Python: Port xml.etree tests

2026-05-01 11:45:14 +02:00 · 2022-03-03 20:50:45 +01:00
parent a7134cac2e
commit 5fb4c4d152
3 changed files with 36 additions and 64 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/xml_etree.py
@@ -0,0 +1,19 @@
+from io import StringIO
+import xml.etree.ElementTree
+
+x = "some xml"
+
+# Parsing in different ways
+xml.etree.ElementTree.fromstring(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.fromstringlist(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.XML(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.etree.ElementTree.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# With parsers (no options available to disable/enable security features)
+parser = xml.etree.ElementTree.XMLParser()
+xml.etree.ElementTree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# note: it's technically possible to use the thing wrapper func `fromstring` with an
+# `lxml` parser, and thereby change what vulnerabilities you are exposed to.. but it
+# seems very unlikely that anyone would do this, so we have intentionally not added any
+# tests for this.
--- a/python/ql/test/experimental/query-tests/Security/CWE-611/dont_extract/PoC.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-611/dont_extract/PoC.py
@@ -250,6 +250,23 @@ class TestEtree:
        assert root.tag == "test"
        assert root.text == "hello world"

+    @staticmethod
+    def test_ok_xml_sax_parser():
+        # you _can_ pass a SAX parser to xml.etree... but it doesn't give you the output :|
+        parser = xml.sax.make_parser()
+        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
+        assert root == None
+
+    @staticmethod
+    def test_ok_xml_lxml_parser():
+        # this is technically possible, since parsers follow the same API, and the
+        # `fromstring` function is just a thin wrapper... seems very unlikely that
+        # anyone would do this though :|
+        parser = lxml.etree.XMLParser()
+        root = xml.etree.ElementTree.fromstring(ok_xml, parser=parser)
+        assert root.tag == "test"
+        assert root.text == "hello world"
+
    @staticmethod
    def test_xxe_not_possible():
        parser = xml.etree.ElementTree.XMLParser()
--- a/python/ql/test/experimental/query-tests/Security/CWE-611/xml_etree.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-611/xml_etree.py
@@ -1,64 +0,0 @@
-from flask import request, Flask
-from io import StringIO, BytesIO
-import xml.etree
-import xml.etree.ElementTree
-import lxml.etree
-
-app = Flask(__name__)
-
-# Parsing
-
-@app.route("/xml_etree_fromstring")
-def xml_etree_fromstring():
-    xml_content = request.args['xml_content']
-
-    return xml.etree.ElementTree.fromstring(xml_content).text
-
-@app.route("/xml_etree_fromstringlist")
-def xml_etree_fromstringlist():
-    xml_content = request.args['xml_content']
-
-    return xml.etree.ElementTree.fromstringlist(xml_content).text
-
-@app.route("/xml_etree_XML")
-def xml_etree_XML():
-    xml_content = request.args['xml_content']
-
-    return xml.etree.ElementTree.XML(xml_content).text
-
-@app.route("/xml_etree_parse")
-def xml_etree_parse():
-    xml_content = request.args['xml_content']
-
-    return xml.etree.ElementTree.parse(StringIO(xml_content)).getroot().text
-
-# With parsers
-
-@app.route("/xml_etree_fromstring-xml_etree_XMLParser")
-def xml_parser_1():
-    xml_content = request.args['xml_content']
-
-    parser = xml.etree.ElementTree.XMLParser()
-    return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
-
-@app.route("/xml_etree_fromstring-lxml_etree_XMLParser")
-def xml_parser_2():
-    xml_content = request.args['xml_content']
-
-    parser = lxml.etree.XMLParser()
-    return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
-
-@app.route("/xml_etree_fromstring-lxml_get_default_parser")
-def xml_parser_3():
-    xml_content = request.args['xml_content']
-
-    parser = lxml.etree.get_default_parser()
-    return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
-
-@app.route("/xml_etree_fromstring-lxml_get_default_parser")
-def xml_parser_4():
-    xml_content = request.args['xml_content']
-
-    parser = xml.sax.make_parser()
-    parser.setFeature(xml.sax.handler.feature_external_ges, True)
-    return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text