adjust test case for XML entity expansion

erik-krogh · erik-krogh · commit 6163e6cf5f5d · 2020-09-24T09:53:06.000+02:00
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected b/javascript/ql/test/query-tests/Security/CWE-611/Xxe.expected
@@ -16,12 +16,12 @@ nodes
 | libxml.noent.js:14:27:14:47 | req.par ... e-xml") |
 | libxml.noent.js:14:27:14:47 | req.par ... e-xml") |
 | libxml.noent.js:14:27:14:47 | req.par ... e-xml") |
-| libxml.noent.js:16:26:16:34 | req.files |
-| libxml.noent.js:16:26:16:34 | req.files |
-| libxml.noent.js:16:26:16:43 | req.files.products |
-| libxml.noent.js:16:26:16:48 | req.fil ... ts.data |
-| libxml.noent.js:16:26:16:65 | req.fil ... 'utf8') |
-| libxml.noent.js:16:26:16:65 | req.fil ... 'utf8') |
+| libxml.noent.js:16:27:16:35 | req.files |
+| libxml.noent.js:16:27:16:35 | req.files |
+| libxml.noent.js:16:27:16:44 | req.files.products |
+| libxml.noent.js:16:27:16:49 | req.fil ... ts.data |
+| libxml.noent.js:16:27:16:66 | req.fil ... 'utf8') |
+| libxml.noent.js:16:27:16:66 | req.fil ... 'utf8') |
 | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
 | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
 | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
@@ -39,11 +39,11 @@ edges
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") |
 | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | libxml.noent.js:11:21:11:41 | req.par ... e-xml") |
 | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | libxml.noent.js:14:27:14:47 | req.par ... e-xml") |
-| libxml.noent.js:16:26:16:34 | req.files | libxml.noent.js:16:26:16:43 | req.files.products |
-| libxml.noent.js:16:26:16:34 | req.files | libxml.noent.js:16:26:16:43 | req.files.products |
-| libxml.noent.js:16:26:16:43 | req.files.products | libxml.noent.js:16:26:16:48 | req.fil ... ts.data |
-| libxml.noent.js:16:26:16:48 | req.fil ... ts.data | libxml.noent.js:16:26:16:65 | req.fil ... 'utf8') |
-| libxml.noent.js:16:26:16:48 | req.fil ... ts.data | libxml.noent.js:16:26:16:65 | req.fil ... 'utf8') |
+| libxml.noent.js:16:27:16:35 | req.files | libxml.noent.js:16:27:16:44 | req.files.products |
+| libxml.noent.js:16:27:16:35 | req.files | libxml.noent.js:16:27:16:44 | req.files.products |
+| libxml.noent.js:16:27:16:44 | req.files.products | libxml.noent.js:16:27:16:49 | req.fil ... ts.data |
+| libxml.noent.js:16:27:16:49 | req.fil ... ts.data | libxml.noent.js:16:27:16:66 | req.fil ... 'utf8') |
+| libxml.noent.js:16:27:16:49 | req.fil ... ts.data | libxml.noent.js:16:27:16:66 | req.fil ... 'utf8') |
 | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") |
 | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") |
 #select
@@ -52,6 +52,6 @@ edges
 | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:6:21:6:41 | req.par ... e-xml") | user-provided value |
 | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:11:21:11:41 | req.par ... e-xml") | user-provided value |
 | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:14:27:14:47 | req.par ... e-xml") | user-provided value |
-| libxml.noent.js:16:26:16:65 | req.fil ... 'utf8') | libxml.noent.js:16:26:16:34 | req.files | libxml.noent.js:16:26:16:65 | req.fil ... 'utf8') | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:16:26:16:34 | req.files | user-provided value |
+| libxml.noent.js:16:27:16:66 | req.fil ... 'utf8') | libxml.noent.js:16:27:16:35 | req.files | libxml.noent.js:16:27:16:66 | req.fil ... 'utf8') | A $@ is parsed as XML without guarding against external entity expansion. | libxml.noent.js:16:27:16:35 | req.files | user-provided value |
 | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.sax.js:6:22:6:42 | req.par ... e-xml") | user-provided value |
 | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | A $@ is parsed as XML without guarding against external entity expansion. | libxml.saxpush.js:6:15:6:35 | req.par ... e-xml") | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js b/javascript/ql/test/query-tests/Security/CWE-611/libxml.noent.js
@@ -11,7 +11,10 @@ express().post('/some/path', function(req, res) {
   libxmljs.parseXml(req.param("some-xml"), { noent: true });
 
   // NOT OK: unguarded entity expansion
-  libxmljs.parseXmlString(req.param("some-xml"), {noent:true,noblanks:true})
+  libxmljs.parseXmlString(req.param("some-xml"), {noent:true})
   // NOT OK: unguarded entity expansion
-	libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true,noblanks:true})
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true})
+  
+  // OK - no entity expansion
+  libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:false})
 });
