Python: Add test showing misalignment of xml.etree modeling

RasmusWL · RasmusWL · commit db43d043c4cd · 2022-03-31T11:55:46.000+02:00
diff --git a/python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py b/python/ql/test/library-tests/frameworks/stdlib/XPathExecution.py
@@ -15,3 +15,8 @@
 tree.find(match, namespaces=ns)  # $ getXPath=match
 tree.findall(match, namespaces=ns)  # $ getXPath=match
 tree.findtext(match, default=None, namespaces=ns)  # $ getXPath=match
+
+parser = ET.XMLParser()
+parser.feed("<foo>bar</foo>") # $ decodeFormat=XML decodeInput="<foo>bar</foo>" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup'
+tree = parser.close() # $ decodeOutput=parser.close()
+tree.find(match, namespaces=ns)  # $ MISSING: getXPath=match
diff --git a/python/ql/test/library-tests/frameworks/stdlib/xml_etree.py b/python/ql/test/library-tests/frameworks/stdlib/xml_etree.py
@@ -22,6 +22,10 @@
 xml.etree.ElementTree.iterparse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=xml.etree.ElementTree.iterparse(..) getAPathArgument=StringIO(..)
 xml.etree.ElementTree.iterparse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=xml.etree.ElementTree.iterparse(..) getAPathArgument=StringIO(..)
 
+tree = xml.etree.ElementTree.ElementTree()
+tree.parse("file.xml") # $ MISSING: decodeFormat=XML decodeInput="file.xml" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
+tree.parse(source="file.xml") # $ MISSING: decodeFormat=XML decodeInput="file.xml" xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' decodeOutput=tree.parse(..) getAPathArgument="file.xml"
+
 
 # With parsers (no options available to disable/enable security features)
 parser = xml.etree.ElementTree.XMLParser()
