
Commit 24dc631

Java: Fix false positive in XXE query
1 parent 2fd5d26 commit 24dc631


3 files changed

+5
-3
lines changed


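--- a/java/ql/src/semmle/code/java/security/XmlParsers.qll
+++ b/java/ql/src/semmle/code/java/security/XmlParsers.qll
@@ -481,6 +481,10 @@ class SAXParserFactoryConfig extends ParserConfig {
 class SafeSAXParserFactory extends VarAccess {
 SafeSAXParserFactory() {
 exists(Variable v | v = this.getVariable() |
+exists(SAXParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
+config.enables(singleSafeConfig())
+)
+or
 exists(SAXParserFactoryConfig config | config.getQualifier() = v.getAnAccess() |
 config
 .disables(any(ConstantStringExpr s |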
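Review bot: The added disjunct makes every access of `v` a `SafeSAXParserFactory` as soon as any `SAXParserFactoryConfig` whose qualifier is some access of the same variable enables `singleSafeConfig()`, with no constraint that the enabling call precedes the `newSAXParser()` call or lies on the same path; the existing `disables(...)` disjunct below it is equally flow-insensitive, so the new branch is consistent with it, but that contract is not written down anywhere in the hunk. I would state it in QLDoc on the class, e.g. `/** An access to a SAXParserFactory variable on which a safe configuration has been set somewhere in scope; the check is flow-insensitive, so the setFeature call need not precede the parse. */`. What `singleSafeConfig()` resolves to is defined outside this hunk, and the characteristic predicate continues past the hunk's last line, so whether the two disjuncts share a closing structure cannot be confirmed from here.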

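--- a/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java
+++ b/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java
@@ -78,6 +78,6 @@ public void safeParser2(Socket sock) throws Exception {
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 SAXParser parser = factory.newSAXParser();
-parser.parse(sock.getInputStream(), new DefaultHandler()); //safe [FP]
+parser.parse(sock.getInputStream(), new DefaultHandler()); //safe
 }
 }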

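--- a/java/ql/test/query-tests/security/CWE-611/XXE.expected
+++ b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -71,7 +71,6 @@ nodes
 | SAXParserTests.java:55:18:55:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXParserTests.java:64:18:64:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXParserTests.java:73:18:73:38 | getInputStream(...) | semmle.label | getInputStream(...) |
-| SAXParserTests.java:81:18:81:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | semmle.label | getInputStream(...) |
@@ -214,7 +213,6 @@ nodes
 | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user input |
 | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user input |
 | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user input |
-| SAXParserTests.java:81:18:81:38 | getInputStream(...) | SAXParserTests.java:81:18:81:38 | getInputStream(...) | SAXParserTests.java:81:18:81:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:81:18:81:38 | getInputStream(...) | user input |
 | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user input |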
