Merge pull request diffblue#563 from diffblue/add_test_xxe02

SEC-633: Added XXE regression test which uses XXE models library.

Author: marek-trtik

regression/end_to_end/xxe02/build.xml

@@ -0,0 +1,17 @@
+<project name="Main" basedir="." default="compile">
+
+  <property name="root.dir"      value="./"/>
+  <property name="src.dir"       value="${root.dir}/src"/>
+  <property name="classes.dir"   value="${root.dir}/build"/>
+
+  <target name="compile">
+    <antcall target="clean" />
+    <mkdir dir="${classes.dir}"/>
+    <javac srcdir="${src.dir}" destdir="${classes.dir}" includeantruntime="false" debug="on" />
+  </target>
+
+  <target name="clean">
+    <delete dir="${classes.dir}"/>
+  </target>
+
+</project>

regression/end_to_end/xxe02/rules.json

@@ -0,0 +1,52 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Obtaining tainted XML text.",
+        "class": "xxe02.Main",
+        "method": "make_tainted:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted XML text"
+        }
+      },
+      {
+        "comment": "Obtaining tainted string reader from tainted XML text.",
+        "class": "java.io.StringReader",
+        "method": "<init>:(Ljava/lang/String;)V",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted XML text"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted reader"
+        }
+      },
+      {
+        "comment": "Obtaining XML stream reader with external entities enabled for tainted XML text.",
+        "class": "javax.xml.stream.DIFFBLUEXMLInputFactory",
+        "method": "createXXEVulnerableXMLStreamReader:(Ljava/io/Reader;)Ljavax/xml/stream/XMLStreamReader;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted reader"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Reader of tainted XML with external entities enabled"
+        }
+      },
+      {
+        "comment": "Unmarshalling an object by reading tainted XML document with external entities enabled.",
+        "class": "xxe02.Unmarshaller",
+        "method": "unmarshal:(Ljavax/xml/stream/XMLStreamReader;)Ljava/lang/Object;",
+        "sinkTarget": {
+          "location": "arg1",
+          "vulnerability": "Reader of tainted XML with external entities enabled"
+        },
+        "message": "Unmarshalling an object by reading tainted XML document with external entities enabled."
+      }
+    ]
+}
+

regression/end_to_end/xxe02/src/JAXBContext.java

@@ -0,0 +1,13 @@
+package xxe02;
+
+
+class JAXBContext {
+    public static JAXBContext newInstance(String s) {
+        return new JAXBContext();
+    }
+    
+    public Unmarshaller createUnmarshaller() {
+        return new Unmarshaller();
+    }
+}
+

regression/end_to_end/xxe02/src/Main.java

@@ -0,0 +1,51 @@
+package xxe02;
+import java.io.StringReader;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+
+
+public class Main {
+
+    private static String make_tainted(String s) {
+        return s;
+    }
+
+    public static void no_xxe_issue(String input) {
+        String xml_from_attacker = make_tainted(input);
+
+        try {
+            JAXBContext jc = JAXBContext.newInstance("xxe02.MyClass");
+            XMLInputFactory xif = XMLInputFactory.newFactory();
+            xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml_from_attacker));
+            Unmarshaller unmarshaller = jc.createUnmarshaller();
+            MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+        } catch (Exception e) {
+        }
+    }
+
+    public static void xxe_issue(String input) {
+        String xml_from_attacker = make_tainted(input);
+
+        try {
+            JAXBContext jc = JAXBContext.newInstance("xxe02.MyClass");
+            XMLInputFactory xif = XMLInputFactory.newFactory();
+            xif.setProperty("javax.xml.stream.isSupportingExternalEntities", true);
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml_from_attacker));
+            Unmarshaller unmarshaller = jc.createUnmarshaller();
+            MyClass myClass = (MyClass)unmarshaller.unmarshal(xsr);
+        } catch (Exception e) {
+        }
+    }
+
+    public static void main(String[] args) {
+        if (args.length < 1)
+            return;
+
+        String xml_from_attacker = make_tainted(args[0]);
+
+        no_xxe_issue(xml_from_attacker);
+        xxe_issue(xml_from_attacker);
+    }
+}
+

regression/end_to_end/xxe02/src/MyClass.java

@@ -0,0 +1,7 @@
+package xxe02;
+
+
+// This is user's class to be unmarshaled from XML data.
+class MyClass {
+}
+

regression/end_to_end/xxe02/src/Unmarshaller.java

@@ -0,0 +1,9 @@
+package xxe02;
+
+
+class Unmarshaller {
+    public Object unmarshal(javax.xml.stream.XMLStreamReader xsr) {
+        return new MyClass();
+    }
+}
+

regression/end_to_end/xxe02/test_xxe02.py

@@ -0,0 +1,39 @@
+import fasteners
+import os
+import subprocess
+import pytest
+
+from regression.end_to_end.driver import run_security_analyser_pipeline
+import regression.utils as utils
+
+
+@pytest.mark.xfail(strict=True)
+@fasteners.interprocess_locked(os.path.join(os.path.dirname(__file__), ".build_lock"))
+def test_xxe02_no_xxe_issue(load_strategy):
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call(["ant"])
+    with run_security_analyser_pipeline(
+            "build",
+            "rules.json",
+            os.path.realpath(os.path.dirname(__file__)),
+            "xxe02.Main.no_xxe_issue",
+            load_strategy,
+            extra_args=["--use-xxe-models-library"]) as traces:
+        assert traces.count_traces() == 0
+
+
+@fasteners.interprocess_locked(os.path.join(os.path.dirname(__file__), ".build_lock"))
+def test_xxe02_xxe_issue(load_strategy):
+    with utils.working_dir(os.path.abspath(os.path.dirname(__file__))):
+        subprocess.call(["ant"])
+    with run_security_analyser_pipeline(
+            "build",
+            "rules.json",
+            os.path.realpath(os.path.dirname(__file__)),
+            "xxe02.Main.xxe_issue",
+            load_strategy,
+            extra_args=["--use-xxe-models-library"]) as traces:
+        assert traces.count_traces() == 1
+        assert traces.trace_exists(
+            "java::xxe02.Main.xxe_issue:(Ljava/lang/String;)V", 36)
+