codeql/rust/ql/src/queries/security/CWE-611/Xxe.ql at 975843889ad70a7e42cf5c87203d69894816933c · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
/**
 * @name XML external entity expansion
 * @description Parsing user-controlled XML with external entity expansion
 *              enabled may lead to disclosure of confidential data or
 *              server-side request forgery.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.1
 * @precision high
 * @id rust/xxe
 * @tags security
 *       external/cwe/cwe-611
 *       external/cwe/cwe-776
 *       external/cwe/cwe-827
 */

import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
import codeql.rust.security.XxeExtensions

/**
 * A taint configuration for user-controlled data reaching an XML parser with
 * external entity expansion enabled.
 */
module XxeConfig implements DataFlow::ConfigSig {
  import Xxe

  predicate isSource(DataFlow::Node node) { node instanceof Source }

  predicate isSink(DataFlow::Node node) { node instanceof Sink }

  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }

  predicate observeDiffInformedIncrementalMode() { any() }
}

module XxeFlow = TaintTracking::Global<XxeConfig>;

import XxeFlow::PathGraph

from XxeFlow::PathNode sourceNode, XxeFlow::PathNode sinkNode
where XxeFlow::flowPath(sourceNode, sinkNode)
select sinkNode.getNode(), sourceNode, sinkNode,
  "XML parsing depends on a $@ without guarding against external entity expansion.",
  sourceNode.getNode(), "user-provided value"