
Commit cee7aed

authored
Merge pull request #9142 from geoffw0/xxe8
C++: Fixes some typos and increases the XXE query precision.
2 parents 83f817c + 776857e commit cee7aed


2 files changed

+17
-13
lines changed


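--- a/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -7,7 +7,7 @@
 * @id cpp/external-entity-expansion
 * @problem.severity warning
 * @security-severity 9.1
-* @precision medium
+* @precision high
 * @tags security
 * external/cwe/cwe-611
 */
@@ -30,7 +30,7 @@ abstract class XXEFlowState extends DataFlow::FlowState {
 * An `Expr` that changes the configuration of an XML object, transforming the
 * `XXEFlowState` that flows through it.
 */
-abstract class XXEFlowStateTranformer extends Expr {
+abstract class XXEFlowStateTransformer extends Expr {
 /**
 * Gets the flow state that `flowstate` is transformed into.
 *
@@ -119,10 +119,10 @@ class XercesFlowState extends XXEFlowState {
 * `SAXParser.setDisableDefaultEntityResolution`. Transforms the flow
 * state through the qualifier according to the setting in the parameter.
 */
-class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
+class DisableDefaultEntityResolutionTransformer extends XXEFlowStateTransformer {
 Expr newValue;
 
-DisableDefaultEntityResolutionTranformer() {
+DisableDefaultEntityResolutionTransformer() {
 exists(Call call, Function f |
 call.getTarget() = f and
 (
@@ -154,10 +154,10 @@ class DisableDefaultEntityResolutionTranformer extends XXEFlowStateTranformer {
 * `AbstractDOMParser.setCreateEntityReferenceNodes`. Transforms the flow
 * state through the qualifier according to the setting in the parameter.
 */
-class CreateEntityReferenceNodesTranformer extends XXEFlowStateTranformer {
+class CreateEntityReferenceNodesTransformer extends XXEFlowStateTransformer {
 Expr newValue;
 
-CreateEntityReferenceNodesTranformer() {
+CreateEntityReferenceNodesTransformer() {
 exists(Call call, Function f |
 call.getTarget() = f and
 f.getClassAndName("setCreateEntityReferenceNodes") instanceof AbstractDOMParserClass and
@@ -195,10 +195,10 @@ class FeatureDisableDefaultEntityResolution extends Variable {
 * specifying the feature `XMLUni::fgXercesDisableDefaultEntityResolution`.
 * Transforms the flow state through the qualifier according to this setting.
 */
-class SetFeatureTranformer extends XXEFlowStateTranformer {
+class SetFeatureTransformer extends XXEFlowStateTransformer {
 Expr newValue;
 
-SetFeatureTranformer() {
+SetFeatureTransformer() {
 exists(Call call, Function f |
 call.getTarget() = f and
 f.getClassAndName("setFeature") instanceof Sax2XmlReader and
@@ -246,10 +246,10 @@ class DomConfigurationSetParameter extends Function {
 * `DOMConfiguration` pointer returned by `DOMLSParser.getDomConfig` - and it
 * is *that* qualifier we want to transform the flow state of.
 */
-class DomConfigurationSetParameterTranformer extends XXEFlowStateTranformer {
+class DomConfigurationSetParameterTransformer extends XXEFlowStateTransformer {
 Expr newValue;
 
-DomConfigurationSetParameterTranformer() {
+DomConfigurationSetParameterTransformer() {
 exists(FunctionCall getDomConfigCall, FunctionCall setParameterCall |
 // this is the qualifier of a call to `DOMLSParser.getDomConfig`.
 getDomConfigCall.getTarget() instanceof GetDomConfig and
@@ -429,15 +429,15 @@ class XXEConfiguration extends DataFlow::Configuration {
 override predicate isAdditionalFlowStep(
 DataFlow::Node node1, string state1, DataFlow::Node node2, string state2
 ) {
-// create additional flow steps for `XXEFlowStateTranformer`s
-state2 = node2.asConvertedExpr().(XXEFlowStateTranformer).transform(state1) and
+// create additional flow steps for `XXEFlowStateTransformer`s
+state2 = node2.asConvertedExpr().(XXEFlowStateTransformer).transform(state1) and
 DataFlow::simpleLocalFlowStep(node1, node2)
 }
 
 override predicate isBarrier(DataFlow::Node node, string flowstate) {
 // when the flowstate is transformed at a call node, block the original
 // flowstate value.
-node.asConvertedExpr().(XXEFlowStateTranformer).transform(flowstate) != flowstate
+node.asConvertedExpr().(XXEFlowStateTransformer).transform(flowstate) != flowstate
 }
 }
 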
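Review bot: The `@precision high` line in the first hunk is not backed by anything visible in this commit: no test or expected-results file changes, and every other hunk in this file is a pure `Tranformer` to `Transformer` rename, so the query reports exactly what it reported at `medium`. If suite selection keys on precision the way I expect, a `warning` query at `high` starts appearing in default code-scanning results, and any way of disabling entity resolution that the transformer classes here do not model would then surface as a high-confidence CWE-611 alert. I would record the basis for the new rating in the change note, for example `* Precision raised to high after evaluation on <EVALUATION_SET_PLACEHOLDER> found no false positives.`, or link the evaluation from the pull-request description.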
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The "XML external entity expansion" (`cpp/external-entity-expansion`) query precision has been increased to `high`.
