Python: Fix huge_tree modeling

RasmusWL · RasmusWL · commit f0131afc5449 · 2022-03-04T10:16:28.000+01:00
diff --git a/python/ql/src/experimental/semmle/python/frameworks/Xml.qll b/python/ql/src/experimental/semmle/python/frameworks/Xml.qll
@@ -341,7 +341,8 @@ private module Lxml {
         )
         or
         (kind.isBillionLaughs() or kind.isQuadraticBlowup()) and
-        this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t)
+        this.getArgByName("huge_tree").getALocalSource().asExpr() = any(True t) and
+        not this.getArgByName("resolve_entities").getALocalSource().asExpr() = any(False t)
         or
         kind.isDtdRetrieval() and
         this.getArgByName("load_dtd").getALocalSource().asExpr() = any(True t) and
diff --git a/python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py b/python/ql/test/experimental/library-tests/frameworks/XML/lxml_etree.py
@@ -47,7 +47,7 @@
 
 # Safe for both Billion laughs and XXE
 parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True)
-lxml.etree.fromstring(x, parser=parser) # $ input=x SPURIOUS: vuln='Billion Laughs' vuln='Quadratic Blowup'
+lxml.etree.fromstring(x, parser=parser) # $ input=x
 
 # DTD retrival vuln (also XXE)
 parser = lxml.etree.XMLParser(load_dtd=True, no_network=False)
