C++: Add test cases for SAXParser.

cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp

@@ -4,8 +4,8 @@
 
 // ---
 
-class SecurityManager;
-class InputSource;
+
+
 
 class AbstractDOMParser {
 public:

cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.h

@@ -1,2 +1,4 @@
-// library functions for rule CWE-611
+// library/common functions for rule CWE-611
 
+class SecurityManager;
+class InputSource;

cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp

@@ -0,0 +1,46 @@
+// test cases for rule CWE-611
+
+#include "tests.h"
+
+// ---
+
+class SAXParser
+{
+public:
+	SAXParser();
+
+	void setDisableDefaultEntityResolution(bool); // default is false
+	void setSecurityManager(SecurityManager *const manager);
+	void parse(const InputSource &data);
+};
+
+// ---
+
+void test2_1(InputSource &data) {
+	SAXParser *p = new SAXParser();
+
+	p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
+}
+
+void test2_2(InputSource &data) {
+	SAXParser *p = new SAXParser();
+
+	p->setDisableDefaultEntityResolution(true);
+	p->parse(data); // GOOD
+}
+
+void test2_3(InputSource &data) {
+	SAXParser *p = new SAXParser();
+	bool v = false;
+
+	p->setDisableDefaultEntityResolution(v);
+	p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
+}
+
+void test2_4(InputSource &data) {
+	SAXParser *p = new SAXParser();
+	bool v = true;
+
+	p->setDisableDefaultEntityResolution(v);
+	p->parse(data); // GOOD
+}