hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
8f9cd168067a4c4d56d12d20a9e926bb05142f19
codeql/python/ql/test/experimental/query-tests/Security/CWE-611/xml_etree.py
jorgectf 8f9cd16806 Update
2022-02-08 17:23:18 +01:00

66 lines
2.0 KiB
Python
Raw Blame History

from flask import request, Flask
from io import StringIO, BytesIO
import xml.etree
import xml.etree.ElementTree
import lxml.etree
app = Flask(__name__)
# xxe = '<?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>'
# Parsing
@app.route("/xml_etree_fromstring")
def xml_etree_fromstring():
xml_content = request.args['xml_content']
return xml.etree.ElementTree.fromstring(xml_content).text
@app.route("/xml_etree_fromstringlist")
def xml_etree_fromstringlist():
xml_content = request.args['xml_content']
return xml.etree.ElementTree.fromstringlist(xml_content).text
@app.route("/xml_etree_XML")
def xml_etree_XML():
xml_content = request.args['xml_content']
return xml.etree.ElementTree.XML(xml_content).text
@app.route("/xml_etree_parse")
def xml_etree_parse():
xml_content = request.args['xml_content']
return xml.etree.ElementTree.parse(StringIO(xml_content)).getroot().text
# With parsers
@app.route("/xml_etree_fromstring-xml_etree_XMLParser")
def xml_parser_1():
xml_content = request.args['xml_content']
parser = xml.etree.ElementTree.XMLParser()
return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
@app.route("/xml_etree_fromstring-lxml_etree_XMLParser")
def xml_parser_2():
xml_content = request.args['xml_content']
parser = lxml.etree.XMLParser()
return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
@app.route("/xml_etree_fromstring-lxml_get_default_parser")
def xml_parser_3():
xml_content = request.args['xml_content']
parser = lxml.etree.get_default_parser()
return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
@app.route("/xml_etree_fromstring-lxml_get_default_parser")
def xml_parser_4():
xml_content = request.args['xml_content']
parser = xml.sax.make_parser()
parser.setFeature(xml.sax.handler.feature_external_ges, True)
return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
Reference in New Issue View Git Blame Copy Permalink