C++: Turns out DOMLSParser is not an AbstractDOMParser and works a little differently than I'd thought.

Author: geoffw0

cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected

@@ -1,7 +1,6 @@
 edges
 | tests2.cpp:20:17:20:31 | SAXParser output argument | tests2.cpp:22:2:22:2 | p |
 | tests2.cpp:33:17:33:31 | SAXParser output argument | tests2.cpp:37:2:37:2 | p |
-| tests5.cpp:18:25:18:38 | call to createLSParser | tests5.cpp:20:2:20:2 | p |
 | tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p |
 | tests.cpp:46:23:46:43 | XercesDOMParser output argument | tests.cpp:49:2:49:2 | p |
 | tests.cpp:53:19:53:19 | VariableAddress [post update] | tests.cpp:55:2:55:2 | p |
@@ -33,8 +32,6 @@ nodes
 | tests2.cpp:22:2:22:2 | p | semmle.label | p |
 | tests2.cpp:33:17:33:31 | SAXParser output argument | semmle.label | SAXParser output argument |
 | tests2.cpp:37:2:37:2 | p | semmle.label | p |
-| tests5.cpp:18:25:18:38 | call to createLSParser | semmle.label | call to createLSParser |
-| tests5.cpp:20:2:20:2 | p | semmle.label | p |
 | tests.cpp:33:23:33:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
 | tests.cpp:35:2:35:2 | p | semmle.label | p |
 | tests.cpp:46:23:46:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
@@ -74,7 +71,6 @@ subpaths
 #select
 | tests2.cpp:22:2:22:2 | p | tests2.cpp:20:17:20:31 | SAXParser output argument | tests2.cpp:22:2:22:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | SAXParser output argument | XML parser |
 | tests2.cpp:37:2:37:2 | p | tests2.cpp:33:17:33:31 | SAXParser output argument | tests2.cpp:37:2:37:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:33:17:33:31 | SAXParser output argument | XML parser |
-| tests5.cpp:20:2:20:2 | p | tests5.cpp:18:25:18:38 | call to createLSParser | tests5.cpp:20:2:20:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests5.cpp:18:25:18:38 | call to createLSParser | XML parser |
 | tests.cpp:35:2:35:2 | p | tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:33:23:33:43 | XercesDOMParser output argument | XML parser |
 | tests.cpp:49:2:49:2 | p | tests.cpp:46:23:46:43 | XercesDOMParser output argument | tests.cpp:49:2:49:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:46:23:46:43 | XercesDOMParser output argument | XML parser |
 | tests.cpp:57:2:57:2 | p | tests.cpp:53:23:53:43 | XercesDOMParser output argument | tests.cpp:57:2:57:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:53:23:53:43 | XercesDOMParser output argument | XML parser |

cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp

@@ -4,7 +4,16 @@
 
 // ---
 
-class DOMLSParser : public AbstractDOMParser {
+class DOMConfiguration {
+public:
+	void setParameter(const XMLCh *parameter, bool value);
+};
+
+class DOMLSParser {
+public:
+	DOMConfiguration *getDomConfig();
+
+	void parse(const InputSource &data);
 };
 
 class DOMImplementationLS {
@@ -17,13 +26,13 @@ class DOMImplementationLS {
 void test5_1(DOMImplementationLS *impl, InputSource &data) {
 	DOMLSParser *p = impl->createLSParser();
 
-	p->parse(data); // BAD (parser not correctly configured)
+	p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
 }
 
 void test5_2(DOMImplementationLS *impl, InputSource &data) {
 	DOMLSParser *p = impl->createLSParser();
 
-	p->setDisableDefaultEntityResolution(true);
+	p->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true);
 	p->parse(data); // GOOD
 }
 
@@ -33,7 +42,7 @@ InputSource *g_data;
 
 void test5_3_init() {
 	g_p1 = g_impl->createLSParser();
-	g_p1->setDisableDefaultEntityResolution(true);
+	g_p1->getDomConfig()->setParameter(XMLUni::fgXercesDisableDefaultEntityResolution, true);
 
 	g_p2 = g_impl->createLSParser();
 }