Python: Port xml.etree tests

RasmusWL · RasmusWL · commit 5fb4c4d1524f · 2022-03-03T20:51:02.000+01:00
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py b/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py
@@ -0,0 +1,19 @@
+from io import StringIO
+import xml.etree.ElementTree
+
+x = "some xml"
+
+# Parsing in different ways
+xml.etree.ElementTree.fromstring(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstringlist(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.XML(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# With parsers (no options available to disable/enable security features)
+parser = xml.etree.ElementTree.XMLParser()
+xml.etree.ElementTree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# note: it's technically possible to use the thing wrapper func `fromstring` with an
+# `lxml` parser, and thereby change what vulnerabilities you are exposed to.. but it
+# seems very unlikely that anyone would do this, so we have intentionally not added any
+# tests for this.
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-611/dont_extract/PoC.py b/python/ql/test/experimental/query-tests/Security/CWE-611/dont_extract/PoC.py
@@ -250,6 +250,23 @@ def test_ok_xml():
         assert root.tag == "test"
         assert root.text == "hello world"
 
+    @staticmethod
+    def test_ok_xml_sax_parser():
+        # you _can_ pass a SAX parser to xml.etree... but it doesn't give you the output :|
+        parser = xml.sax.make_parser()
+        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
+        assert root == None
+
+    @staticmethod
+    def test_ok_xml_lxml_parser():
+        # this is technically possible, since parsers follow the same API, and the
+        # `fromstring` function is just a thin wrapper... seems very unlikely that
+        # anyone would do this though :|
+        parser = lxml.etree.XMLParser()
+        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
+        assert root.tag == "test"
+        assert root.text == "hello world"
+
     @staticmethod
     def test_xxe_not_possible():
         parser = xml.etree.ElementTree.XMLParser()
diff --git a/python/ql/test/experimental/query-tests/Security/CWE-611/xml_etree.py b/python/ql/test/experimental/query-tests/Security/CWE-611/xml_etree.py
