Merge pull request #10585 from github/nickrolfe/libxml-xxe

Ruby: detect uses of LibXML with entity substitution enabled by default

Author: nickrolfe

ruby/ql/lib/codeql/ruby/frameworks/XmlParsing.qll

@@ -45,6 +45,33 @@ private class NokogiriXmlParserCall extends XmlParserCall::Range, DataFlow::Call
   }
 }
 
+/**
+ * Holds if `assign` enables the `default_substitute_entities` option in
+ * libxml-ruby.
+ */
+private predicate enablesLibXmlDefaultEntitySubstitution(AssignExpr assign) {
+  // look for an assignment inside:
+  // XML.class_eval do
+  //   def self.default_substitute_entities
+  //     ...
+  //   end
+  // end
+  exists(MethodCall classEvalCall, SingletonMethod defaultSubstituteEntitiesMethod |
+    classEvalCall.getMethodName() = "class_eval" and
+    classEvalCall.getReceiver().(ConstantReadAccess).getName() = "XML" and
+    defaultSubstituteEntitiesMethod.getName() = "default_substitute_entities" and
+    defaultSubstituteEntitiesMethod.getEnclosingCallable() = classEvalCall.getBlock() and
+    defaultSubstituteEntitiesMethod = assign.getEnclosingMethod()
+  ) and
+  // that assignment should be to `default_substitute_entities`.
+  exists(MethodCall c | c = assign.getLeftOperand() |
+    c.getMethodName() = "default_substitute_entities" and
+    c.getReceiver().(ConstantReadAccess).getName() = "XML"
+  ) and
+  // and the right-hand side should be true
+  assign.getRightOperand().getConstantValue().isBoolean(true)
+}
+
 private class LibXmlRubyXmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
   LibXmlRubyXmlParserCall() {
     this =
@@ -66,9 +93,63 @@ private class LibXmlRubyXmlParserCall extends XmlParserCall::Range, DataFlow::Ca
           trackDisableFeature(TNONET())
         ].asExpr()
     )
+    or
+    // If the database contains a call to set `default_substitute_entities` to
+    // true, then we assume external entities are enabled for this call
+    exists(AssignExpr ae | enablesLibXmlDefaultEntitySubstitution(ae))
   }
 }
 
+/**
+ * Holds if `call` sets `ActiveSupport::XmlMini.backend` to `"LibXML"`.
+ */
+private predicate setsXmlMiniBackendToLibXml(DataFlow::CallNode call) {
+  call = API::getTopLevelMember("ActiveSupport").getMember("XmlMini").getAMethodCall("backend=") and
+  call.getArgument(0)
+      .asExpr()
+      .(CfgNodes::ExprNodes::AssignExprCfgNode)
+      .getRhs()
+      .getConstantValue()
+      .isString("LibXML")
+}
+
+/**
+ * Holds if the database contains a call that sets
+ * `ActiveSupport::XmlMini.backend` to `"LibXML"` as well as a call to enable
+ * LibXML's `default_substitute_entities`.
+ */
+private predicate xmlMiniEntitySubstitutionEnabled() {
+  setsXmlMiniBackendToLibXml(_) and
+  enablesLibXmlDefaultEntitySubstitution(_)
+}
+
+/**
+ * A call to `ActiveSupport::XmlMini.parse` considered as an `XmlParserCall`.
+ */
+private class XmlMiniXmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
+  XmlMiniXmlParserCall() {
+    this = API::getTopLevelMember("ActiveSupport").getMember("XmlMini").getAMethodCall("parse")
+  }
+
+  override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+  override predicate externalEntitiesEnabled() { xmlMiniEntitySubstitutionEnabled() }
+}
+
+/**
+ * A call to `Hash.from_xml` or `Hash.from_trusted_xml` considered as an
+ * `XmlParserCall`.
+ */
+private class HashFromXmlXmlParserCall extends XmlParserCall::Range, DataFlow::CallNode {
+  HashFromXmlXmlParserCall() {
+    this = API::getTopLevelMember("Hash").getAMethodCall(["from_xml", "from_trusted_xml"])
+  }
+
+  override DataFlow::Node getInput() { result = this.getArgument(0) }
+
+  override predicate externalEntitiesEnabled() { xmlMiniEntitySubstitutionEnabled() }
+}
+
 private newtype TFeature =
   TNOENT() or
   TNONET() or

ruby/ql/src/change-notes/2022-09-27-libxml-xxe.md

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* The `rb/xxe` query has been updated to add the following sinks for XML external entity expansion:
+    1. Calls to parse XML using `LibXML` when its `default_substitute_entities` option is enabled.
+    2. Uses of the Rails methods `ActiveSupport::XmlMini.parse`, `Hash.from_xml`, and `Hash.from_trusted_xml` when `ActiveSupport::XmlMini` is configured to use `LibXML` as its backend, and its `default_substitute_entities` option is enabled.

ruby/ql/test/query-tests/security/cwe-611/libxml-backend/LibXmlBackend.rb

@@ -0,0 +1,23 @@
+require 'xml'
+require 'libxml'
+
+# Change the ActiveSupport XML backend from REXML to LibXML
+ActiveSupport::XmlMini.backend = 'LibXML'
+
+# Allow entity replacement in LibXML parsing
+LibXML::XML.class_eval do
+  def self.default_substitute_entities
+    XML.default_substitute_entities = true
+  end
+end
+
+class LibXmlRubyXXE < ApplicationController
+  def foo
+    content = params[:xml]
+
+    LibXML::XML::Parser.file(content, { options: 2048 })
+    Hash.from_xml(content)
+    Hash.from_trusted_xml(content)
+    ActiveSupport::XmlMini.parse(content)
+  end
+end

ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.expected

@@ -0,0 +1,19 @@
+edges
+| LibXmlBackend.rb:16:15:16:20 | call to params :  | LibXmlBackend.rb:16:15:16:26 | ...[...] :  |
+| LibXmlBackend.rb:16:15:16:26 | ...[...] :  | LibXmlBackend.rb:18:30:18:36 | content |
+| LibXmlBackend.rb:16:15:16:26 | ...[...] :  | LibXmlBackend.rb:19:19:19:25 | content |
+| LibXmlBackend.rb:16:15:16:26 | ...[...] :  | LibXmlBackend.rb:20:27:20:33 | content |
+| LibXmlBackend.rb:16:15:16:26 | ...[...] :  | LibXmlBackend.rb:21:34:21:40 | content |
+nodes
+| LibXmlBackend.rb:16:15:16:20 | call to params :  | semmle.label | call to params :  |
+| LibXmlBackend.rb:16:15:16:26 | ...[...] :  | semmle.label | ...[...] :  |
+| LibXmlBackend.rb:18:30:18:36 | content | semmle.label | content |
+| LibXmlBackend.rb:19:19:19:25 | content | semmle.label | content |
+| LibXmlBackend.rb:20:27:20:33 | content | semmle.label | content |
+| LibXmlBackend.rb:21:34:21:40 | content | semmle.label | content |
+subpaths
+#select
+| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params :  | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
+| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params :  | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
+| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params :  | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
+| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params :  | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |

ruby/ql/test/query-tests/security/cwe-611/Xxe.qlref renamed to ruby/ql/test/query-tests/security/cwe-611/libxml-backend/Xxe.qlref

@@ -13,4 +13,8 @@ class LibXmlRubyXXE < ApplicationController
 
     LibXML::XML::Parser.file(content, { options: 2048 }) # OK
 
+    Hash.from_xml(content) # OK - entity substitution is disabled by default
+    Hash.from_trusted_xml(content) # OK - entity substitution is disabled by default
+    ActiveSupport::XmlMini.parse(content) # OK - entity substitution is disabled by default
+
 end

ruby/ql/test/query-tests/security/cwe-611/LibXmlRuby.rb renamed to ruby/ql/test/query-tests/security/cwe-611/xxe/LibXmlRuby.rb

@@ -0,0 +1 @@
+queries/security/cwe-611/Xxe.ql