Python: Use concept tests for XML Parsing

I was loosing my mind from looking through those .expected files

Just going to take it one file at time, to make reviewing easier

Author: RasmusWL

python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.expected

@@ -0,0 +1,33 @@
+import python
+import experimental.semmle.python.Concepts
+import experimental.semmle.python.frameworks.Xml
+import semmle.python.dataflow.new.DataFlow
+import TestUtilities.InlineExpectationsTest
+private import semmle.python.dataflow.new.internal.PrintNode
+
+class XmlParsingTest extends InlineExpectationsTest {
+  XmlParsingTest() { this = "XmlParsingTest" }
+
+  override string getARelevantTag() { result in ["input", "vuln"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    exists(location.getFile().getRelativePath()) and
+    exists(XML::XMLParsing parsing |
+      exists(DataFlow::Node input |
+        input = parsing.getAnInput() and
+        location = input.getLocation() and
+        element = input.toString() and
+        value = prettyNodeForInlineTest(input) and
+        tag = "input"
+      )
+      or
+      exists(XML::XMLVulnerabilityKind kind |
+        parsing.vulnerable(kind) and
+        location = parsing.getLocation() and
+        element = parsing.toString() and
+        value = "'" + kind + "'" and
+        tag = "vuln"
+      )
+    )
+  }
+}

python/ql/test/experimental/library-tests/frameworks/XML/ExperimentalXmlConceptsTests.ql

@@ -0,0 +1,40 @@
+from io import StringIO
+import lxml.etree
+
+x = "some xml"
+
+# different parsing methods
+lxml.etree.fromstring(x) # $ input=x vuln='XXE'
+
+lxml.etree.fromstringlist([x]) # $ input=List vuln='XXE'
+
+lxml.etree.XML(x) # $ input=x vuln='XXE'
+
+lxml.etree.parse(StringIO(x)).getroot() # $ input=StringIO(..) vuln='XXE'
+
+# With default parsers (nothing changed)
+parser = lxml.etree.XMLParser()
+lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
+
+parser = lxml.etree.get_default_parser()
+lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
+
+# XXE-safe
+parser = lxml.etree.XMLParser(resolve_entities=False)
+lxml.etree.fromstring(x, parser=parser) # $ input=x
+
+# XXE-vuln
+parser = lxml.etree.XMLParser(resolve_entities=True)
+lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='XXE'
+
+# Billion laughs vuln (also XXE)
+parser = lxml.etree.XMLParser(huge_tree=True)
+lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup' vuln='XXE'
+
+# Billion laughs, but not XXE
+parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True)
+lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# DTD retrival vuln (also XXE)
+parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)
+lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='DTD retrieval' vuln='XXE'