python: model (etree from) lxml

python/ql/lib/semmle/python/Frameworks.qll

@@ -22,6 +22,7 @@ private import semmle.python.frameworks.FlaskSqlAlchemy
 private import semmle.python.frameworks.Idna
 private import semmle.python.frameworks.Invoke
 private import semmle.python.frameworks.Jmespath
+private import semmle.python.frameworks.Lxml
 private import semmle.python.frameworks.MarkupSafe
 private import semmle.python.frameworks.Multidict
 private import semmle.python.frameworks.Mysql

python/ql/lib/semmle/python/frameworks/Lxml.qll

@@ -0,0 +1,77 @@
+/**
+ * Provides classes modeling security-relevant aspects of the `lxml` PyPI package.
+ *
+ * See
+ * - https://pypi.org/project/lxml/
+ * - https://lxml.de/tutorial.html
+ */
+
+private import python
+private import semmle.python.dataflow.new.DataFlow
+private import semmle.python.Concepts
+private import semmle.python.ApiGraphs
+
+/**
+ * Provides classes modeling security-relevant aspects of the `lxml` PyPI package
+ *
+ * See
+ * - https://pypi.org/project/lxml/
+ * - https://lxml.de/tutorial.html
+ */
+private module Lxml {
+  /**
+   * A class constructor compiling an XPath expression.
+   *
+   *    from lxml import etree
+   *    root = etree.XML("<xmlContent>")
+   *    find_text = etree.XPath("`sink`")
+   *    find_text = etree.ETXPath("`sink`")
+   *
+   * See
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XPath
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.ETXPath
+   */
+  private class XPathClassCall extends XPathConstruction::Range, DataFlow::CallCfgNode {
+    XPathClassCall() {
+      this = API::moduleImport("lxml").getMember("etree").getMember(["XPath", "ETXPath"]).getACall()
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("path")] }
+
+    override string getName() { result = "Lxml.etree" }
+  }
+
+  /**
+   * A call to the `xpath` method of a parsed document.
+   *
+   *    from lxml import etree
+   *    root =  etree.fromstring(file(XML_DB).read(), XMLParser())
+   *    find_text = root.xpath("`sink`")
+   *
+   * See https://lxml.de/apidoc/lxml.etree.html#lxml.etree._ElementTree.xpath
+   * as well as
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.parse
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.fromstring
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.fromstringlist
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.HTML
+   * - https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XML
+   */
+  class XPathCall extends XPathExecution::Range, DataFlow::CallCfgNode {
+    XPathCall() {
+      this =
+        API::moduleImport("lxml")
+            .getMember("etree")
+            .getMember(["parse", "fromstring", "fromstringlist", "HTML", "XML"])
+            .getReturn()
+            .getMember("xpath")
+            .getACall()
+    }
+
+    override DataFlow::Node getXPath() { result in [this.getArg(0), this.getArgByName("_path")] }
+
+    // TODO: implement when we get call nodes
+    override DataFlow::Node getTree() { none() }
+
+    override string getName() { result = "Lxml.etree" }
+  }
+}