Skip to content

Commit 75b3c96

Browse files
NapalysNapalys
committed
Removed libxmljs from being marked as sink for xml-bomb.
1 parent 19d6f66 commit 75b3c96

File tree

6 files changed

+11
-18
lines changed

6 files changed

+11
-18
lines changed

javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -50,8 +50,7 @@ module XML {
5050

5151
override predicate resolvesEntities(EntityKind kind) {
5252
// internal entities are always resolved
53-
kind = InternalEntity()
54-
or
53+
not kind = InternalEntity() and
5554
// other entities are only resolved if the configuration option `noent` is set to `true`
5655
exists(JS::Expr noent |
5756
this.hasOptionArgument(1, "noent", noent) and
@@ -126,8 +125,9 @@ module XML {
126125
override JS::Expr getSourceArgument() { result = this.getArgument(0) }
127126

128127
override predicate resolvesEntities(EntityKind kind) {
129-
// entities are resolved by default
130-
any()
128+
// SAX parsers in libxmljs also inherit libxml2's protection against XML bombs
129+
kind = ExternalEntity(_) or
130+
kind = ParameterEntity(true)
131131
}
132132

133133
override DataFlow::Node getAResult() {
@@ -149,8 +149,9 @@ module XML {
149149
override JS::Expr getSourceArgument() { result = this.getArgument(0) }
150150

151151
override predicate resolvesEntities(EntityKind kind) {
152-
// entities are resolved by default
153-
any()
152+
// SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs
153+
kind = ExternalEntity(_) or
154+
kind = ParameterEntity(true)
154155
}
155156

156157
override DataFlow::Node getAResult() {

javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -5,10 +5,6 @@
55
| domparser.js:11:57:11:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:57:11:59 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
66
| expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
77
| jquery.js:4:14:4:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:4:14:4:16 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value |
8-
| libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
9-
| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
10-
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
11-
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
128
edges
139
| closure.js:2:7:2:36 | src | closure.js:3:24:3:26 | src | provenance | |
1410
| closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | provenance | |
@@ -31,8 +27,4 @@ nodes
3127
| jquery.js:2:7:2:36 | src | semmle.label | src |
3228
| jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
3329
| jquery.js:4:14:4:16 | src | semmle.label | src |
34-
| libxml.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
35-
| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
36-
| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
37-
| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
3830
subpaths

javascript/ql/test/query-tests/Security/CWE-776/libxml.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,5 +2,5 @@ const express = require('express');
22
const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
5-
libxmljs.parseXml(req.param("some-xml")); // $ Alert - libxml expands internal general entities by default
5+
libxmljs.parseXml(req.param("some-xml"));
66
});

javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,5 +2,5 @@ const express = require('express');
22
const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
5-
libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert - unguarded entity expansion
5+
libxmljs.parseXml(req.param("some-xml"), { noent: true });
66
});

javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
55
const parser = new libxmljs.SaxParser();
6-
parser.parseString(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
6+
parser.parseString(req.param("some-xml"));
77
});

javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
33

44
express().get('/some/path', function(req) {
55
const parser = new libxmljs.SaxPushParser();
6-
parser.push(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
6+
parser.push(req.param("some-xml"));
77
});

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy