 | xpathGood.py:13:20:13:37 | lxml.etree.parse.xpath | externally controlled string |

python/ql/test/experimental/CWE-643/xpathSinks.ql

@@ -3,4 +3,4 @@ import experimental.semmle.python.security.injection.Xpath
 
 from XpathInjection::XpathInjectionSink sink, TaintKind kind
 where sink.sinks(kind)
-select sink, kind
+select sink, kind

python/ql/test/query-tests/Security/lib/libxml2/__init__.py

@@ -0,0 +1,10 @@
+def parseFile(filename):
+    return xmlDoc(_obj=None)
+
+
+class xmlDoc(Object):
+    def __init__(self, _obj=None):
+        pass
+
+    def xpathEval(self, expr):
+        pass