Skip to content

XXE: Changes for review #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 44 commits into from
Mar 4, 2022
Merged

XXE: Changes for review #9

merged 44 commits into from
Mar 4, 2022

Conversation

RasmusWL
Copy link

@RasmusWL RasmusWL commented Mar 3, 2022

Update for github#6112

It turned out quite long... but also involved me writing some tests for what the actual behaviors of the parsing frameworks were.

I kept up with looking at the .expected file for quite a long time, too long I would say, but rewriting the tests to NOT use these (and instead inline expectations) was probably the best decision for this rewrite. I think I did this to try and keep your work as intact as possible... but in the end I think I had to break that.

This IS quite a mouthful. I think there are interesting things for you to learn from this, but I can also understand that it could take some time for you to process this. If you have not had time to review this within 1 week, I think I will just merge your PR, and apply this commits on top, so we can get your good work closer to being part of the default query suite (unless you object to this 1 week).

RasmusWL and others added 30 commits March 2, 2022 14:24
@RasmusWL
Python: Rewrite sax XML tests
500e0ac 
The tests for type-trackers were not that interesting, since they did
not have XML input in both cases, which is the problem we were trying
hard to solve.

I did keep the test-case of not-user-supplied url alive as well though
:+1:

I added OK/NOT OK annotations.

Notice that we report all 4 kinds of vulnerabilities on line 93
@RasmusWL
Python: XML: Expose vuln kind on sink
ee23c05
@RasmusWL
Python: Add XMLVulnerabilityKind
aaf55b2 
This gives some freedom in changing the name presented, and not worrying about whether you have made a typo that makes everything break :|
@RasmusWL
Python: Improve QLDoc for XML parsing/parsers
16e482b
@RasmusWL
Python: Only produce one alert per vulnerable XML sink
6dd776b 
This made it much easier to debug the current alerts on tests at least.

Notice that it's important that we have `strictconcat` and not just
`concat`, since `concat` will also allow flow to sinks that are not
vulnerable to any kind of XML vulnerability :|
@RasmusWL
Python: rewrite xml sax modeling
7f7758b
@RasmusWL
Python: Add lxml positive test
515b824
@RasmusWL
Python: Better handling of resolve_entities arg in lxml
661d8bf
@RasmusWL
Python: Add PoC for XML vulns
52891cb
@RasmusWL
Python: Model lxml.etree.get_default_parser in own class
3c321dd
@RasmusWL
Python: Expand lxml tests
124c03c 
And add annotations, see PoC.py for reference

Some of these needs fixing though
@RasmusWL
Python: Properly handle huge_tree in lxml
e295399
@RasmusWL
Python: Handle DTD retrieval vuln in lxml
703e3e8
@RasmusWL
Python: Properly model xml.etree
6129193
@RasmusWL
Python: Annotate xmltodict tests
3affa6c
@RasmusWL
Python: Expand XML PoC with minidom/pulldom/expat
c4d08db
@RasmusWL
Python: Annotate xml.dom tests
5a65248
@RasmusWL
Python: Fix vuln detection for xml.minidom with parser arg
9406a97
@RasmusWL
Python: Add separate query for SimpleXMLRPCServer
7cda901 
This was a rough quick-n-dirty query, and should get some qhelp as well at some point.
@RasmusWL
Python: Rename xml.sax test for consistency
4b03f5c
@RasmusWL
Python: Use concept tests for XML Parsing
faebaee 
I was loosing my mind from looking through those .expected files

Just going to take it one file at time, to make reviewing easier
@RasmusWL
Python: Port xml.dom tests
a7134ca
@RasmusWL
Python: Port xml.etree tests
5fb4c4d
@RasmusWL
Python: Port xml.sax tests
0b12d91
@RasmusWL
Python: Port xmltodict tests
c739ae4
@RasmusWL
Python: Move XML PoC to new test dir
2451123
@RasmusWL
Python: Handle more functions and kw-args
3278793
@RasmusWL
Python: Update XmlEntityInjection.expected
f72f673 
I had forgotten about this, but better late than never... also added a
small representative test
@RasmusWL
Python: Support feed method of lxml/xml.etree Parsers
33ebcdf
@RasmusWL
Python: Add test for XMLPullParser
46238d5 
But handling this in a nice way will require some restructuring
@github-actions github-actions bot added the Python label Mar 3, 2022
@jorgectf
Copy link
Owner

jorgectf commented Mar 4, 2022
edited
Loading

Outstanding rewrite 🤯. I've commited some qldocs' typos and made a very little polishing.

I think there are interesting things for you to learn from this

This PR is gold! I've made some notes on stuff to give a deeper look soon. Really liked the commit messages' explanations :)

Thank you! 😊

(I should have made a review instead of throwing simple comments 😳)

@jorgectf jorgectf self-assigned this Mar 4, 2022
@RasmusWL RasmusWL requested a review from jorgectf March 4, 2022 13:46
@jorgectf jorgectf merged commit 5552834 into jorgectf:jorgectf/python/deserialization Mar 4, 2022
@RasmusWL RasmusWL deleted the WIP branch March 4, 2022 16:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jorgectf jorgectf Awaiting requested review from jorgectf

Assignees

@jorgectf jorgectf

Labels
Python
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@RasmusWL @jorgectf