Skip to content

JS: Improve XMLParsers #5675

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
codeql-ci merged 1 commit into from
Apr 14, 2021
Merged

JS: Improve XMLParsers #5675

codeql-ci merged 1 commit into from
Apr 14, 2021

Conversation

@erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Apr 14, 2021
edited
Loading

Inspired by CVE-2020-7750

I've refactored the libraries to use API::Node more, and added models for the return values from more XML-parsing libraries.

A simple evaluation looks OK.

@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Apr 14, 2021
@github-actions github-actions bot added the JS label Apr 14, 2021
@erik-krogh erik-krogh marked this pull request as ready for review April 14, 2021 16:11
@erik-krogh erik-krogh requested a review from a team as a code owner April 14, 2021 16:11
esbena
esbena approved these changes Apr 14, 2021
View reviewed changes
Copy link
Contributor

@esbena esbena left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.
Some minor thoughts about potential FPs in a test case.

javascript/ql/test/library-tests/TaintTracking/xml.js
sink(child.attr('foo').value()); // NOT OK

var child2 = xmlDoc.root().child()
sink(child2.attr('foo').name()); // NOT OK
Copy link
Contributor

@esbena esbena Apr 14, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm. This is equivalent to sink("foo"), which is safe.. But it is probably OK for us to get a FP in this silly case: why would you ever do .attr(x).name()?

A less silly variant, of this is attr.name() for a document that has been checked with a schema. But that is probably extremely rare in practice.

Copy link
Contributor Author

@erik-krogh erik-krogh Apr 14, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, the example is silly, nicely spotted.
I think it's fine to keep anyway. The .name() method generally returns tainted values.

@codeql-ci codeql-ci merged commit 4be183c into github:main Apr 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@esbena esbena esbena approved these changes

Assignees

No one assigned

Labels

JS no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erik-krogh @esbena @codeql-ci