Apply .getALocalSource() and fix xmltodict's vulnerable predicate

jorgectf · jorgectf · commit 01ad25f3f067 · 2022-02-08T17:51:09.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -163,12 +163,16 @@ private module Xml {
     override DataFlow::Node getAnInput() { none() }
 
     override predicate vulnerable(string kind) {
-      kind = "XXE" and not this.getArgByName("resolve_entities").asExpr() = any(False f)
+      kind = "XXE" and
+      not (
+        exists(this.getArgByName("resolve_entities")) or
+        this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)
+      )
       or
       kind = ["Billion Laughs", "Quadratic Blowup"] and
       (
-        this.getArgByName("huge_tree").asExpr() = any(True t) and
-        not this.getArgByName("resolve_entities").asExpr() = any(False f)
+        this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t) and
+        not this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)
       )
     }
   }
@@ -231,7 +235,7 @@ private module Xml {
 
     override predicate vulnerable(string kind) {
       kind = ["Billion Laughs", "Quadratic Blowup"] and
-      this.getAMethodCall("disable_entities").asExpr() = any(False f)
+      this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -163,12 +163,16 @@ private module Xml {`
`163`	`163`	`override DataFlow::Node getAnInput() { none() }`
`164`	`164`
`165`	`165`	`override predicate vulnerable(string kind) {`
`166`		`- kind = "XXE" and not this.getArgByName("resolve_entities").asExpr() = any(False f)`
	`166`	`+ kind = "XXE" and`
	`167`	`+ not (`
	`168`	`+ exists(this.getArgByName("resolve_entities")) or`
	`169`	`+ this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)`
	`170`	`+ )`
`167`	`171`	`or`
`168`	`172`	`kind = ["Billion Laughs", "Quadratic Blowup"] and`
`169`	`173`	`(`
`170`		`- this.getArgByName("huge_tree").asExpr() = any(True t) and`
`171`		`- not this.getArgByName("resolve_entities").asExpr() = any(False f)`
	`174`	`+ this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t) and`
	`175`	`+ not this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)`
`172`	`176`	`)`
`173`	`177`	`}`
`174`	`178`	`}`
`@@ -231,7 +235,7 @@ private module Xml {`
`231`	`235`
`232`	`236`	`override predicate vulnerable(string kind) {`
`233`	`237`	`kind = ["Billion Laughs", "Quadratic Blowup"] and`
`234`		`- this.getAMethodCall("disable_entities").asExpr() = any(False f)`
	`238`	`+ this.getArgByName("disable_entities").getALocalSource().asExpr() = any(False f)`
`235`	`239`	`}`
`236`	`240`	`}`
`237`	`241`