Skip to content

Commit 61e873d

Browse files
committed
Polish tests
1 parent 0d2646f commit 61e873d

2 files changed

Lines changed: 39 additions & 29 deletions

File tree

python/ql/test/experimental/query-tests/Security/CWE-611/general.py

Lines changed: 37 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -10,49 +10,64 @@
1010

1111
app = Flask(__name__)
1212

13+
# xml_content = '<?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>'
1314

14-
@app.route("/XMLParser-Empty&xml.etree.ElementTree.fromstring")
15-
def test1():
16-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
15+
16+
@app.route("/lxml.etree.fromstring")
17+
def lxml_fromstring():
1718
xml_content = request.args['xml_content']
1819

19-
parser = lxml.etree.XMLParser()
20-
# 'root...'
21-
return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
20+
return lxml.etree.fromstring(xml_content).text
21+
22+
23+
@app.route("/lxml.etree.XML")
24+
def lxml_XML():
25+
xml_content = request.args['xml_content']
26+
27+
return lxml.etree.XML(xml_content).text
28+
29+
30+
@app.route("/lxml.etree.parse")
31+
def lxml_parse():
32+
xml_content = request.args['xml_content']
33+
34+
return lxml.etree.parse(StringIO(xml_content)).text
2235

2336

24-
@app.route("/XMLParser-Empty&xml.etree.ElementTree.parse")
37+
@app.route("/xmltodict.parse")
38+
def xmltodict_parse():
39+
xml_content = request.args['xml_content']
40+
41+
return xmltodict.parse(xml_content, disable_entities=False)
42+
43+
44+
@app.route("/lxml.etree.XMLParser+lxml.etree.fromstring")
2545
def test1():
26-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
2746
xml_content = request.args['xml_content']
2847

2948
parser = lxml.etree.XMLParser()
30-
# 'jorgectf'
31-
return xml.etree.ElementTree.parse(StringIO(xml_content), parser=parser).getroot().text
49+
return lxml.etree.fromstring(xml_content, parser=parser).text
3250

3351

34-
@app.route("/XMLParser-Empty&lxml.etree.fromstring")
52+
@app.route("/lxml.etree.get_default_parser+lxml.etree.fromstring")
3553
def test1():
36-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
3754
xml_content = request.args['xml_content']
3855

39-
parser = lxml.etree.XMLParser()
40-
return lxml.etree.fromstring(xml_content, parser=parser).text # 'jorgectf'
56+
parser = lxml.etree.get_default_parser()
57+
return lxml.etree.fromstring(xml_content, parser=parser).text
4158

4259

43-
@app.route("/XMLParser-Empty&xml.etree.parse")
60+
@app.route("/lxml.etree.XMLParser+xml.etree.ElementTree.fromstring")
4461
def test1():
45-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
4662
xml_content = request.args['xml_content']
4763

4864
parser = lxml.etree.XMLParser()
49-
# 'jorgectf'
50-
return lxml.etree.parse(StringIO(xml_content), parser=parser).getroot().text
65+
return xml.etree.ElementTree.fromstring(xml_content, parser=parser).text
5166

5267

53-
@app.route("/xmltodict-disable_entities_False")
54-
def test2():
55-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
68+
@app.route("/lxml.etree.XMLParser+xml.etree.ElementTree.parse")
69+
def test1():
5670
xml_content = request.args['xml_content']
5771

58-
return xmltodict.parse(xml_content, disable_entities=False)
72+
parser = lxml.etree.XMLParser()
73+
return xml.etree.ElementTree.parse(StringIO(xml_content), parser=parser).getroot().text

python/ql/test/experimental/query-tests/Security/CWE-611/xml_sax_make_parser.py

Lines changed: 2 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -2,11 +2,10 @@
22
from io import StringIO
33
import xml.sax
44

5+
# xml_content = '<?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>'
56

67
app = Flask(__name__)
78

8-
# https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges
9-
109

1110
class MainHandler(xml.sax.ContentHandler):
1211
def __init__(self):
@@ -24,15 +23,13 @@ def parse(self, f):
2423

2524
@app.route("/MainHandler")
2625
def test1():
27-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
2826
xml_content = request.args['xml_content']
2927

3028
return MainHandler().parse(StringIO(xml_content))
3129

3230

3331
@app.route("/xml.sax.make_parser()+MainHandler")
3432
def test1():
35-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
3633
xml_content = request.args['xml_content']
3734

3835
BadHandler = MainHandler()
@@ -44,12 +41,12 @@ def test1():
4441

4542
@app.route("/xml.sax.make_parser()+MainHandler-xml.sax.handler.feature_external_ges_False")
4643
def test1():
47-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
4844
xml_content = request.args['xml_content']
4945

5046
BadHandler = MainHandler()
5147
parser = xml.sax.make_parser()
5248
parser.setContentHandler(BadHandler)
49+
# https://docs.python.org/3/library/xml.sax.handler.html#xml.sax.handler.feature_external_ges
5350
parser.setFeature(xml.sax.handler.feature_external_ges, False)
5451
parser.parse(StringIO(xml_content))
5552
return BadHandler._result
@@ -59,7 +56,6 @@ def test1():
5956

6057
@app.route("/xml.sax.make_parser()+MainHandler-xml.sax.handler.feature_external_ges_True")
6158
def test1():
62-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
6359
xml_content = request.args['xml_content']
6460

6561
GoodHandler = MainHandler()
@@ -72,7 +68,6 @@ def test1():
7268

7369
@app.route("/xml.sax.make_parser()+xml.dom.minidom.parse-xml.sax.handler.feature_external_ges_True")
7470
def test1():
75-
# <?xml version="1.0"?><!DOCTYPE dt [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
7671
xml_content = request.args['xml_content']
7772

7873
parser = xml.sax.make_parser()

0 commit comments

Comments
 (0)