This repository was archived by the owner on Apr 4, 2025. It is now read-only.

Conversation

@GeekMasher
Contributor

There is both a remote flow query but also a simple "parser is insecure" query

@GeekMasher GeekMasher requested a review from zbazztian March 14, 2022 20:00
@jorgectf

I think you might want to check this PR out for some inspiration :)

@GeekMasher
Contributor Author

@jorgectf That is some awesome work and I must have missed it because it wasn't merged when I started creating this. Yours is FAR more evolved than my queries. I will be closing this once I have tested yours to make sure it covers my cases (which from a glance it will).

@zbazztian
Contributor

@GeekMasher Looks like you might be gravitating towards the queries Jorge wrote, so let me know if you still want this reviewed.

@GeekMasher
Contributor Author

As @zbazztian and I found out, the query by @jorgectf is still not released so we'll have to wait until the new version of CodeQL has the new query bundled in it.

@jorgectf

Oh, I see it hasn't made it to the lgtm.com branch yet. Anyway, it is still under experimental/, but I believe @RasmusWL (who did outstanding work on the query) and the team are planning to promote it soon :)

@jorgectf

jorgectf commented Apr 2, 2022

FYI github/codeql#8634

@RasmusWL
Contributor

@GeekMasher I did not add the "parsing is insecure" query, but it should be very easy to create one using the vulnerableTo member-predicate of the XmlParsing concept👍
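
A minimal "parsing is insecure" query of the kind described above, added here as an example; it is not code from this PR or from the CodeQL repository. Only `XmlParsing` and `vulnerableTo` are named in the thread; the `XmlParsingVulnerabilityKind` class and its `isXxe()` predicate are assumed to exist in `semmle.python.Concepts`.

```codeql
/**
 * @name Insecure XML parsing (XXE-capable configuration)
 * @description Finds XML parsing calls whose configuration leaves them
 *              open to external entity expansion, regardless of where
 *              the parsed input comes from (no taint tracking).
 * @kind problem
 * @problem.severity warning
 * @id py/example-insecure-xml-parsing
 */

import python
import semmle.python.Concepts

// XmlParsing is the concept that every modelled XML parsing call implements.
// vulnerableTo(kind) holds when the call is not hardened against `kind`.
// XmlParsingVulnerabilityKind and isXxe() are assumed names from the
// Concepts library; they are not mentioned in the thread itself.
from XmlParsing parsing, XmlParsingVulnerabilityKind kind
where
  parsing.vulnerableTo(kind) and
  kind.isXxe()
select parsing, "XML parsing call is configured in a way that allows " + kind + "."
```

As the later comment in this thread points out, on current Python and libxml2 builds such a hit is a weak-configuration finding rather than a proven exploitable XXE, so expect false positives unless the Python version in use is also checked.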

@GeekMasher GeekMasher self-assigned this Jul 27, 2022
@aegilops
Collaborator

Do we want to continue with this?

Using this query could result in FPs unless we can detect an old version of Python in use.

Modern versions of the underlying XML parsing library aren't vulnerable to this, and neither are modern versions of Python modules. The Pydoc around XML explains the situation.

@GeekMasher
Contributor Author

Closing this PR now

@GeekMasher GeekMasher closed this Dec 14, 2022
@GeekMasher GeekMasher deleted the python/xxe branch December 14, 2022 09:20