Swift: Add AEXML sinks to XXE query #11138
Conversation
Only XMLParser sinks for the time being
Use an alert message consistent with the other languages
|
QHelp previews: swift/ql/src/queries/Security/CWE-611/XXE.qhelpResolving XML external entity in user-controlled dataParsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation. RecommendationThe easiest way to prevent XXE attacks is to disable external entity handling when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of ExampleThe following example uses the To guard against XXE attacks, the References
|
|
|
||
| /** An expression of type `AEXMLOptions.ParserSettings`. */ | ||
| class ParserSettings extends Expr { | ||
| pragma[inline] |
There was a problem hiding this comment.
These two pragma[inline]s are an attempt at avoiding fully computing these classes, which seemed to be potentially too big depending on the codebase. Hopefully inlining them where they are used should add the appropriate context to prevent it, while allowing us to reuse this code, but please let me know if this solution is not desirable performance-wise and/or there's a better alternative. I'll launch DCA in any case to see how this behaves.
There was a problem hiding this comment.
Yep, I agree we should do a DCA run to check how this does. Though I'm not overly concerned about Swift query performance - I think it will be more effective to do a review later on (when we have a full query suite and thus better data).
atorralba
force-pushed
the
atorralba/swift/xxe-query-aexml-sinks
branch
from
0ae7e52
to
bbf7bb3
Compare
| class AEXMLDocument { | ||
| init(root: AEXMLElement? = nil, options: AEXMLOptions) {} | ||
| init(xml: Data, options: AEXMLOptions = AEXMLOptions()) {} | ||
| init(xml: String, encoding: String.Encoding, options: AEXMLOptions) {} |
There was a problem hiding this comment.
The AEXML library itself has some defaults you don't specify here. Your test cases below obviously don't use them. Can you imagine it matters?
There was a problem hiding this comment.
The empty AEXMLOptions and String.Encoding = utf8 would hardly affect the results. At most, we could verify that we correctly have TNs when the default options: argument is used, but the test would look very similar to the ones explicitly setting an empty AEXMLOptions (i.e. the *safeImplicit test cases). I'm open to adding those additional cases nevertheless, if you think they are worth it.
There was a problem hiding this comment.
But if we decide not to, I could completely remove all defaults from the stubs, so that we are consistent and avoid potential confusion.
There was a problem hiding this comment.
I'm happy how it is. But I have wondered when implementing tests myself whether I should put effort into modelling and using default values accurately to how the libraries do it. I think you're right there isn't much difference between using a default and using a non-default value that's the same as it anyway. The query certainly doesn't care if a default is there / used.
Note this is built on top of #11086 and #11120 until those are merged (at which time this will rebased). If you want to review early, look at commit bbf7bb3 only (and potentially any other commit after that).
The caveat of these sinks is that they heavily rely on local data flow, and because of that we might have some FNs when tracking the unsafe option all the way to the actual sink requires global data flow instead.