Write (String|Bytes)IO additional taint step

python/ql/src/experimental/semmle/python/security/XXE.qll

@@ -4,6 +4,7 @@ import semmle.python.dataflow.new.DataFlow
 import semmle.python.dataflow.new.TaintTracking
 import semmle.python.dataflow.new.RemoteFlowSources
 import semmle.python.dataflow.new.BarrierGuards
+import semmle.python.ApiGraphs
 
 /**
  * A taint-tracking configuration for detecting XML External entities abuse.
@@ -23,4 +24,12 @@ class XXEFlowConfig extends TaintTracking::Configuration {
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
     guard instanceof StringConstCompare
   }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeIn) {
+    exists(DataFlow::CallCfgNode ioCalls |
+      ioCalls = API::moduleImport("io").getMember(["StringIO", "BytesIO"]).getACall() and
+      nodeFrom = ioCalls and
+      nodeIn = ioCalls.getArg(0)
+    )
+  }
 }

python/ql/test/experimental/query-tests/Security/CWE-611/general.py

@@ -12,8 +12,6 @@ TO-DO
 
 Extend tests
 Model xmltodict and xml.dom
-Write StringIO/BytesIO additional tain steps
-
 
 XML Parsers:
   xml.etree.ElementTree.XMLParser() - no options, vuln by default
@@ -35,6 +33,8 @@ XML Parsing:
     xml.dom.(mini|pull)dom.parse(String)
 '''
 
+app = Flask(__name__)
+
 
 @app.route("/XMLParser-Empty&xml.etree.ElementTree.fromstring")
 def test1():

python/ql/test/experimental/query-tests/Security/CWE-611/xml_sax_make_parser.py

@@ -1,6 +1,10 @@
+from flask import request, Flask
 from io import StringIO
 import xml.sax
 
+
+app = Flask(__name__)
+
 # https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges