Java: Add XXE sink model for Woodstox WstxInputFactory

Salah Baddou · Salah Baddou · commit 21ee364905ac · 2026-04-16T04:14:41.000Z
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
diff --git a/java/ql/lib/semmle/code/java/frameworks/woodstox/WoodstoxXml.qll b/java/ql/lib/semmle/code/java/frameworks/woodstox/WoodstoxXml.qll
@@ -0,0 +1,93 @@
+/** Provides definitions related to XML parsing in the Woodstox StAX library. */
+overlay[local?]
+module;
+
+import java
+private import semmle.code.java.security.XmlParsers
+
+/**
+ * The class `com.ctc.wstx.stax.WstxInputFactory` or its abstract supertype
+ * `org.codehaus.stax2.XMLInputFactory2`.
+ */
+private class WstxInputFactory extends RefType {
+  WstxInputFactory() {
+    this.hasQualifiedName("com.ctc.wstx.stax", "WstxInputFactory") or
+    this.hasQualifiedName("org.codehaus.stax2", "XMLInputFactory2")
+  }
+}
+
+/** A call to `WstxInputFactory.createXMLStreamReader`. */
+private class WstxInputFactoryStreamReader extends XmlParserCall {
+  WstxInputFactoryStreamReader() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType() instanceof WstxInputFactory and
+      m.hasName("createXMLStreamReader")
+    )
+  }
+
+  override Expr getSink() {
+    if this.getMethod().getParameterType(0) instanceof TypeString
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+
+  override predicate isSafe() {
+    SafeWstxInputFactoryFlow::flowsTo(DataFlow::exprNode(this.getQualifier()))
+  }
+}
+
+/** A call to `WstxInputFactory.createXMLEventReader`. */
+private class WstxInputFactoryEventReader extends XmlParserCall {
+  WstxInputFactoryEventReader() {
+    exists(Method m |
+      this.getMethod() = m and
+      m.getDeclaringType() instanceof WstxInputFactory and
+      m.hasName("createXMLEventReader")
+    )
+  }
+
+  override Expr getSink() {
+    if this.getMethod().getParameterType(0) instanceof TypeString
+    then result = this.getArgument(1)
+    else result = this.getArgument(0)
+  }
+
+  override predicate isSafe() {
+    SafeWstxInputFactoryFlow::flowsTo(DataFlow::exprNode(this.getQualifier()))
+  }
+}
+
+/** A `ParserConfig` specific to `WstxInputFactory`. */
+private class WstxInputFactoryConfig extends ParserConfig {
+  WstxInputFactoryConfig() {
+    exists(Method m |
+      m = this.getMethod() and
+      m.getDeclaringType() instanceof WstxInputFactory and
+      m.hasName("setProperty")
+    )
+  }
+}
+
+/**
+ * A safely configured `WstxInputFactory`.
+ */
+private class SafeWstxInputFactory extends VarAccess {
+  SafeWstxInputFactory() {
+    exists(Variable v |
+      v = this.getVariable() and
+      exists(WstxInputFactoryConfig config | config.getQualifier() = v.getAnAccess() |
+        config.disables(configOptionIsSupportingExternalEntities())
+      ) and
+      exists(WstxInputFactoryConfig config | config.getQualifier() = v.getAnAccess() |
+        config.disables(configOptionSupportDtd())
+      )
+    )
+  }
+}
+
+private predicate safeWstxInputFactoryNode(DataFlow::Node src) {
+  src.asExpr() instanceof SafeWstxInputFactory
+}
+
+private module SafeWstxInputFactoryFlow = DataFlow::SimpleGlobal<safeWstxInputFactoryNode/1>;
diff --git a/java/ql/lib/semmle/code/java/security/XmlParsers.qll b/java/ql/lib/semmle/code/java/security/XmlParsers.qll
@@ -12,6 +12,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.javase.Beans
   private import semmle.code.java.frameworks.mdht.MdhtXml
   private import semmle.code.java.frameworks.rundeck.RundeckXml
+  private import semmle.code.java.frameworks.woodstox.WoodstoxXml
 }
 
 /**
diff --git a/java/ql/src/change-notes/2026-04-16-woodstox-xxe.md b/java/ql/src/change-notes/2026-04-16-woodstox-xxe.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the Woodstox StAX library when `com.ctc.wstx.stax.WstxInputFactory` or `org.codehaus.stax2.XMLInputFactory2` are used directly.
diff --git a/java/ql/test/query-tests/security/CWE-611/WstxInputFactoryTests.java b/java/ql/test/query-tests/security/CWE-611/WstxInputFactoryTests.java
@@ -0,0 +1,44 @@
+import java.net.Socket;
+
+import javax.xml.stream.XMLInputFactory;
+
+import com.ctc.wstx.stax.WstxInputFactory;
+
+public class WstxInputFactoryTests {
+
+  public void unconfiguredFactory(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
+    factory.createXMLEventReader(sock.getInputStream()); // $ Alert
+  }
+
+  public void safeFactory(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+    factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+    factory.createXMLStreamReader(sock.getInputStream()); // safe
+    factory.createXMLEventReader(sock.getInputStream()); // safe
+  }
+
+  public void safeFactoryStringProperties(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty("javax.xml.stream.supportDTD", false);
+    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+    factory.createXMLStreamReader(sock.getInputStream()); // safe
+    factory.createXMLEventReader(sock.getInputStream()); // safe
+  }
+
+  public void misConfiguredFactory(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+    factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
+    factory.createXMLEventReader(sock.getInputStream()); // $ Alert
+  }
+
+  public void misConfiguredFactory2(Socket sock) throws Exception {
+    WstxInputFactory factory = new WstxInputFactory();
+    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+    factory.createXMLStreamReader(sock.getInputStream()); // $ Alert
+    factory.createXMLEventReader(sock.getInputStream()); // $ Alert
+  }
+}
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -89,6 +89,12 @@
 | TransformerTests.java:141:21:141:73 | new SAXSource(...) | TransformerTests.java:141:51:141:71 | getInputStream(...) : InputStream | TransformerTests.java:141:21:141:73 | new SAXSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | TransformerTests.java:141:51:141:71 | getInputStream(...) | user-provided value |
 | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | UnmarshallerTests.java:29:18:29:38 | getInputStream(...) | user-provided value |
 | ValidatorTests.java:22:28:22:33 | source | ValidatorTests.java:17:49:17:72 | getInputStream(...) : ServletInputStream | ValidatorTests.java:22:28:22:33 | source | XML parsing depends on a $@ without guarding against external entity expansion. | ValidatorTests.java:17:49:17:72 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | user-provided value |
+| WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | XML parsing depends on a $@ without guarding against external entity expansion. | WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | user-provided value |
 | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | XMLDecoderTests.java:18:9:18:18 | xmlDecoder | XML parsing depends on a $@ without guarding against external entity expansion. | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) | user-provided value |
 | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XMLReaderTests.java:16:34:16:54 | getInputStream(...) : InputStream | XMLReaderTests.java:16:18:16:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:16:34:16:54 | getInputStream(...) | user-provided value |
 | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XMLReaderTests.java:56:34:56:54 | getInputStream(...) : InputStream | XMLReaderTests.java:56:18:56:55 | new InputSource(...) | XML parsing depends on a $@ without guarding against external entity expansion. | XMLReaderTests.java:56:34:56:54 | getInputStream(...) | user-provided value |
@@ -390,6 +396,12 @@ nodes
 | ValidatorTests.java:21:31:21:66 | new StreamSource(...) : StreamSource | semmle.label | new StreamSource(...) : StreamSource |
 | ValidatorTests.java:21:48:21:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
 | ValidatorTests.java:22:28:22:33 | source | semmle.label | source |
+| WstxInputFactoryTests.java:11:35:11:55 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:12:34:12:54 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:34:35:34:55 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:35:34:35:54 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:41:35:41:55 | getInputStream(...) | semmle.label | getInputStream(...) |
+| WstxInputFactoryTests.java:42:34:42:54 | getInputStream(...) | semmle.label | getInputStream(...) |
 | XMLDecoderTests.java:16:49:16:72 | getInputStream(...) : ServletInputStream | semmle.label | getInputStream(...) : ServletInputStream |
 | XMLDecoderTests.java:17:33:17:66 | new XMLDecoder(...) : XMLDecoder | semmle.label | new XMLDecoder(...) : XMLDecoder |
 | XMLDecoderTests.java:17:48:17:65 | servletInputStream : ServletInputStream | semmle.label | servletInputStream : ServletInputStream |
diff --git a/java/ql/test/query-tests/security/CWE-611/options b/java/ql/test/query-tests/security/CWE-611/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/:${testdir}/../../../stubs/woodstox-core-6.4.0
diff --git a/java/ql/test/stubs/woodstox-core-6.4.0/com/ctc/wstx/stax/WstxInputFactory.java b/java/ql/test/stubs/woodstox-core-6.4.0/com/ctc/wstx/stax/WstxInputFactory.java
diff --git a/java/ql/test/stubs/woodstox-core-6.4.0/org/codehaus/stax2/XMLInputFactory2.java b/java/ql/test/stubs/woodstox-core-6.4.0/org/codehaus/stax2/XMLInputFactory2.java

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ private module Frameworks {`
`12`	`12`	`private import semmle.code.java.frameworks.javase.Beans`
`13`	`13`	`private import semmle.code.java.frameworks.mdht.MdhtXml`
`14`	`14`	`private import semmle.code.java.frameworks.rundeck.RundeckXml`
	`15`	`+ private import semmle.code.java.frameworks.woodstox.WoodstoxXml`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`/**`
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The queries "Resolving XML external entity in user-controlled data" (`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (`java/xxe-local`) now recognize sinks in the Woodstox StAX library when `com.ctc.wstx.stax.WstxInputFactory` or `org.codehaus.stax2.XMLInputFactory2` are used directly.
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/`
	`1`	+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jdom-1.1.3:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/simple-xml-2.7.1:${testdir}/../../../stubs/jaxb-api-2.3.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-digester3-3.2:${testdir}/../../../stubs/servlet-api-2.4/:${testdir}/../../../stubs/rundeck-api-java-client-13.2:${testdir}/../../../stubs/springframework-5.8.x/:${testdir}/../../../stubs/mdht-1.2.0/:${testdir}/../../../stubs/woodstox-core-6.4.0