@@ -182,26 +182,35 @@ private module Xml {
182182 }
183183
184184 /**
185- * Gets a call to:
186- * * `lxml.etree.XMLParser`
187- * * `lxml.etree.get_default_parser`
188- *
189- * Given the following example:
185+ * A call to `lxml.etree.get_default_parser`.
190186 *
191- * ```py
192- * lxml.etree.XMLParser()
193- * ```
187+ * See https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.get_default_parser
188+ */
189+ private class LXMLDefaultParser extends DataFlow:: CallCfgNode , XML:: XMLParser:: Range {
190+ LXMLDefaultParser ( ) {
191+ this = API:: moduleImport ( "lxml" ) .getMember ( "etree" ) .getMember ( "get_default_parser" ) .getACall ( )
192+ }
193+
194+ override DataFlow:: Node getAnInput ( ) { none ( ) }
195+
196+ override predicate vulnerable ( XML:: XMLVulnerabilityKind kind ) {
197+ // as highlighted by
198+ // https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
199+ // by default XXE is allow. so as long as the default parser has not been
200+ // overridden, the result is also vuln to XXE.
201+ kind .isXxe ( )
202+ // TODO: take into account that you can override the default parser with `lxml.etree.get_default_parser`.
203+ }
204+ }
205+
206+ /**
207+ * A call to `lxml.etree.XMLParser`.
194208 *
195- * * `this` would be `lxml.etree.XMLParser(resolve_entities=False)`.
196- * * `vulnerable(kind)`'s `kind` would be `XXE`
209+ * See https://lxml.de/apidoc/lxml.etree.html?highlight=xmlparser#lxml.etree.XMLParser
197210 */
198211 private class LXMLParser extends DataFlow:: CallCfgNode , XML:: XMLParser:: Range {
199212 LXMLParser ( ) {
200- this =
201- API:: moduleImport ( "lxml" )
202- .getMember ( "etree" )
203- .getMember ( [ "XMLParser" , "get_default_parser" ] )
204- .getACall ( )
213+ this = API:: moduleImport ( "lxml" ) .getMember ( "etree" ) .getMember ( "XMLParser" ) .getACall ( )
205214 }
206215
207216 override DataFlow:: Node getAnInput ( ) { none ( ) }
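Review bot: The TODO in LXMLDefaultParser.vulnerable names the wrong API: the default parser is replaced with `lxml.etree.set_default_parser`, while `get_default_parser` (the call this class models) only reads it, so the comment as written points a future maintainer at a no-op. I would change it to `// TODO: take into account that the default parser can be replaced via \`lxml.etree.set_default_parser\`, e.g. with a parser constructed with \`resolve_entities=False\`.`. While there, the explanatory comment above `kind .isXxe ( )` should read "by default XXE is allowed (lxml's parser defaults to `resolve_entities=True`), so as long as the default parser has not been overridden, the result is also vulnerable to XXE", which also makes explicit why the class reports XXE unconditionally. The LXMLParser class at the end of the hunk continues past its last line.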