
Commit 1851deb

committed
Removed libxmljs from being marked as sink for xml-bomb.
1 parent 19d6f66 commit 1851deb


6 files changed

+11
-19
lines changed


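--- a/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll
@@ -49,9 +49,7 @@ module XML {
 override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
 override predicate resolvesEntities(EntityKind kind) {
-// internal entities are always resolved
-kind = InternalEntity()
-or
+not kind = InternalEntity() and
 // other entities are only resolved if the configuration option `noent` is set to `true`
 exists(JS::Expr noent |
 this.hasOptionArgument(1, "noent", noent) and
@@ -126,8 +124,9 @@ module XML {
 override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
 override predicate resolvesEntities(EntityKind kind) {
-// entities are resolved by default
-any()
+// SAX parsers in libxmljs also inherit libxml2's protection against XML bombs
+kind = ExternalEntity(_) or
+kind = ParameterEntity(true)
 }
 
 override DataFlow::Node getAResult() {
@@ -149,8 +148,9 @@ module XML {
 override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
 override predicate resolvesEntities(EntityKind kind) {
-// entities are resolved by default
-any()
+// SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs
+kind = ExternalEntity(_) or
+kind = ParameterEntity(true)
 }
 
 override DataFlow::Node getAResult() {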
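Review bot: All three `resolvesEntities` overrides now treat internal-entity expansion as safe unconditionally, on the strength of libxml2's built-in expansion limits, and none of them accounts for a call that switches those limits off. libxml2's `XML_PARSE_HUGE` parser option relaxes them; if libxmljs forwards it as a `huge` option (worth confirming against the binding), a parse call with that option set would be an XML-bomb sink this model no longer reports. Consider keeping `kind = InternalEntity()` guarded by an `exists` on that option, shaped like the existing `noent` check, with a matching test case under CWE-776. The first hunk also has no comment for `not kind = InternalEntity() and`, unlike the two SAX hunks; something like `// internal entities are expanded, but libxml2 bounds the expansion` would record the reasoning. The first predicate's body continues past the end of its hunk.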

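--- a/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected
@@ -5,10 +5,6 @@
 | domparser.js:11:57:11:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:57:11:59 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
 | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
 | jquery.js:4:14:4:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:4:14:4:16 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value |
-| libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
-| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
-| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
-| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
 edges
 | closure.js:2:7:2:36 | src | closure.js:3:24:3:26 | src | provenance | |
 | closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | provenance | |
@@ -31,8 +27,4 @@ nodes
 | jquery.js:2:7:2:36 | src | semmle.label | src |
 | jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:14:4:16 | src | semmle.label | src |
-| libxml.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
 subpaths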

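--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.js
@@ -2,5 +2,5 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-libxmljs.parseXml(req.param("some-xml")); // $ Alert - libxml expands internal general entities by default
+libxmljs.parseXml(req.param("some-xml"));
 });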
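Review bot: With the `// $ Alert` annotation removed, the `parseXml` call on line 5 carries no hint that this file is now a negative case for the XML-bomb query; the same applies to the changed call in libxml.noent.js, libxml.sax.js and libxml.saxpush.js. A short trailing comment on each call, for example `// OK - libxml2 limits entity expansion`, would record why no alert is expected. It matters most in libxml.noent.js, where `{ noent: true }` reads as dangerous and a later maintainer could take the missing alert for a regression.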

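--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js
@@ -2,5 +2,5 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert - unguarded entity expansion
+libxmljs.parseXml(req.param("some-xml"), { noent: true });
 });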

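--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
 const parser = new libxmljs.SaxParser();
-parser.parseString(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
+parser.parseString(req.param("some-xml"));
 });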

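--- a/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js
+++ b/javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
 const parser = new libxmljs.SaxPushParser();
-parser.push(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
+parser.push(req.param("some-xml"));
 });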
