Merge pull request #9176 from geoffw0/xxe9

C++: Clean up the XXE query QL.

Author: geoffw0

cpp/ql/src/Security/CWE/CWE-611/Libxml2.qll

@@ -0,0 +1,78 @@
+/**
+ * Models the libxml2 XML library.
+ */
+
+import cpp
+import XML
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+
+/**
+ * A call to a `libxml2` function that parses XML.
+ */
+class Libxml2ParseCall extends FunctionCall {
+  int optionsArg;
+
+  Libxml2ParseCall() {
+    exists(string fname | this.getTarget().getName() = fname |
+      fname = "xmlCtxtUseOptions" and optionsArg = 1
+      or
+      fname = "xmlReadFile" and optionsArg = 2
+      or
+      fname = ["xmlCtxtReadFile", "xmlParseInNodeContext", "xmlReadDoc", "xmlReadFd"] and
+      optionsArg = 3
+      or
+      fname = ["xmlCtxtReadDoc", "xmlCtxtReadFd", "xmlReadMemory"] and optionsArg = 4
+      or
+      fname = ["xmlCtxtReadMemory", "xmlReadIO"] and optionsArg = 5
+      or
+      fname = "xmlCtxtReadIO" and optionsArg = 6
+    )
+  }
+
+  /**
+   * Gets the argument that specifies `xmlParserOption`s.
+   */
+  Expr getOptions() { result = this.getArgument(optionsArg) }
+}
+
+/**
+ * An `xmlParserOption` for `libxml2` that is considered unsafe.
+ */
+class Libxml2BadOption extends EnumConstant {
+  Libxml2BadOption() { this.getName() = ["XML_PARSE_NOENT", "XML_PARSE_DTDLOAD"] }
+}
+
+/**
+ * The libxml2 XML library.
+ */
+class LibXml2Library extends XmlLibrary {
+  LibXml2Library() { this = "LibXml2Library" }
+
+  override predicate configurationSource(DataFlow::Node node, string flowstate) {
+    // source is an `options` argument on a libxml2 parse call that specifies
+    // at least one unsafe option.
+    //
+    // note: we don't need to track an XML object for libxml2, so we don't
+    // really need data flow. Nevertheless we jam it into this configuration,
+    // with matching sources and sinks. This allows results to be presented by
+    // the same query, in a consistent way as other results with flow paths.
+    exists(Libxml2ParseCall call, Expr options |
+      options = call.getOptions() and
+      node.asExpr() = options and
+      flowstate = "libxml2" and
+      exists(Libxml2BadOption opt |
+        globalValueNumber(options).getAnExpr().getValue().toInt().bitAnd(opt.getValue().toInt()) !=
+          0
+      )
+    )
+  }
+
+  override predicate configurationSink(DataFlow::Node node, string flowstate) {
+    // sink is the `options` argument on a `libxml2` parse call.
+    exists(Libxml2ParseCall call, Expr options |
+      options = call.getOptions() and
+      node.asExpr() = options and
+      flowstate = "libxml2"
+    )
+  }
+}

cpp/ql/src/Security/CWE/CWE-611/XML.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides a abstract classes for modeling XML libraries. This design is
+ * currently specialized for the purposes of the XXE query.
+ */
+
+import cpp
+import semmle.code.cpp.ir.dataflow.DataFlow
+import Xerces
+import Libxml2
+
+/**
+ * A flow state representing a possible configuration of an XML object.
+ */
+abstract class XxeFlowState extends DataFlow::FlowState {
+  bindingset[this]
+  XxeFlowState() { any() } // required characteristic predicate
+}
+
+/**
+ * An XML library or interface.
+ */
+abstract class XmlLibrary extends string {
+  bindingset[this]
+  XmlLibrary() { any() } // required characteristic predicate
+
+  /**
+   * Holds if `node` is the source node for a potentially unsafe configuration
+   * object for this XML library, along with `flowstate` representing its
+   * initial state.
+   */
+  abstract predicate configurationSource(DataFlow::Node node, string flowstate);
+
+  /**
+   * Holds if `node` is  the sink node where an unsafe configuration object is
+   * used to interpret XML.
+   */
+  abstract predicate configurationSink(DataFlow::Node node, string flowstate);
+}
+
+/**
+ * An `Expr` that changes the configuration of an XML object, transforming the
+ * `XxeFlowState` that flows through it.
+ */
+abstract class XxeFlowStateTransformer extends Expr {
+  /**
+   * Gets the flow state that `flowstate` is transformed into.
+   *
+   * Due to limitations of the implementation the transformation defined by this
+   * predicate must be idempotent, that is, for any input `x` it must be that:
+   * ```
+   * transform(transform(x)) = transform(x)
+   * ```
+   */
+  abstract XxeFlowState transform(XxeFlowState flowstate);
+}