This repository was archived by the owner on Apr 4, 2025. It is now read-only.

Commit d59520e

author
Keith Hoodlet
committed
Add query with passing tests; May need one update
1 parent 2d336ff commit d59520e

5 files changed

Lines changed: 41 additions & 15 deletions


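--- a/java/CWE-611/XXELocal.ql
+++ b/java/CWE-611/XXELocal.ql
@@ -17,7 +17,7 @@ import java
 import semmle.code.java.security.XmlParsers
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking2
-import DataFlow::PathGraph
+//import DataFlow::PathGraph
 import github.LocalSources
 
 class SafeSAXSourceFlowConfig extends TaintTracking2::Configuration {
@@ -42,15 +42,16 @@ class UnsafeXxeSink extends DataFlow::ExprNode {
 }
 }
 
-class XxeConfig extends TaintTracking::Configuration {
-XxeConfig() { this = "XXE.ql::XxeConfig" }
+module XXELocalConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
-override predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
+predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeXxeSink }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
-where conf.hasFlowPath(source, sink)
+module XXELocalFlow = TaintTracking::Global<XXELocalConfig>;
+import XXELocalFlow::PathGraph
+
+from XXELocalFlow::PathNode source, XXELocalFlow::PathNode sink
+where XXELocalFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
 "user input"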
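Review bot: The old import is left behind as commented-out code, `//import DataFlow::PathGraph`, at new line 20; since `import XXELocalFlow::PathGraph` now supplies the path graph, that line should be deleted rather than kept. The context at new line 23 shows `SafeSAXSourceFlowConfig` still extending `TaintTracking2::Configuration`, so the file appears to mix the class-based and module-based data-flow APIs after this change; its body lies outside the hunk, so whether it also needs migrating should be confirmed. `XXELocalConfig` has no QLDoc either; a one-line comment such as `/** Tracks taint from LocalUserInput sources to UnsafeXxeSink nodes. */` above the module would document what the query considers a source and a sink.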
679 Bytes
Binary file not shown.
1.07 KB
Binary file not shown.
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
edges
2+
| XXELocal.java:15:39:15:63 | new FileInputStream(...) : FileInputStream | XXELocal.java:16:51:16:61 | inputStream : FileInputStream |
3+
| XXELocal.java:16:35:16:62 | new InputSource(...) : InputSource | XXELocal.java:24:25:24:35 | inputSource |
4+
| XXELocal.java:16:51:16:61 | inputStream : FileInputStream | XXELocal.java:16:35:16:62 | new InputSource(...) : InputSource |
5+
nodes
6+
| XXELocal.java:15:39:15:63 | new FileInputStream(...) : FileInputStream | semmle.label | new FileInputStream(...) : FileInputStream |
7+
| XXELocal.java:16:35:16:62 | new InputSource(...) : InputSource | semmle.label | new InputSource(...) : InputSource |
8+
| XXELocal.java:16:51:16:61 | inputStream : FileInputStream | semmle.label | inputStream : FileInputStream |
9+
| XXELocal.java:24:25:24:35 | inputSource | semmle.label | inputSource |
10+
subpaths
11+
#select
12+
| XXELocal.java:24:25:24:35 | inputSource | XXELocal.java:15:39:15:63 | new FileInputStream(...) : FileInputStream | XXELocal.java:24:25:24:35 | inputSource | Unsafe parsing of XML file from $@. | XXELocal.java:15:39:15:63 | new FileInputStream(...) | user input |

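--- a/tests/java-tests/CWE-611/XXELocal.java
+++ b/tests/java-tests/CWE-611/XXELocal.java
@@ -2,7 +2,10 @@
 import java.io.FileInputStream;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
+import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.DefaultHandler;
 import org.xml.sax.XMLReader;
 
 public class XXELocal {
@@ -18,20 +21,30 @@ public static void main(String[] args) throws Exception {
 // Parse XML
 SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
 SAXParser saxParser = saxParserFactory.newSAXParser();
-saxParser.parse(inputSource, xmlReader);
+saxParser.parse(inputSource, new MyHandler());
 }
 
 private static XMLReader getXMLReader() throws Exception {
-// Create XML reader
 SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
 SAXParser saxParser = saxParserFactory.newSAXParser();
 XMLReader xmlReader = saxParser.getXMLReader();
+return xmlReader;
+}
 
-// Set properties for XML reader
-xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
-xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+private static class MyHandler extends DefaultHandler {
+@Override
+public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
+// Handle start element
+}
 
-return xmlReader;
+@Override
+public void endElement(String uri, String localName, String qName) throws SAXException {
+// Handle end element
+}
+
+@Override
+public void characters(char[] ch, int start, int length) throws SAXException {
+// Handle character data
+}
 }
 }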
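Review bot: With the `setFeature` calls removed and `saxParser.parse(inputSource, new MyHandler())` running on a default `SAXParserFactory`, this fixture is now a deliberately unsafe parse, but nothing in the file marks it as such and no hardened variant remains to show that the query stays quiet on safe code. I would annotate the call, e.g. `saxParser.parse(inputSource, new MyHandler()); // BAD: default factory, DTDs and external entities not disabled`, and add a second method that calls `saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newSAXParser()` as the expected-clean case. `getXMLReader()` is now a bare pass-through whose result is no longer handed to `parse`. The body of `main` starts outside the hunk, so if it still calls that method the call looks dead and could be dropped along with the helper.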
