Add FP as a test case

joefarebrother · joefarebrother · commit 2fd5d26b1b27 · 2020-12-08T16:37:53.000Z
diff --git a/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java b/java/ql/test/query-tests/security/CWE-611/SAXParserTests.java
@@ -2,7 +2,7 @@
 
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
-
+import javax.xml.XMLConstants;
 import org.xml.sax.helpers.DefaultHandler;
 
 public class SAXParserTests {
@@ -72,4 +72,12 @@ public void misConfiguredParser3(Socket sock) throws Exception {
     SAXParser parser = factory.newSAXParser();
     parser.parse(sock.getInputStream(), new DefaultHandler()); //unsafe
   }
+
+  public void safeParser2(Socket sock) throws Exception {
+    SAXParserFactory factory = SAXParserFactory.newInstance();
+    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 
+    SAXParser parser = factory.newSAXParser();
+    parser.parse(sock.getInputStream(), new DefaultHandler()); //safe [FP]
+  }
 }
diff --git a/java/ql/test/query-tests/security/CWE-611/XXE.expected b/java/ql/test/query-tests/security/CWE-611/XXE.expected
@@ -71,6 +71,7 @@ nodes
 | SAXParserTests.java:55:18:55:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXParserTests.java:64:18:64:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXParserTests.java:73:18:73:38 | getInputStream(...) | semmle.label | getInputStream(...) |
+| SAXParserTests.java:81:18:81:38 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | semmle.label | getInputStream(...) |
 | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | semmle.label | getInputStream(...) |
@@ -213,6 +214,7 @@ nodes
 | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | SAXParserTests.java:55:18:55:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:55:18:55:38 | getInputStream(...) | user input |
 | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | SAXParserTests.java:64:18:64:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:64:18:64:38 | getInputStream(...) | user input |
 | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | SAXParserTests.java:73:18:73:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:73:18:73:38 | getInputStream(...) | user input |
+| SAXParserTests.java:81:18:81:38 | getInputStream(...) | SAXParserTests.java:81:18:81:38 | getInputStream(...) | SAXParserTests.java:81:18:81:38 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXParserTests.java:81:18:81:38 | getInputStream(...) | user input |
 | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:8:17:8:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:23:17:23:37 | getInputStream(...) | user input |
 | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | Unsafe parsing of XML file from $@. | SAXReaderTests.java:30:17:30:37 | getInputStream(...) | user input |
