Python: Align xml.etree.ElementTree modeling

RasmusWL · RasmusWL · commit 05bb0ef97688 · 2022-03-31T17:24:16.000+02:00
I didn't find a good way to actually share the stuff, so we kinda just
have 2 things that look very similar :|
diff --git a/python/ql/lib/semmle/python/frameworks/Stdlib.qll b/python/ql/lib/semmle/python/frameworks/Stdlib.qll
@@ -3153,6 +3153,15 @@ private module StdlibPrivate {
           .getMember("ElementTree")
           .getMember(["fromstring", "fromstringlist", "XML"])
           .getReturn()
+    or
+    result =
+      API::moduleImport("xml")
+          .getMember("etree")
+          .getMember("ElementTree")
+          .getMember("XMLParser")
+          .getReturn()
+          .getMember("close")
+          .getReturn()
   }
 
   /**
@@ -3255,6 +3264,7 @@ private module StdlibPrivate {
    * - `xml.etree.ElementTree.XMLID`
    * - `xml.etree.ElementTree.parse`
    * - `xml.etree.ElementTree.iterparse`
+   * - `parse` method on an `xml.etree.ElementTree.ElementTree` instance
    *
    * See
    * - https://docs.python.org/3/library/xml.etree.elementtree.html#xml.etree.ElementTree.fromstring
@@ -3272,6 +3282,8 @@ private module StdlibPrivate {
             .getMember("ElementTree")
             .getMember(["fromstring", "fromstringlist", "XML", "XMLID", "parse", "iterparse"])
             .getACall()
+      or
+      this = elementTreeInstance().getMember("parse").getACall()
     }
 
     override DataFlow::Node getAnInput() {
@@ -3321,6 +3333,8 @@ private module StdlibPrivate {
             .getMember("ElementTree")
             .getMember(["parse", "iterparse"])
             .getACall()
+      or
+      this = elementTreeInstance().getMember("parse").getACall()
       // I considered whether we should try to reduce FPs from people passing file-like
       // objects, which will not be a file system access (and couldn't cause a
       // path-injection).
diff --git a/python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py b/python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py
@@ -10,7 +10,7 @@
 root.findtext(match, default=None, namespaces=ns)  # $ getXPath=match
 
 tree = ET.ElementTree()
-tree.parse("index.xhtml")
+tree.parse("index.xhtml") # $ decodeFormat=XML decodeInput="index.xhtml" decodeOutput=tree.parse(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' getAPathArgument="index.xhtml"
 
 tree.find(match, namespaces=ns)  # $ getXPath=match
 tree.findall(match, namespaces=ns)  # $ getXPath=match
@@ -19,4 +19,4 @@
 parser = ET.XMLParser()
 parser.feed("<foo>bar</foo>") # $ decodeFormat=XML decodeInput="<foo>bar</foo>" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
 tree = parser.close() # $ decodeOutput=parser.close()
-tree.find(match, namespaces=ns)  # $ MISSING: getXPath=match
+tree.find(match, namespaces=ns)  # $ getXPath=match
diff --git a/python/ql/test/library-tests/frameworks/stdlib/xml_etree.py b/python/ql/test/library-tests/frameworks/stdlib/xml_etree.py
@@ -23,8 +23,8 @@
 xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=xml.etree.ElementTree.iterparse(..) getAPathArgument=StringIO(..)
 
 tree = xml.etree.ElementTree.ElementTree()
-tree.parse("file.xml") # $ MISSING: decodeFormat=XML decodeInput="file.xml" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
-tree.parse(source="file.xml") # $ MISSING: decodeFormat=XML decodeInput="file.xml" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
+tree.parse("file.xml") # $ decodeFormat=XML decodeInput="file.xml" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
+tree.parse(source="file.xml") # $ decodeFormat=XML decodeInput="file.xml" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
 
 
 # With parsers (no options available to disable/enable security features)
