Merge pull request #15181 from felickz/go-xxe-libxml2

owen-mc · web-flow · commit 19c5d1fd1dff · 2023-12-24T22:04:46.000Z
GO - Add sink for libxml2 in go/xml/xpath-injection via XPath.qll
diff --git a/go/ql/lib/change-notes/2023-12-22-minor-analysis-xpath-libxml2.md b/go/ql/lib/change-notes/2023-12-22-minor-analysis-xpath-libxml2.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.
diff --git a/go/ql/lib/semmle/go/frameworks/XPath.qll b/go/ql/lib/semmle/go/frameworks/XPath.qll
@@ -142,6 +142,19 @@ module XPath {
       }
     }
 
+    /**
+     * An XPath expression string used in an API function of the
+     * [lestrrat-go/libxml2](https://github.com/lestrrat-go/libxml2) package.
+     */
+    private class LestratGoLibxml2XPathExpressionString extends Range {
+      LestratGoLibxml2XPathExpressionString() {
+        exists(Method m, string name | name.matches("Parse%") |
+          m.hasQualifiedName(package("github.com/lestrrat-go/libxml2", "parser"), "Parser", name) and
+          this = m.getACall().getArgument(0)
+        )
+      }
+    }
+
     /**
      * An XPath expression string used in an API function of the
      * [xpathparser](https://github.com/santhosh-tekuri/xpathparser) package.
diff --git a/go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected b/go/ql/test/query-tests/Security/CWE-643/XPathInjection.expected
diff --git a/go/ql/test/query-tests/Security/CWE-643/go.mod b/go/ql/test/query-tests/Security/CWE-643/go.mod
@@ -1,6 +1,6 @@
 module main
 
-go 1.14
+go 1.21
 
 require (
 	github.com/ChrisTrenkamp/goxpath v0.0.0-20190607011252-c5096ec8773d
@@ -10,5 +10,19 @@ require (
 	github.com/antchfx/xpath v1.1.5
 	github.com/go-xmlpath/xmlpath v0.0.0-20150820204837-860cbeca3ebc
 	github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
+	github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
 	github.com/santhosh-tekuri/xpathparser v1.0.0
 )
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/testify v1.8.4 // indirect
+	gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 // indirect
+	gopkg.in/xmlpath.v1 v1.0.0-20140413065638-a146725ea6e7 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	launchpad.net/gocheck v0.0.0-20140225173054-000000000087 // indirect
+	launchpad.net/xmlpath v0.0.0-20130614043138-000000000004 // indirect
+)
diff --git a/go/ql/test/query-tests/Security/CWE-643/tst.go b/go/ql/test/query-tests/Security/CWE-643/tst.go
@@ -10,6 +10,7 @@ package main
 //go:generate depstubber -vendor github.com/jbowtie/gokogiri/xml Node
 //go:generate depstubber -vendor github.com/jbowtie/gokogiri/xpath "" Compile
 //go:generate depstubber -vendor github.com/santhosh-tekuri/xpathparser "" Parse,MustParse
+//go:generate depstubber -vendor github.com/lestrrat-go/libxml2/parser Parser New,XMLParseNoEnt
 
 import (
 	"net/http"
@@ -22,6 +23,7 @@ import (
 	"github.com/go-xmlpath/xmlpath"
 	gokogiriXml "github.com/jbowtie/gokogiri/xml"
 	gokogiriXpath "github.com/jbowtie/gokogiri/xpath"
+	"github.com/lestrrat-go/libxml2/parser"
 	"github.com/santhosh-tekuri/xpathparser"
 )
 
@@ -185,3 +187,13 @@ func testJbowtieGokogiri(r *http.Request, n gokogiriXml.Node) {
 	// OK: This is not flagged, since the creation of `xpath` is already flagged.
 	_ = n.EvalXPathAsBoolean(xpath, nil)
 }
+
+func testLestratGoLibxml2(r *http.Request) {
+	r.ParseForm()
+	username := r.Form.Get("username")
+
+	p := parser.New(parser.XMLParseNoEnt)
+
+	// BAD: User input used directly in an XPath expression
+	_, _ = p.ParseString("//users/user[login/text()='" + username + "']/home_dir/text()")
+}
diff --git a/go/ql/test/query-tests/Security/CWE-643/vendor/github.com/lestrrat-go/libxml2/parser/stub.go b/go/ql/test/query-tests/Security/CWE-643/vendor/github.com/lestrrat-go/libxml2/parser/stub.go
diff --git a/go/ql/test/query-tests/Security/CWE-643/vendor/modules.txt b/go/ql/test/query-tests/Security/CWE-643/vendor/modules.txt
@@ -19,6 +19,39 @@ github.com/go-xmlpath/xmlpath
 # github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
 ## explicit
 github.com/jbowtie/gokogiri
+# github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
+## explicit
+github.com/lestrrat-go/libxml2
 # github.com/santhosh-tekuri/xpathparser v1.0.0
 ## explicit
 github.com/santhosh-tekuri/xpathparser
+# github.com/davecgh/go-spew v1.1.1
+## explicit
+github.com/davecgh/go-spew
+# github.com/pkg/errors v0.9.1
+## explicit
+github.com/pkg/errors
+# github.com/pmezard/go-difflib v1.0.0
+## explicit
+github.com/pmezard/go-difflib
+# github.com/stretchr/objx v0.5.0
+## explicit
+github.com/stretchr/objx
+# github.com/stretchr/testify v1.8.4
+## explicit
+github.com/stretchr/testify
+# gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405
+## explicit
+gopkg.in/check.v1
+# gopkg.in/xmlpath.v1 v1.0.0-20140413065638-a146725ea6e7
+## explicit
+gopkg.in/xmlpath.v1
+# gopkg.in/yaml.v3 v3.0.1
+## explicit
+gopkg.in/yaml.v3
+# launchpad.net/gocheck v0.0.0-20140225173054-000000000087
+## explicit
+launchpad.net/gocheck
+# launchpad.net/xmlpath v0.0.0-20130614043138-000000000004
+## explicit
+launchpad.net/xmlpath

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The XPath library, which is used for the XPath injection query (`go/xml/xpath-injection`), now includes support for `Parser` sinks from the [libxml2](https://github.com/lestrrat-go/libxml2) package.