Merge pull request #7915 from yoff/python/promote-xpath-injection

Python: promote XPath injection query

Author: RasmusWL

docs/codeql/support/reusables/frameworks.rst

@@ -206,3 +206,5 @@ Python built-in support
    pycryptodomex, Cryptography library
    rsa, Cryptography library
    MarkupSafe, Escaping Library
+   libxml2, XML processing library
+   lxml, XML processing library

python/ql/lib/semmle/python/Concepts.qll

@@ -334,6 +334,7 @@ module CodeExecution {
 
 /**
  * A data-flow node that constructs an SQL statement.
+ *
  * Often, it is worthy of an alert if an SQL statement is constructed such that
  * executing it would be a security risk.
  *
@@ -355,11 +356,14 @@ class SqlConstruction extends DataFlow::Node {
 module SqlConstruction {
   /**
    * A data-flow node that constructs an SQL statement.
+   *
    * Often, it is worthy of an alert if an SQL statement is constructed such that
    * executing it would be a security risk.
    *
+   * If it is important that the SQL statement is indeed executed, then use `SQLExecution`.
+   *
    * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `SqlExecution` instead.
+   * extend `SqlConstruction` instead.
    */
   abstract class Range extends DataFlow::Node {
     /** Gets the argument that specifies the SQL statements to be constructed. */
@@ -449,6 +453,105 @@ module RegexExecution {
   }
 }
 
+/** Provides classes for modeling XML-related APIs. */
+module XML {
+  /**
+   * A data-flow node that constructs an XPath expression.
+   *
+   * Often, it is worthy of an alert if an XPath expression is constructed such that
+   * executing it would be a security risk.
+   *
+   * If it is important that the XPath expression is indeed executed, then use `XPathExecution`.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPathConstruction::Range` instead.
+   */
+  class XPathConstruction extends DataFlow::Node {
+    XPathConstruction::Range range;
+
+    XPathConstruction() { this = range }
+
+    /** Gets the argument that specifies the XPath expressions to be constructed. */
+    DataFlow::Node getXPath() { result = range.getXPath() }
+
+    /**
+     * Gets the name of this XPath expression construction, typically the name of an executing method.
+     * This is used for nice alert messages and should include the module if possible.
+     */
+    string getName() { result = range.getName() }
+  }
+
+  /** Provides a class for modeling new XPath construction APIs. */
+  module XPathConstruction {
+    /**
+     * A data-flow node that constructs an XPath expression.
+     *
+     * Often, it is worthy of an alert if an XPath expression is constructed such that
+     * executing it would be a security risk.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPathConstruction` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the argument that specifies the XPath expressions to be constructed. */
+      abstract DataFlow::Node getXPath();
+
+      /**
+       * Gets the name of this XPath expression construction, typically the name of an executing method.
+       * This is used for nice alert messages and should include the module if possible.
+       */
+      abstract string getName();
+    }
+  }
+
+  /**
+   * A data-flow node that executes a xpath expression.
+   *
+   * If the context of interest is such that merely constructing an XPath expression
+   * would be valuabe to report, then consider using `XPathConstruction`.
+   *
+   * Extend this class to refine existing API models. If you want to model new APIs,
+   * extend `XPathExecution::Range` instead.
+   */
+  class XPathExecution extends DataFlow::Node {
+    XPathExecution::Range range;
+
+    XPathExecution() { this = range }
+
+    /** Gets the data flow node for the XPath expression being executed by this node. */
+    DataFlow::Node getXPath() { result = range.getXPath() }
+
+    /**
+     * Gets the name of this XPath expression execution, typically the name of an executing method.
+     * This is used for nice alert messages and should include the module if possible.
+     */
+    string getName() { result = range.getName() }
+  }
+
+  /** Provides classes for modeling new regular-expression execution APIs. */
+  module XPathExecution {
+    /**
+     * A data-flow node that executes a XPath expression.
+     *
+     * If the context of interest is such that merely constructing an XPath expression
+     * would be valuabe to report, then consider using `XPathConstruction`.
+     *
+     * Extend this class to model new APIs. If you want to refine existing API models,
+     * extend `XPathExecution` instead.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets the data flow node for the XPath expression being executed by this node. */
+      abstract DataFlow::Node getXPath();
+
+      /**
+       * Gets the name of this xpath expression execution, typically the name of an executing method.
+       * This is used for nice alert messages and should include the module if possible.
+       */
+      abstract string getName();
+    }
+  }
+}
+
 /** Provides classes for modeling LDAP-related APIs. */
 module LDAP {
   /**

python/ql/lib/semmle/python/Frameworks.qll

@@ -24,6 +24,8 @@ private import semmle.python.frameworks.Invoke
 private import semmle.python.frameworks.Jmespath
 private import semmle.python.frameworks.Ldap
 private import semmle.python.frameworks.Ldap3
+private import semmle.python.frameworks.Libxml2
+private import semmle.python.frameworks.Lxml
 private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql

python/ql/lib/semmle/python/frameworks/Libxml2.qll

@@ -0,0 +1,45 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `libxml2` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/libxml2-python3/
+ * - http://xmlsoft.org/python.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides classes modeling security-relevant aspects of the `libxml2` PyPI package
+ *
+ * See
+ * - https://pypi.org/project/libxml2-python3/
+ * - http://xmlsoft.org/python.html
+ */
+private module Libxml2 {
+  /**
+   * A call to the `xpathEval` method of a parsed document.
+   *
+   *    import libxml2
+   *    tree = libxml2.parseFile("file.xml")
+   *    r = tree.xpathEval('`sink`')
+   *
+   * See http://xmlsoft.org/python.html
+   */
+  class XpathEvalCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    XpathEvalCall() {
+      this =
+        API::moduleImport("libxml2")
+            .getMember("parseFile")
+            .getReturn()
+            .getMember("xpathEval")
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArg(0) }
+
+    override string getName() { result = "libxml2" }
+  }
+}

python/ql/lib/semmle/python/frameworks/Lxml.qll

@@ -0,0 +1,88 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `lxml` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/lxml/
+ * - https://lxml.de/tutorial.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides classes modeling security-relevant aspects of the `lxml` PyPI package
+ *
+ * See
+ * - https://pypi.org/project/lxml/
+ * - https://lxml.de/tutorial.html
+ */
+private module Lxml {
+  /**
+   * A class constructor compiling an XPath expression.
+   *
+   *    from lxml import etree
+   *    find_text = etree.XPath("`sink`")
+   *    find_text = etree.ETXPath("`sink`")
+   *
+   * See
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XPath
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.ETXPath
+   */
+  private class XPathClassCall extends XML::XPathConstruction::Range, DataFlow::CallCfgNode {
+    XPathClassCall() {
+      this = API::moduleImport("lxml").getMember("etree").getMember(["XPath", "ETXPath"]).getACall()
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("path")] }
+
+    override string getName() { result = "lxml.etree" }
+  }
+
+  /**
+   * A call to the `xpath` method of a parsed document.
+   *
+   *    from lxml import etree
+   *    root =  etree.fromstring(file(XML_DB).read(), XMLParser())
+   *    find_text = root.xpath("`sink`")
+   *
+   * See https://lxml.de/apidoc/lxml.etree.html#lxml.etree._ElementTree.xpath
+   * as well as
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.parse
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.fromstring
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.fromstringlist
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.HTML
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XML
+   */
+  class XPathCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    XPathCall() {
+      this =
+        API::moduleImport("lxml")
+            .getMember("etree")
+            .getMember(["parse", "fromstring", "fromstringlist", "HTML", "XML"])
+            .getReturn()
+            .getMember("xpath")
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("_path")] }
+
+    override string getName() { result = "lxml.etree" }
+  }
+
+  class XPathEvaluatorCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    XPathEvaluatorCall() {
+      this =
+        API::moduleImport("lxml")
+            .getMember("etree")
+            .getMember("XPathEvaluator")
+            .getReturn()
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result = this.getArg(0) }
+
+    override string getName() { result = "lxml.etree" }
+  }
+}

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2836,6 +2836,70 @@ private module StdlibPrivate {
     override string getKind() { result = Escaping::getRegexKind() }
   }
 
+  // ---------------------------------------------------------------------------
+  // xml.etree.ElementTree
+  // ---------------------------------------------------------------------------
+  /**
+   * An instance of `xml.etree.ElementTree.ElementTree`.
+   *
+   * See https://docs.python.org/3.10/library/xml.etree.elementtree.html#xml.etree.ElementTree.ElementTree
+   */
+  private API::Node elementTreeInstance() {
+    //parse to a tree
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember("parse")
+          .getReturn()
+    or
+    // construct a tree without parsing
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember("ElementTree")
+          .getReturn()
+  }
+
+  /**
+   * An instance of `xml.etree.ElementTree.Element`.
+   *
+   * See https://docs.python.org/3.10/library/xml.etree.elementtree.html#xml.etree.ElementTree.Element
+   */
+  private API::Node elementInstance() {
+    // parse or go to the root of a tree
+    result = elementTreeInstance().getMember(["parse", "getroot"]).getReturn()
+    or
+    // parse directly to an element
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember(["fromstring", "fromstringlist", "XML"])
+          .getReturn()
+  }
+
+  /**
+   * A call to a find method on a tree or an element will execute an XPath expression.
+   */
+  private class ElementTreeFindCall extends XML::XPathExecution::Range, DataFlow::CallCfgNode {
+    string methodName;
+
+    ElementTreeFindCall() {
+      methodName in ["find", "findall", "findtext"] and
+      (
+        this = elementTreeInstance().getMember(methodName).getACall()
+        or
+        this = elementInstance().getMember(methodName).getACall()
+      )
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("match")] }
+
+    override string getName() { result = "xml.etree" }
+  }
+
   // ---------------------------------------------------------------------------
   // urllib
   // ---------------------------------------------------------------------------