Merge pull request #6112 from jorgectf/jorgectf/python/deserialization

Python: Port and extend XXE modeling

Author: RasmusWL

python/ql/src/experimental/Security/CWE-611/SimpleXmlRpcServer.ql

@@ -0,0 +1,25 @@
+/**
+ * @name SimpleXMLRPCServer DoS vulnerability
+ * @description SimpleXMLRPCServer is vulnerable to DoS attacks from untrusted user input
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id py/simple-xml-rpc-server-dos
+ * @tags security
+ *       external/cwe/cwe-776
+ */
+
+private import python
+private import experimental.semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+from DataFlow::CallCfgNode call, string kinds
+where
+  call = API::moduleImport("xmlrpc").getMember("server").getMember("SimpleXMLRPCServer").getACall() and
+  kinds =
+    strictconcat(ExperimentalXML::XMLVulnerabilityKind kind |
+      kind.isBillionLaughs() or kind.isQuadraticBlowup()
+    |
+      kind, ", "
+    )
+select call, "SimpleXMLRPCServer is vulnerable to: " + kinds + "."

python/ql/src/experimental/Security/CWE-611/XXE.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0"?>
+<!DOCTYPE dt [
+<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<test>&xxe;</test>

python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.py

@@ -0,0 +1,25 @@
+from flask import request, Flask
+import lxml.etree
+import xml.etree.ElementTree
+
+app = Flask(__name__)
+
+# BAD
+@app.route("/bad")
+def bad():
+    xml_content = request.args['xml_content']
+
+    parser = lxml.etree.XMLParser()
+    parsed_xml = xml.etree.ElementTree.fromstring(xml_content, parser=parser)
+
+    return parsed_xml.text
+
+# GOOD
+@app.route("/good")
+def good():
+    xml_content = request.args['xml_content']
+
+    parser = lxml.etree.XMLParser(resolve_entities=False)
+    parsed_xml = xml.etree.ElementTree.fromstring(xml_content, parser=parser)
+
+    return parsed_xml.text

python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.qhelp

@@ -0,0 +1,48 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Parsing untrusted XML files with a weakly configured XML parser may lead to attacks such as XML External Entity (XXE),
+Billion Laughs, Quadratic Blowup and DTD retrieval.
+This type of attack uses external entity references to access arbitrary files on a system, carry out denial of
+service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band
+data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out
+in this situation.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Use <a href="https://pypi.org/project/defusedxml/">defusedxml</a>, a Python package aimed
+to prevent any potentially malicious operation.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example calls <code>xml.etree.ElementTree.fromstring</code> using a parser (<code>lxml.etree.XMLParser</code>)
+that is not safely configured on untrusted data, and is therefore inherently unsafe.
+</p>
+<sample src="XmlEntityInjection.py"/>
+<p>
+Providing an input (<code>xml_content</code>) like the following XML content against /bad, the request response would contain the contents of
+<code>/etc/passwd</code>.
+</p>
+<sample src="XXE.xml"/>
+</example>
+
+<references>
+<li>Python 3 <a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities">XML Vulnerabilities</a>.</li>
+<li>Python 2 <a href="https://docs.python.org/2/library/xml.html#xml-vulnerabilities">XML Vulnerabilities</a>.</li>
+<li>Python <a href="https://www.edureka.co/blog/python-xml-parser-tutorial/">XML Parsing</a>.</li>
+<li>OWASP vulnerability description: <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.</li>
+<li>OWASP guidance on parsing xml files: <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python">XXE Prevention Cheat Sheet</a>.</li>
+<li>Paper by Timothy Morgen: <a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a></li>
+<li>Out-of-band data retrieval: Timur Yunusov &amp; Alexey Osipov, Black hat EU 2013: <a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.</li>
+<li>Denial of service attack (Billion laughs): <a href="https://en.wikipedia.org/wiki/Billion_laughs">Billion Laughs.</a></li>
+</references>
+
+</qhelp>

python/ql/src/experimental/Security/CWE-611/XmlEntityInjection.ql

@@ -0,0 +1,31 @@
+/**
+ * @name XML Entity injection
+ * @description User input should not be parsed allowing the injection of entities.
+ * @kind path-problem
+ * @problem.severity error
+ * @id py/xml-entity-injection
+ * @tags security
+ *       external/cwe/cwe-611
+ *       external/cwe/cwe-776
+ *       external/cwe/cwe-827
+ */
+
+// determine precision above
+import python
+import experimental.semmle.python.security.dataflow.XmlEntityInjection
+import DataFlow::PathGraph
+
+from
+  XmlEntityInjection::XmlEntityInjectionConfiguration config, DataFlow::PathNode source,
+  DataFlow::PathNode sink, string kinds
+where
+  config.hasFlowPath(source, sink) and
+  kinds =
+    strictconcat(string kind |
+      kind = sink.getNode().(XmlEntityInjection::Sink).getVulnerableKind()
+    |
+      kind, ", "
+    )
+select sink.getNode(), source, sink,
+  "$@ XML input is constructed from a $@ and is vulnerable to: " + kinds + ".", sink.getNode(),
+  "This", source.getNode(), "user-provided value"

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -14,6 +14,74 @@ private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import experimental.semmle.python.Frameworks
 
+/**
+ * Since there is both XML module in normal and experimental Concepts,
+ * we have to rename the experimental module as this.
+ */
+module ExperimentalXML {
+  /**
+   * A kind of XML vulnerability.
+   *
+   * See https://pypi.org/project/defusedxml/#python-xml-libraries
+   */
+  class XMLVulnerabilityKind extends string {
+    XMLVulnerabilityKind() {
+      this in ["Billion Laughs", "Quadratic Blowup", "XXE", "DTD retrieval"]
+    }
+
+    /** Holds for Billion Laughs vulnerability kind. */
+    predicate isBillionLaughs() { this = "Billion Laughs" }
+
+    /** Holds for Quadratic Blowup vulnerability kind. */
+    predicate isQuadraticBlowup() { this = "Quadratic Blowup" }
+
+    /** Holds for XXE vulnerability kind. */
+    predicate isXxe() { this = "XXE" }
+
+    /** Holds for DTD retrieval vulnerability kind. */
+    predicate isDtdRetrieval() { this = "DTD retrieval" }
+  }
+
+  /**
+   * A data-flow node that parses XML.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `XMLParsing` instead.
+   */
+  class XMLParsing extends DataFlow::Node instanceof XMLParsing::Range {
+    /**
+     * Gets the argument containing the content to parse.
+     */
+    DataFlow::Node getAnInput() { result = super.getAnInput() }
+
+    /**
+     * Holds if this XML parsing is vulnerable to `kind`.
+     */
+    predicate vulnerableTo(XMLVulnerabilityKind kind) { super.vulnerableTo(kind) }
+  }
+
+  /** Provides classes for modeling XML parsing APIs. */
+  module XMLParsing {
+    /**
+     * A data-flow node that parses XML.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XMLParsing` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /**
+       * Gets the argument containing the content to parse.
+       */
+      abstract DataFlow::Node getAnInput();
+
+      /**
+       * Holds if this XML parsing is vulnerable to `kind`.
+       */
+      abstract predicate vulnerableTo(XMLVulnerabilityKind kind);
+    }
+  }
+}
+
 /** Provides classes for modeling LDAP query execution-related APIs. */
 module LdapQuery {
   /**

python/ql/src/experimental/semmle/python/Frameworks.qll

@@ -3,6 +3,7 @@
  */
 
 private import experimental.semmle.python.frameworks.Stdlib
+private import experimental.semmle.python.frameworks.Xml
 private import experimental.semmle.python.frameworks.Flask
 private import experimental.semmle.python.frameworks.Django
 private import experimental.semmle.python.frameworks.Werkzeug