Python: Port xml.dom tests

2026-05-04 05:05:12 +02:00 · 2022-03-03 20:39:56 +01:00
parent faebaee141
commit a7134cac2e
2 changed files with 19 additions and 43 deletions
--- a/python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py
+++ b/python/ql/test/experimental/library-tests/frameworks/XML/xml_dom.py
@@ -0,0 +1,19 @@
+from io import StringIO
+import xml.dom.minidom
+import xml.dom.pulldom
+import xml.sax
+
+x = "some xml"
+
+# minidom
+xml.dom.minidom.parse(StringIO(x)) # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.minidom.parseString(x) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# pulldom
+xml.dom.pulldom.parse(StringIO(x))['START_DOCUMENT'][1] # $ input=StringIO(..) vuln='Billion Laughs' vuln='Quadratic Blowup'
+xml.dom.pulldom.parseString(x)['START_DOCUMENT'][1] # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+
+# These are based on SAX parses, and you can specify your own, so you can expose yourself to XXE (yay/)
+parser = xml.sax.make_parser()
+parser.setFeature(xml.sax.handler.feature_external_ges, True)
+xml.dom.minidom.parse(StringIO(x), parser=parser) # $ input=StringIO(..) vuln='Billion Laughs' vuln='DTD retrieval' vuln='Quadratic Blowup' vuln='XXE'
--- a/python/ql/test/experimental/query-tests/Security/CWE-611/xml_dom.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-611/xml_dom.py
@@ -1,43 +0,0 @@
-from flask import request, Flask
-from io import StringIO, BytesIO
-import xml.dom.minidom
-import xml.dom.pulldom
-import xml.sax
-
-app = Flask(__name__)
-
-# Parsing
-
-@app.route("/xml_minidom_parse")
-def xml_minidom_parse():
-    xml_content = request.args['xml_content']
-
-    return xml.dom.minidom.parse(StringIO(xml_content)).documentElement.childNodes # OK for XXE/DTD, NOT OK for billion laughs/quadratic
-
-@app.route("/xml_minidom_parseString")
-def xml_minidom_parseString():
-    xml_content = request.args['xml_content']
-
-    return xml.dom.minidom.parseString(xml_content).documentElement.childNodes # OK for XXE/DTD, NOT OK for billion laughs/quadratic
-
-@app.route("/xml_pulldom_parse")
-def xml_pulldom_parse():
-    xml_content = request.args['xml_content']
-
-    return xml.dom.pulldom.parse(StringIO(xml_content))['START_DOCUMENT'][1].documentElement.childNodes # OK for XXE/DTD, NOT OK for billion laughs/quadratic
-
-@app.route("/xml_pulldom_parseString")
-def xml_pulldom_parseString():
-    xml_content = request.args['xml_content']
-
-    return xml.dom.pulldom.parseString(xml_content)['START_DOCUMENT'][1].documentElement.childNodes # OK for XXE/DTD, NOT OK for billion laughs/quadratic
-
-# With parsers
-
-@app.route("/xml_minidom_parse_xml_sax_make_parser")
-def xml_minidom_parse_xml_sax_make_parser():
-    xml_content = request.args['xml_content']
-
-    parser = xml.sax.make_parser()
-    parser.setFeature(xml.sax.handler.feature_external_ges, True)
-    return xml.dom.minidom.parse(StringIO(xml_content), parser=parser).documentElement.childNodes # NOT OK for XXE/DTD, NOT OK for billion laughs/quadratic