Removed libxmljs from being marked as sink for xml-bomb.

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/XmlParsers.qll

@@ -50,8 +50,7 @@ module XML {
 
     override predicate resolvesEntities(EntityKind kind) {
       // internal entities are always resolved
-      kind = InternalEntity()
-      or
+      not kind = InternalEntity() and
       // other entities are only resolved if the configuration option `noent` is set to `true`
       exists(JS::Expr noent |
         this.hasOptionArgument(1, "noent", noent) and
@@ -126,8 +125,9 @@ module XML {
     override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
     override predicate resolvesEntities(EntityKind kind) {
-      // entities are resolved by default
-      any()
+      // SAX parsers in libxmljs also inherit libxml2's protection against XML bombs
+      kind = ExternalEntity(_) or
+      kind = ParameterEntity(true)
     }
 
     override DataFlow::Node getAResult() {
@@ -149,8 +149,9 @@ module XML {
     override JS::Expr getSourceArgument() { result = this.getArgument(0) }
 
     override predicate resolvesEntities(EntityKind kind) {
-      // entities are resolved by default
-      any()
+      // SAX push parsers in libxmljs also inherit libxml2's protection against XML bombs
+      kind = ExternalEntity(_) or
+      kind = ParameterEntity(true)
     }
 
     override DataFlow::Node getAResult() {

javascript/ql/test/query-tests/Security/CWE-776/XmlBomb.expected

@@ -5,10 +5,6 @@
 | domparser.js:11:57:11:59 | src | domparser.js:2:13:2:36 | documen ... .search | domparser.js:11:57:11:59 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | domparser.js:2:13:2:36 | documen ... .search | user-provided value |
 | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | expat.js:6:16:6:36 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | expat.js:6:16:6:36 | req.par ... e-xml") | user-provided value |
 | jquery.js:4:14:4:16 | src | jquery.js:2:13:2:36 | documen ... .search | jquery.js:4:14:4:16 | src | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | jquery.js:2:13:2:36 | documen ... .search | user-provided value |
-| libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | libxml.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
-| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.noent.js:5:21:5:41 | req.par ... e-xml") | user-provided value |
-| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
-| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | XML parsing depends on a $@ without guarding against uncontrolled entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
 edges
 | closure.js:2:7:2:36 | src | closure.js:3:24:3:26 | src | provenance |  |
 | closure.js:2:13:2:36 | documen ... .search | closure.js:2:7:2:36 | src | provenance |  |
@@ -31,8 +27,4 @@ nodes
 | jquery.js:2:7:2:36 | src | semmle.label | src |
 | jquery.js:2:13:2:36 | documen ... .search | semmle.label | documen ... .search |
 | jquery.js:4:14:4:16 | src | semmle.label | src |
-| libxml.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.noent.js:5:21:5:41 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.sax.js:6:22:6:42 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
-| libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | semmle.label | req.par ... e-xml") |
 subpaths

javascript/ql/test/query-tests/Security/CWE-776/libxml.js

@@ -2,5 +2,5 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-  libxmljs.parseXml(req.param("some-xml")); // $ Alert - libxml expands internal general entities by default
+  libxmljs.parseXml(req.param("some-xml"));
 });

javascript/ql/test/query-tests/Security/CWE-776/libxml.noent.js

@@ -2,5 +2,5 @@ const express = require('express');
 const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
-  libxmljs.parseXml(req.param("some-xml"), { noent: true }); // $ Alert - unguarded entity expansion
+  libxmljs.parseXml(req.param("some-xml"), { noent: true });
 });

javascript/ql/test/query-tests/Security/CWE-776/libxml.sax.js

@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
   const parser = new libxmljs.SaxParser();
-  parser.parseString(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
+  parser.parseString(req.param("some-xml"));
 });

javascript/ql/test/query-tests/Security/CWE-776/libxml.saxpush.js

@@ -3,5 +3,5 @@ const libxmljs = require('libxmljs');
 
 express().get('/some/path', function(req) {
   const parser = new libxmljs.SaxPushParser();
-  parser.push(req.param("some-xml")); // $ Alert - the SAX parser expands external entities by default
+  parser.push(req.param("some-xml"));
 });