Python: Properly handle huge_tree in lxml

2026-04-30 11:15:13 +02:00 · 2022-03-03 14:43:37 +01:00
parent 124c03c15c
commit e295399f70
2 changed files with 2 additions and 4 deletions
--- a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
+++ b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -226,10 +226,7 @@ private module Xml {
      )
      or
      (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
-      (
-        this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t) and
-        not this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False f)
-      )
+      this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t)
    }
  }