@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.
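--- a/go/ql/lib/semmle/go/frameworks/XPath.qll
+++ b/go/ql/lib/semmle/go/frameworks/XPath.qll
@@ -142,6 +142,19 @@ module XPath {
 }
 }
 
+/**
+* An XPath expression string used in an API function of the
+* [lestrrat-go/libxml2](https://github.com/lestrrat-go/libxml2) package.
+*/
+private class LestratGoLibxml2XPathExpressionString extends Range {
+LestratGoLibxml2XPathExpressionString() {
+exists(Method m, string name | name.matches("Parse%") |
+m.hasQualifiedName(package("github.com/lestrrat-go/libxml2", "parser"), "Parser", name) and
+this = m.getACall().getArgument(0)
+)
+}
+}
+
 /**
 * An XPath expression string used in an API function of the
 * [xpathparser](https://github.com/santhosh-tekuri/xpathparser) package.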
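Review bot: The methods modeled by `LestratGoLibxml2XPathExpressionString` — `parser.Parser.Parse*`, which as far as I can tell from the lestrrat-go/libxml2 API are `Parse`, `ParseString` and `ParseReader` — take the XML document to be parsed as their first argument, not an XPath expression, so this class appears to mark XML-parsing inputs as XPath-injection sinks. That would make `go/xml/xpath-injection` fire on any user-controlled XML being parsed (an XXE/CWE-611-shaped situation that belongs to a different query) while missing the library's actual XPath entry points, which I believe live in the `xpath` package (`xpath.NewExpression` and the `Find`/`Exists` methods of `xpath.Context`). I'd confirm against the library and retarget the model, e.g. `m.hasQualifiedName(package("github.com/lestrrat-go/libxml2", "xpath"), "Context", ["Find", "Exists"])` plus a `Function` case for `xpath.NewExpression`, and adjust the doc comment to name the APIs covered. If the `parser` sinks are deliberately kept, enumerating the method names is safer than the `name.matches("Parse%")` glob, which silently picks up any future `Parse*` method regardless of what its first argument is.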
284 changes: 145 additions & 139 deletions go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected


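--- a/go/ql/test/query-tests/Security/CWE-643/go.mod
+++ b/go/ql/test/query-tests/Security/CWE-643/go.mod
@@ -1,6 +1,6 @@
 module main
 
-go 1.14
+go 1.21
 
 require (
 github.com/ChrisTrenkamp/goxpath v0.0.0-20190607011252-c5096ec8773d
@@ -10,5 +10,19 @@ require (
 github.com/antchfx/xpath v1.1.5
 github.com/go-xmlpath/xmlpath v0.0.0-20150820204837-860cbeca3ebc
 github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
+github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
 github.com/santhosh-tekuri/xpathparser v1.0.0
 )
 
+require (
+github.com/davecgh/go-spew v1.1.1 // indirect
+github.com/pkg/errors v0.9.1 // indirect
+github.com/pmezard/go-difflib v1.0.0 // indirect
+github.com/stretchr/objx v0.5.0 // indirect
+github.com/stretchr/testify v1.8.4 // indirect
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 // indirect
+gopkg.in/xmlpath.v1 v1.0.0-20140413065638-a146725ea6e7 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+launchpad.net/gocheck v0.0.0-20140225173054-000000000087 // indirect
+launchpad.net/xmlpath v0.0.0-20130614043138-000000000004 // indirect
+)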
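--- a/go/ql/test/query-tests/Security/CWE-643/tst.go
+++ b/go/ql/test/query-tests/Security/CWE-643/tst.go
@@ -10,6 +10,7 @@ package main
 //go:generate depstubber -vendor github.com/jbowtie/gokogiri/xml Node
 //go:generate depstubber -vendor github.com/jbowtie/gokogiri/xpath "" Compile
 //go:generate depstubber -vendor github.com/santhosh-tekuri/xpathparser "" Parse,MustParse
+//go:generate depstubber -vendor github.com/lestrrat-go/libxml2/parser Parser New,XMLParseNoEnt
 
 import (
 "net/http"
@@ -22,6 +22,7 @@ import (
 "github.com/go-xmlpath/xmlpath"
 gokogiriXml "github.com/jbowtie/gokogiri/xml"
 gokogiriXpath "github.com/jbowtie/gokogiri/xpath"
+"github.com/lestrrat-go/libxml2/parser"
 "github.com/santhosh-tekuri/xpathparser"
 )
 
@@ -185,3 +187,13 @@ func testJbowtieGokogiri(r *http.Request, n gokogiriXml.Node) {
 // OK: This is not flagged, since the creation of `xpath` is already flagged.
 _ = n.EvalXPathAsBoolean(xpath, nil)
 }
+
+func testLestratGoLibxml2(r *http.Request) {
+r.ParseForm()
+username := r.Form.Get("username")
+
+p := parser.New(parser.XMLParseNoEnt)
+
+// BAD: User input used directly in an XPath expression
+_, _ = p.ParseString("//users/user[login/text()='" + username + "']/home_dir/text()")
+}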
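Review bot: The `// BAD` case in `testLestratGoLibxml2` hands the attacker-controlled string to `p.ParseString`, which, as I read the lestrrat-go/libxml2 API, parses an XML document rather than evaluating an XPath expression, so the fixture demonstrates XML parsing of untrusted input, not XPath injection; the XPath path in that library appears to go through the `xpath` package (`xpath.NewExpression`, `xpath.Context.Find`), and that is what this test should call once the model targets it. Separately, `parser.New(parser.XMLParseNoEnt)` turns on entity substitution (libxml2's `XML_PARSE_NOENT`), which together with untrusted XML is the classic XXE (CWE-611) setup; since this file is a CWE-643 fixture, I'd drop the option or annotate it, e.g. `// NOTE: XMLParseNoEnt enables entity expansion (XXE risk); not needed for the XPath case`, so the pattern is not copied as a safe example. The new `//go:generate depstubber` line only stubs `Parser`, `New` and `XMLParseNoEnt`, so retargeting to the `xpath` package will also need its stubs generated.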

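--- a/go/ql/test/query-tests/Security/CWE-643/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-643/vendor/modules.txt
@@ -19,6 +19,39 @@ github.com/go-xmlpath/xmlpath
 # github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
 ## explicit
 github.com/jbowtie/gokogiri
+# github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
+## explicit
+github.com/lestrrat-go/libxml2
 # github.com/santhosh-tekuri/xpathparser v1.0.0
 ## explicit
 github.com/santhosh-tekuri/xpathparser
+# github.com/davecgh/go-spew v1.1.1
+## explicit
+github.com/davecgh/go-spew
+# github.com/pkg/errors v0.9.1
+## explicit
+github.com/pkg/errors
+# github.com/pmezard/go-difflib v1.0.0
+## explicit
+github.com/pmezard/go-difflib
+# github.com/stretchr/objx v0.5.0
+## explicit
+github.com/stretchr/objx
+# github.com/stretchr/testify v1.8.4
+## explicit
+github.com/stretchr/testify
+# gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
+## explicit
+gopkg.in/check.v1
+# gopkg.in/xmlpath.v1 v1.0.0-20140413065638-a146725ea6e7
+## explicit
+gopkg.in/xmlpath.v1
+# gopkg.in/yaml.v3 v3.0.1
+## explicit
+gopkg.in/yaml.v3
+# launchpad.net/gocheck v0.0.0-20140225173054-000000000087
+## explicit
+launchpad.net/gocheck
+# launchpad.net/xmlpath v0.0.0-20130614043138-000000000004
+## explicit
+launchpad.net/xmlpath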