codeql/python/ql/src/experimental/Security/CWE-643/XpathInjectionCustomizations.qll at 3416f074e8365ea250e5b3abcb1dae4e8a10dc96 · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
/**
 * Provides class and predicates to track external data that
 * may represent malicious xpath query objects.
 *
 * This module is intended to be imported into a taint-tracking query.
 */

private import python
private import semmle.python.Concepts
private import semmle.python.dataflow.new.TaintTracking
private import semmle.python.Concepts
private import semmle.python.ApiGraphs
private import semmle.python.dataflow.new.RemoteFlowSources
private import semmle.python.dataflow.new.BarrierGuards

/** Models Xpath Injection related classes and functions */
module XpathInjection {
  /**
   * A data flow source for "XPath injection" vulnerabilities.
   */
  abstract class Source extends DataFlow::Node { }

  /**
   * A data flow sink for "XPath injection" vulnerabilities.
   */
  abstract class Sink extends DataFlow::Node { }

  /**
   * A sanitizer for "XPath injection" vulnerabilities.
   */
  abstract class Sanitizer extends DataFlow::Node { }

  /**
   * A sanitizer guard for "XPath injection" vulnerabilities.
   */
  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }

  /**
   * A source of remote user input, considered as a flow source.
   */
  class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }

  /** Returns an API node referring to `lxml.etree` */
  API::Node etree() { result = API::moduleImport("lxml").getMember("etree") }

  /** Returns an API node referring to `lxml.etree` */
  API::Node etreeFromString() { result = etree().getMember("fromstring") }

  /** Returns an API node referring to `lxml.etree.parse` */
  API::Node etreeParse() { result = etree().getMember("parse") }

  /** Returns an API node referring to `lxml.etree.parse` */
  API::Node libxml2parseFile() { result = API::moduleImport("libxml2").getMember("parseFile") }

  /**
   * A Sink representing an argument to `etree.XPath` or `etree.ETXPath` call.
   *
   *    from lxml import etree
   *    root = etree.XML("<xmlContent>")
   *    find_text = etree.XPath("`sink`")
   *    find_text = etree.ETXPath("`sink`")
   */
  private class EtreeXpathArgument extends Sink {
    EtreeXpathArgument() { this = etree().getMember(["XPath", "ETXPath"]).getACall().getArg(0) }
  }

  /**
   * A Sink representing an argument to the `etree.XPath` call.
   *
   *    from lxml import etree
   *    root =  etree.fromstring(file(XML_DB).read(), XMLParser())
   *    find_text = root.xpath("`sink`")
   */
  private class EtreeFromstringXpathArgument extends Sink {
    EtreeFromstringXpathArgument() {
      this = etreeFromString().getReturn().getMember("xpath").getACall().getArg(0)
    }
  }

  /**
   * A Sink representing an argument to the `xpath` call to a parsed xml document.
   *
   *    from lxml import etree
   *    from io import StringIO
   *    f = StringIO('<foo><bar></bar></foo>')
   *    tree = etree.parse(f)
   *    r = tree.xpath('`sink`')
   */
  private class ParseXpathArgument extends Sink {
    ParseXpathArgument() { this = etreeParse().getReturn().getMember("xpath").getACall().getArg(0) }
  }

  /**
   * A Sink representing an argument to the `xpathEval` call to a parsed libxml2 document.
   *
   *    import libxml2
   *    tree = libxml2.parseFile("file.xml")
   *    r = tree.xpathEval('`sink`')
   */
  private class ParseFileXpathEvalArgument extends Sink {
    ParseFileXpathEvalArgument() {
      this = libxml2parseFile().getReturn().getMember("xpathEval").getACall().getArg(0)
    }
  }
}