SONARPY-1726 Create rule S6377 XML signatures should be validated securely (#199)

GitOrigin-RevId: 54594a66480dbe7e997ff38b126db64553c27aaf

Author: ghislainpiot

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -70,6 +70,7 @@
 import org.sonar.python.checks.hotspots.StrongCryptographicKeysCheck;
 import org.sonar.python.checks.hotspots.UnsafeHttpMethodsCheck;
 import org.sonar.python.checks.hotspots.UnverifiedHostnameCheck;
+import org.sonar.python.checks.hotspots.XMLSignatureValidationCheck;
 import org.sonar.python.checks.regex.AnchorPrecedenceCheck;
 import org.sonar.python.checks.regex.DuplicatesInCharacterClassCheck;
 import org.sonar.python.checks.regex.EmptyAlternativeCheck;
@@ -407,6 +408,7 @@ public Stream<Class<?>> getChecks() {
       WildcardImportCheck.class,
       WrongAssignmentOperatorCheck.class,
       XMLParserXXEVulnerableCheck.class,
+      XMLSignatureValidationCheck.class,
       DjangoModelFormFieldsCheck.class,
       DjangoReceiverDecoratorCheck.class,
       DjangoModelStringFieldCheck.class,

python-checks/src/main/java/org/sonar/python/checks/hotspots/CommonValidationUtils.java

@@ -24,6 +24,7 @@
 import org.sonar.plugins.python.api.tree.Name;
 import org.sonar.plugins.python.api.tree.NumericLiteral;
 import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.StringLiteral;
 import org.sonar.plugins.python.api.tree.Tree;
 import org.sonar.python.checks.utils.Expressions;
 import org.sonar.python.tree.TreeUtils;
@@ -70,6 +71,15 @@ static boolean isEqualTo(Expression expression, int number) {
     }
   }
 
+  static String singleAssignedString(Expression expression) {
+    if (expression instanceof Name name) {
+      return Expressions.singleAssignedNonNameValue(name)
+        .map(CommonValidationUtils::singleAssignedString)
+        .orElse("");
+    }
+    return expression.is(Tree.Kind.STRING_LITERAL) ? ((StringLiteral) expression).trimmedQuotesValue() : "";
+  }
+
   interface CallValidator {
     void validate(SubscriptionContext ctx, CallExpression callExpression);
   }

python-checks/src/main/java/org/sonar/python/checks/hotspots/FastHashingOrPlainTextCheck.java

@@ -39,7 +39,6 @@
 import org.sonar.plugins.python.api.types.v2.TriBool;
 import org.sonar.python.checks.hotspots.CommonValidationUtils.ArgumentValidator;
 import org.sonar.python.checks.hotspots.CommonValidationUtils.CallValidator;
-import org.sonar.python.checks.utils.Expressions;
 import org.sonar.python.tree.TreeUtils;
 import org.sonar.python.types.v2.TypeCheckBuilder;
 import org.sonar.python.types.v2.TypeCheckMap;
@@ -310,7 +309,7 @@ private static boolean subscriptionIsFlaskBcryptConfig(Expression expression, Ty
     var subscriptMatch = subscription.subscripts().expressions()
       .stream()
       .findFirst()
-      .filter(expr -> "BCRYPT_LOG_ROUNDS".equals(singleAssignedString(expr)));
+      .filter(expr -> "BCRYPT_LOG_ROUNDS".equals(CommonValidationUtils.singleAssignedString(expr)));
     return subscriptMatch.isPresent();
   }
 
@@ -350,15 +349,6 @@ private void checkCallExpr(SubscriptionContext subscriptionContext) {
     }
   }
 
-  private static String singleAssignedString(Expression expression) {
-    if (expression.is(Tree.Kind.NAME)) {
-      return Expressions.singleAssignedNonNameValue(((Name) expression))
-        .map(FastHashingOrPlainTextCheck::singleAssignedString)
-        .orElse("");
-    }
-    return expression.is(Tree.Kind.STRING_LITERAL) ? ((StringLiteral) expression).trimmedQuotesValue() : "";
-  }
-
   record PBKDF2Validator(
     int algoPosition,
     String algoKeyword,
@@ -371,7 +361,7 @@ public void validate(SubscriptionContext ctx, CallExpression callExpression) {
         nthArgumentOrKeywordOptional(algoPosition, algoKeyword, callExpression.arguments());
       var algoString = algoArgument
         .map(RegularArgument::expression)
-        .map(FastHashingOrPlainTextCheck::singleAssignedString)
+        .map(CommonValidationUtils::singleAssignedString)
         .orElse("");
       if (!PBKDF2_ALGOS.contains(algoString)) {
         return;

python-checks/src/main/java/org/sonar/python/checks/hotspots/XMLSignatureValidationCheck.java

@@ -0,0 +1,207 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.hotspots;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.DictionaryLiteral;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.ExpressionList;
+import org.sonar.plugins.python.api.tree.KeyValuePair;
+import org.sonar.plugins.python.api.tree.ListLiteral;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.plugins.python.api.tree.UnpackingExpression;
+import org.sonar.plugins.python.api.types.v2.TriBool;
+import org.sonar.python.checks.utils.Expressions;
+import org.sonar.python.tree.TreeUtils;
+import org.sonar.python.types.v2.TypeCheckBuilder;
+import org.sonar.python.types.v2.TypeCheckMap;
+
+import static org.sonar.python.checks.hotspots.CommonValidationUtils.singleAssignedString;
+
+@Rule(key = "S6377")
+public class XMLSignatureValidationCheck extends PythonSubscriptionCheck {
+
+  private static final List<String> VERIFY_REQUIRED_ONE_OF = List.of(
+    "x509_cert",
+    "cert_subject_name",
+    "cert_resolver",
+    "ca_pem_file",
+    "ca_path",
+    "hmac_key"
+  );
+  private static final String MESSAGE = "Change this code to only accept signatures computed from a trusted party.";
+  private static final String MESSAGE_SECONDARY = "Unsafe parameter set here";
+
+  private TypeCheckBuilder xmlVerifierVerifyTypeChecker;
+  private TypeCheckBuilder dictTypeChecker;
+  private TypeCheckBuilder signatureConfigurationTypeChecker;
+  private TypeCheckMap<Boolean> signatureMethodTypeCheckMap;
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, this::registerTypeCheckers);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::checkCallExpr);
+  }
+
+  private void registerTypeCheckers(SubscriptionContext subscriptionContext) {
+    xmlVerifierVerifyTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("signxml.XMLVerifier");
+    dictTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithName("dict");
+    signatureConfigurationTypeChecker = subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("signxml.SignatureConfiguration");
+    signatureMethodTypeCheckMap = TypeCheckMap.ofEntries(
+      Map.entry(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("signxml.SignatureMethod.HMAC_SHA224"), true),
+      Map.entry(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("signxml.SignatureMethod.HMAC_SHA256"), true),
+      Map.entry(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("signxml.SignatureMethod.HMAC_SHA384"), true),
+      Map.entry(subscriptionContext.typeChecker().typeCheckBuilder().isTypeWithFqn("signxml.SignatureMethod.HMAC_SHA512"), true)
+    );
+  }
+
+  private void checkCallExpr(SubscriptionContext subscriptionContext) {
+    var callExpression = ((CallExpression) subscriptionContext.syntaxNode());
+    var qualifiedExprCallee = Optional.of(callExpression)
+      .map(CallExpression::callee)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(QualifiedExpression.class))
+      .orElse(null);
+    if (qualifiedExprCallee == null) {
+      return;
+    }
+    var ok = qualifiedExpressionIsVerifyCall(qualifiedExprCallee);
+    if (!ok) {
+      return;
+    }
+    Map<String, Tree> argToTree = new HashMap<>();
+    for (var arg : callExpression.arguments()) {
+      if (arg instanceof RegularArgument regularArgument) {
+        String argumentName = Optional.ofNullable(regularArgument.keywordArgument()).map(Name::name).orElse("");
+        argToTree.put(argumentName, regularArgument.expression());
+      } else {
+        var keys = TreeUtils.toOptionalInstanceOf(UnpackingExpression.class, arg)
+          .map(UnpackingExpression::expression)
+          .flatMap(TreeUtils.toOptionalInstanceOfMapper(Name.class))
+          .flatMap(Expressions::singleAssignedNonNameValue)
+          .map(this::keysInUnpacking)
+          .orElseGet(Map::of);
+        argToTree.putAll(keys);
+      }
+    }
+
+    if (Collections.disjoint(argToTree.keySet(), VERIFY_REQUIRED_ONE_OF)) {
+      subscriptionContext.addIssue(callExpression.callee(), MESSAGE);
+    }
+
+    var expectConfigValue = argToTree.get("expect_config");
+    if (expectConfigValue != null) {
+      checkExpectConfig(subscriptionContext, expectConfigValue, callExpression);
+    }
+  }
+
+  private void checkExpectConfig(SubscriptionContext subscriptionContext, Tree expectConfigValue, CallExpression verifyCallExpression) {
+    expectConfigValue = replaceBySingleAssigned(expectConfigValue);
+    if (expectConfigValue instanceof CallExpression callExpression
+      && signatureConfigurationTypeChecker.check(callExpression.callee().typeV2()) == TriBool.TRUE) {
+      TreeUtils.nthArgumentOrKeywordOptional(0, "require_x509", callExpression.arguments())
+        .filter(arg -> Expressions.isFalsy(arg.expression()))
+        .ifPresent(arg -> subscriptionContext.addIssue(verifyCallExpression, MESSAGE).secondary(arg, MESSAGE_SECONDARY));
+
+      TreeUtils.nthArgumentOrKeywordOptional(3, "signature_methods", callExpression.arguments())
+        .map(this::getOffendingInList)
+        .filter(list -> !list.isEmpty())
+        .ifPresent(list -> {
+          var issue = subscriptionContext.addIssue(verifyCallExpression, MESSAGE);
+          list.forEach(secondary -> issue.secondary(secondary, MESSAGE_SECONDARY));
+        });
+    }
+  }
+
+  private static Tree replaceBySingleAssigned(Tree expectConfigValue) {
+    if (expectConfigValue.is(Tree.Kind.NAME)) {
+      expectConfigValue = Expressions.singleAssignedNonNameValue((Name) expectConfigValue).orElse(null);
+    }
+    return expectConfigValue;
+  }
+
+  private List<Expression> getOffendingInList(RegularArgument regularArgument) {
+    var expression = replaceBySingleAssigned(regularArgument.expression());
+    return TreeUtils.toOptionalInstanceOf(ListLiteral.class, expression)
+      .map(ListLiteral::elements)
+      .map(ExpressionList::expressions)
+      .stream()
+      .flatMap(Collection::stream)
+      .filter(e -> signatureMethodTypeCheckMap.getOptionalForType(e.typeV2()).isEmpty())
+      .toList();
+  }
+
+
+  private Map<String, Tree> keysInUnpacking(Expression expression) {
+    if (expression instanceof CallExpression callExpression && dictTypeChecker.check(callExpression.callee().typeV2()) == TriBool.TRUE) {
+      return callExpression.arguments().stream()
+        .flatMap(TreeUtils.toStreamInstanceOfMapper(RegularArgument.class))
+        .filter(regularArgument -> regularArgument.keywordArgument() != null)
+        .collect(Collectors.toMap(
+          regularArgument -> regularArgument.keywordArgument().name(),
+          RegularArgument::expression
+        ));
+    }
+    if (expression instanceof DictionaryLiteral dictionaryLiteral) {
+      var output = new HashMap<String, Tree>();
+      for (var element : dictionaryLiteral.elements()) {
+        if (element instanceof KeyValuePair keyValuePair) {
+
+          var key = singleAssignedString(keyValuePair.key());
+          if (!key.isEmpty()) {
+            output.put(key, keyValuePair.value());
+          }
+        } else {
+          var unpackedKeys = TreeUtils.toOptionalInstanceOf(UnpackingExpression.class, element)
+            .map(UnpackingExpression::expression)
+            .flatMap(TreeUtils.toOptionalInstanceOfMapper(Name.class))
+            .flatMap(Expressions::singleAssignedNonNameValue)
+            .map(this::keysInUnpacking)
+            .orElseGet(Map::of);
+          output.putAll(unpackedKeys);
+        }
+      }
+      return output;
+    }
+    return Map.of();
+  }
+
+  private boolean qualifiedExpressionIsVerifyCall(QualifiedExpression qualifiedExprCallee) {
+    if (qualifiedExprCallee.qualifier() instanceof CallExpression callExpression) {
+      return xmlVerifierVerifyTypeChecker.check(callExpression.callee().typeV2()) == TriBool.TRUE;
+    }
+    if (qualifiedExprCallee.qualifier() instanceof Name name) {
+      // This check can never be true because we don't have stubs for signxml.
+      // Currently, if we try to instantiate the XMLVerifier and then call the verify method on the variable,
+      // the name will have an unknown type.
+      return xmlVerifierVerifyTypeChecker.check(name.typeV2()) == TriBool.TRUE;
+    }
+    return false;
+  }
+}

python-checks/src/main/java/org/sonar/python/checks/utils/Expressions.java

@@ -61,7 +61,7 @@ private Expressions() {
   }
 
   // https://docs.python.org/3/library/stdtypes.html#truth-value-testing
-  public static boolean isFalsy(@Nullable Expression expression) {
+  private static boolean isFalsyInternal(@Nullable Expression expression) {
     if (expression == null) {
       return false;
     }
@@ -77,8 +77,18 @@ public static boolean isFalsy(@Nullable Expression expression) {
     };
   }
 
+  public static boolean isFalsy(@Nullable Expression expression) {
+    if (expression instanceof Name name) {
+      if (Expressions.isFalsyInternal(expression)) {
+        return true;
+      }
+      return Optional.ofNullable(Expressions.singleAssignedValue(name)).map(Expressions::isFalsyInternal).orElse(false);
+    }
+    return Expressions.isFalsyInternal(expression);
+  }
+
   // https://docs.python.org/3/library/stdtypes.html#truth-value-testing
-  public static boolean isTruthy(@Nullable Expression expression) {
+  private static boolean isTruthyInternal(@Nullable Expression expression) {
     if (expression == null) {
       return false;
     }
@@ -89,6 +99,16 @@ public static boolean isTruthy(@Nullable Expression expression) {
     };
   }
 
+  public static boolean isTruthy(@Nullable Expression expression) {
+    if (expression instanceof Name name) {
+      if (Expressions.isTruthyInternal(expression)) {
+        return true;
+      }
+      return Optional.ofNullable(Expressions.singleAssignedValue(name)).map(Expressions::isTruthyInternal).orElse(false);
+    }
+    return Expressions.isTruthyInternal(expression);
+  }
+
   @CheckForNull
   public static Expression singleAssignedValue(Name name) {
     return singleAssignedValue(name, new HashSet<>());

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6377.html

@@ -0,0 +1,56 @@
+<p>XML signatures are a method used to ensure the integrity and authenticity of XML documents. However, if XML signatures are not validated securely,
+it can lead to potential vulnerabilities.</p>
+<h2>Why is this an issue?</h2>
+<p>XML can be used for a wide variety of purposes. Using a signature on an XML message generally indicates this message requires authenticity and
+integrity. However, if the signature validation is not properly implemented this authenticity can not be guaranteed.</p>
+<h3>What is the potential impact?</h3>
+<p>By not enforcing secure validation, the XML Digital Signature API is more susceptible to attacks such as signature spoofing and injections.</p>
+<h3>Increased Vulnerability to Signature Spoofing</h3>
+<p>By disabling secure validation, the application becomes more susceptible to signature spoofing attacks. Attackers can potentially manipulate the
+XML signature in a way that bypasses the validation process, allowing them to forge or tamper with the signature. This can lead to the acceptance of
+invalid or maliciously modified signatures, compromising the integrity and authenticity of the XML documents.</p>
+<h3>Risk of Injection Attacks</h3>
+<p>Disabling secure validation can expose the application to injection attacks. Attackers can inject malicious code or entities into the XML document,
+taking advantage of the weakened validation process. In some cases, it can also expose the application to denial-of-service attacks. Attackers can
+exploit vulnerabilities in the validation process to cause excessive resource consumption or system crashes, leading to service unavailability or
+disruption.</p>
+<h2>How to fix it in SignXML</h2>
+<h3>Code examples</h3>
+<p>The following noncompliant code example verifies an XML signature without providing a trusted signing authority. This code will accept any
+signature created from a generally trusted certificate, for example, a Let’s encrypt one.</p>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+from lxml import etree
+from signxml import XMLVerifier
+
+xml_file = open("signed.xml", "rb")
+xml = etree.parse(xml_file)
+
+XMLVerifier().verify(xml) # Noncompliant
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+from lxml import etree
+from signxml import XMLVerifier
+
+xml_file = open("signed.xml", "rb")
+xml = etree.parse(xml_file)
+
+cert_file = open("cert.pem", "rb")
+cert = cert_file.read()
+XMLVerifier().verify(xml, x509_cert=cert)
+</pre>
+<h3>How does this work?</h3>
+<p>Here, the compliant solution provides a trusted certificate to the signature validation function. This will ensure only signatures computed with
+the private key associated with the provided certificate will be accepted.</p>
+<h2>Resources</h2>
+<h3>Standards</h3>
+<ul>
+  <li> OWASP - <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">Top 10:2021 A02:2021 - Cryptographic Failures</a> </li>
+  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">Top 10 2017 Category A3 - Sensitive Data
+  Exposure</a> </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/347">CWE-347 - Improper Verification of Cryptographic Signature</a> </li>
+  <li> STIG Viewer - <a href="https://stigviewer.com/stig/application_security_and_development/2023-06-08/finding/V-222608">Application Security and
+  Development: V-222608</a> - The application must not be vulnerable to XML-oriented attacks. </li>
+</ul>
+