Python: huge_tree tests were wrong

Nice spotted @jorgectf!

Author: RasmusWL

python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py

@@ -45,9 +45,9 @@
 parser = lxml.etree.XMLParser(huge_tree=True)
 lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup' vuln='XXE'
 
-# Billion laughs, but not XXE
+# Safe for both Billion laughs and XXE
 parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x vuln='Billion Laughs' vuln='Quadratic Blowup'
+lxml.etree.fromstring(x, parser=parser) # $ input=x SPURIOUS: vuln='Billion Laughs' vuln='Quadratic Blowup'
 
 # DTD retrival vuln (also XXE)
 parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)

python/ql/test/experimental/library-tests/frameworks/XML/poc/PoC.py

@@ -318,11 +318,21 @@ def test_billion_laughs_manually_enabled():
     @expects_timeout
     def test_quadratic_blowup_manually_enabled():
         parser = lxml.etree.XMLParser(huge_tree=True)
-        try:
-            _root = lxml.etree.fromstring(quadratic_blowup, parser=parser)
-            assert False
-        except lxml.etree.XMLSyntaxError as e:
-            assert "Detected an entity reference loop" in str(e)
+        root = lxml.etree.fromstring(quadratic_blowup, parser=parser)
+
+    @staticmethod
+    def test_billion_laughs_huge_tree_not_enough():
+        parser = lxml.etree.XMLParser(huge_tree=True, resolve_entities=False)
+        root = lxml.etree.fromstring(billion_laughs, parser=parser)
+        assert root.tag == "lolz"
+        assert root.text == None
+
+    @staticmethod
+    def test_quadratic_blowup_huge_tree_not_enough():
+        parser = lxml.etree.XMLParser(huge_tree=True, resolve_entities=False)
+        root = lxml.etree.fromstring(quadratic_blowup, parser=parser)
+        assert root.tag == "foo"
+        assert root.text == None
 
     @staticmethod
     def test_ok_xml():