| 1 | +id: libxml2-audit-parser-cpp |
| 2 | +language: Cpp |
| 3 | +severity: info |
| 4 | +message: >- |
| 5 | + The libxml2 library is used to parse XML. When auditing such code, make |
| 6 | + sure that either the document being parsed is trusted or that the parsing |
| 7 | + options are safe to consume untrusted documents. In such case make sure |
| 8 | + DTD or XInclude documents cannot be loaded and there is no network access. |
| 9 | +note: >- |
| 10 | + [CWE-611] Improper Restriction of XML External Entity Reference. |
| 11 | + [REFERENCES] |
| 12 | + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration |
| 13 | +rule: |
| 14 | + any: |
| 15 | + - pattern: xmlParseInNodeContext($CUR, $SRC, $DATALEN, $XML_OPTIONS, $LST) |
| 16 | + - pattern: xmlReadDoc($CUR, $SRC, $ENC, $XML_OPTIONS) |
| 17 | + - pattern: xmlReadFd($FD, $SRC, $ENC, $XML_OPTIONS) |
| 18 | + - pattern: xmlReadFile($SRC, $ENC, $XML_OPTIONS) |
| 19 | + - pattern: xmlReadIO($IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC, $XML_OPTIONS) |
| 20 | + - pattern: xmlReadMemory($SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) |
| 21 | + - pattern: xmlCtxtReadDoc($CTX, $CUR, $SRC, $ENC, $XML_OPTIONS) |
| 22 | + - pattern: xmlCtxtReadFd($CTX, $FD, $SRC, $ENC, $XML_OPTIONS) |
| 23 | + - pattern: xmlCtxtReadFile($CTX, $SRC, $ENC, $XML_OPTIONS) |
| 24 | + - pattern: xmlCtxtReadIO($CTX, $IO_READ, $IO_CLOSE, $IO_CTX, $SRC, $ENC,$XML_OPTIONS) |
| 25 | + - pattern: xmlCtxtReadMemory($CTX, $SRC, $SIZE, $URL, $ENC, $XML_OPTIONS) |
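Review bot: none of the patterns constrain $XML_OPTIONS, so the rule fires identically on a hardened call (options that omit XML_PARSE_NOENT, XML_PARSE_DTDLOAD, XML_PARSE_DTDATTR and XML_PARSE_XINCLUDE and include XML_PARSE_NONET) and on an unsafe one; that is acceptable for an `info` audit rule, but the message then should name those flags explicitly instead of "DTD or XInclude documents cannot be loaded and there is no network access", so the auditor knows exactly what to look for in the matched argument, and it should warn that for the xmlCtxtRead* variants the effective options may have been set earlier on $CTX via xmlCtxtUseOptions(), where these patterns will not see them. Coverage is also incomplete for the same input surface: the legacy xmlParseDoc/xmlParseMemory/xmlParseFile entry points, the push parser (xmlCreatePushParserCtxt + xmlParseChunk), the SAX entry points (xmlSAXUserParseMemory/xmlSAXUserParseFile) and the xmlReader API (xmlReaderForMemory/xmlReaderForFile) all consume possibly untrusted documents and are not listed; either add them or say in the note that the rule only targets the xmlRead*/xmlCtxtRead* family. Style nit: the xmlCtxtReadIO pattern has `$ENC,$XML_OPTIONS` without the space the other patterns use.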