Merge pull request #9019 from geoffw0/xxe4

MathiasVP · web-flow · commit 6f9752ead1d6 · 2022-05-05T10:59:40.000+01:00
C++: More XXE Tests
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-611/XXE.expected
@@ -1,33 +1,32 @@
 edges
 | tests2.cpp:20:17:20:31 | SAXParser output argument | tests2.cpp:22:2:22:2 | p |
 | tests2.cpp:33:17:33:31 | SAXParser output argument | tests2.cpp:37:2:37:2 | p |
-| tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p |
-| tests.cpp:46:23:46:43 | XercesDOMParser output argument | tests.cpp:49:2:49:2 | p |
-| tests.cpp:53:19:53:19 | VariableAddress [post update] | tests.cpp:55:2:55:2 | p |
-| tests.cpp:53:23:53:43 | XercesDOMParser output argument | tests.cpp:53:19:53:19 | VariableAddress [post update] |
+| tests.cpp:15:23:15:43 | XercesDOMParser output argument | tests.cpp:17:2:17:2 | p |
+| tests.cpp:28:23:28:43 | XercesDOMParser output argument | tests.cpp:31:2:31:2 | p |
+| tests.cpp:35:19:35:19 | VariableAddress [post update] | tests.cpp:37:2:37:2 | p |
+| tests.cpp:35:23:35:43 | XercesDOMParser output argument | tests.cpp:35:19:35:19 | VariableAddress [post update] |
+| tests.cpp:37:2:37:2 | p | tests.cpp:38:2:38:2 | p |
+| tests.cpp:38:2:38:2 | p | tests.cpp:39:2:39:2 | p |
+| tests.cpp:51:19:51:19 | VariableAddress [post update] | tests.cpp:53:2:53:2 | p |
+| tests.cpp:51:23:51:43 | XercesDOMParser output argument | tests.cpp:51:19:51:19 | VariableAddress [post update] |
+| tests.cpp:53:2:53:2 | p | tests.cpp:54:2:54:2 | p |
+| tests.cpp:54:2:54:2 | p | tests.cpp:55:2:55:2 | p |
+| tests.cpp:55:2:55:2 | p | tests.cpp:56:2:56:2 | p |
 | tests.cpp:55:2:55:2 | p | tests.cpp:56:2:56:2 | p |
 | tests.cpp:56:2:56:2 | p | tests.cpp:57:2:57:2 | p |
-| tests.cpp:69:19:69:19 | VariableAddress [post update] | tests.cpp:71:2:71:2 | p |
-| tests.cpp:69:23:69:43 | XercesDOMParser output argument | tests.cpp:69:19:69:19 | VariableAddress [post update] |
-| tests.cpp:71:2:71:2 | p | tests.cpp:72:2:72:2 | p |
-| tests.cpp:72:2:72:2 | p | tests.cpp:73:2:73:2 | p |
-| tests.cpp:73:2:73:2 | p | tests.cpp:74:2:74:2 | p |
-| tests.cpp:73:2:73:2 | p | tests.cpp:74:2:74:2 | p |
-| tests.cpp:74:2:74:2 | p | tests.cpp:75:2:75:2 | p |
-| tests.cpp:75:2:75:2 | p | tests.cpp:76:2:76:2 | p |
-| tests.cpp:76:2:76:2 | p | tests.cpp:77:2:77:2 | p |
-| tests.cpp:77:2:77:2 | p | tests.cpp:78:2:78:2 | p |
-| tests.cpp:84:23:84:43 | XercesDOMParser output argument | tests.cpp:87:2:87:2 | p |
-| tests.cpp:91:23:91:43 | XercesDOMParser output argument | tests.cpp:98:2:98:2 | p |
-| tests.cpp:103:24:103:44 | XercesDOMParser output argument | tests.cpp:106:3:106:3 | q |
-| tests.cpp:118:24:118:44 | XercesDOMParser output argument | tests.cpp:122:3:122:3 | q |
-| tests.cpp:130:39:130:39 | p | tests.cpp:131:2:131:2 | p |
-| tests.cpp:134:39:134:39 | p | tests.cpp:135:2:135:2 | p |
-| tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:144:18:144:18 | q |
-| tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:146:18:146:18 | q |
-| tests.cpp:144:18:144:18 | q | tests.cpp:130:39:130:39 | p |
-| tests.cpp:146:18:146:18 | q | tests.cpp:134:39:134:39 | p |
-| tests.cpp:150:19:150:32 | call to createLSParser | tests.cpp:152:2:152:2 | p |
+| tests.cpp:57:2:57:2 | p | tests.cpp:58:2:58:2 | p |
+| tests.cpp:58:2:58:2 | p | tests.cpp:59:2:59:2 | p |
+| tests.cpp:59:2:59:2 | p | tests.cpp:60:2:60:2 | p |
+| tests.cpp:66:23:66:43 | XercesDOMParser output argument | tests.cpp:69:2:69:2 | p |
+| tests.cpp:73:23:73:43 | XercesDOMParser output argument | tests.cpp:80:2:80:2 | p |
+| tests.cpp:85:24:85:44 | XercesDOMParser output argument | tests.cpp:88:3:88:3 | q |
+| tests.cpp:100:24:100:44 | XercesDOMParser output argument | tests.cpp:104:3:104:3 | q |
+| tests.cpp:112:39:112:39 | p | tests.cpp:113:2:113:2 | p |
+| tests.cpp:116:39:116:39 | p | tests.cpp:117:2:117:2 | p |
+| tests.cpp:122:23:122:43 | XercesDOMParser output argument | tests.cpp:126:18:126:18 | q |
+| tests.cpp:122:23:122:43 | XercesDOMParser output argument | tests.cpp:128:18:128:18 | q |
+| tests.cpp:126:18:126:18 | q | tests.cpp:112:39:112:39 | p |
+| tests.cpp:128:18:128:18 | q | tests.cpp:116:39:116:39 | p |
 nodes
 | tests2.cpp:20:17:20:31 | SAXParser output argument | semmle.label | SAXParser output argument |
 | tests2.cpp:22:2:22:2 | p | semmle.label | p |
@@ -38,43 +37,41 @@ nodes
 | tests4.cpp:46:34:46:68 | ... \| ... | semmle.label | ... \| ... |
 | tests4.cpp:77:34:77:38 | flags | semmle.label | flags |
 | tests4.cpp:130:39:130:55 | (int)... | semmle.label | (int)... |
-| tests.cpp:33:23:33:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:35:2:35:2 | p | semmle.label | p |
-| tests.cpp:46:23:46:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:49:2:49:2 | p | semmle.label | p |
-| tests.cpp:53:19:53:19 | VariableAddress [post update] | semmle.label | VariableAddress [post update] |
-| tests.cpp:53:23:53:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:15:23:15:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:17:2:17:2 | p | semmle.label | p |
+| tests.cpp:28:23:28:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:31:2:31:2 | p | semmle.label | p |
+| tests.cpp:35:19:35:19 | VariableAddress [post update] | semmle.label | VariableAddress [post update] |
+| tests.cpp:35:23:35:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:37:2:37:2 | p | semmle.label | p |
+| tests.cpp:38:2:38:2 | p | semmle.label | p |
+| tests.cpp:39:2:39:2 | p | semmle.label | p |
+| tests.cpp:51:19:51:19 | VariableAddress [post update] | semmle.label | VariableAddress [post update] |
+| tests.cpp:51:23:51:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:53:2:53:2 | p | semmle.label | p |
+| tests.cpp:54:2:54:2 | p | semmle.label | p |
 | tests.cpp:55:2:55:2 | p | semmle.label | p |
 | tests.cpp:56:2:56:2 | p | semmle.label | p |
+| tests.cpp:56:2:56:2 | p | semmle.label | p |
 | tests.cpp:57:2:57:2 | p | semmle.label | p |
-| tests.cpp:69:19:69:19 | VariableAddress [post update] | semmle.label | VariableAddress [post update] |
-| tests.cpp:69:23:69:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:71:2:71:2 | p | semmle.label | p |
-| tests.cpp:72:2:72:2 | p | semmle.label | p |
-| tests.cpp:73:2:73:2 | p | semmle.label | p |
-| tests.cpp:74:2:74:2 | p | semmle.label | p |
-| tests.cpp:74:2:74:2 | p | semmle.label | p |
-| tests.cpp:75:2:75:2 | p | semmle.label | p |
-| tests.cpp:76:2:76:2 | p | semmle.label | p |
-| tests.cpp:77:2:77:2 | p | semmle.label | p |
-| tests.cpp:78:2:78:2 | p | semmle.label | p |
-| tests.cpp:84:23:84:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:87:2:87:2 | p | semmle.label | p |
-| tests.cpp:91:23:91:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:98:2:98:2 | p | semmle.label | p |
-| tests.cpp:103:24:103:44 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:106:3:106:3 | q | semmle.label | q |
-| tests.cpp:118:24:118:44 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:122:3:122:3 | q | semmle.label | q |
-| tests.cpp:130:39:130:39 | p | semmle.label | p |
-| tests.cpp:131:2:131:2 | p | semmle.label | p |
-| tests.cpp:134:39:134:39 | p | semmle.label | p |
-| tests.cpp:135:2:135:2 | p | semmle.label | p |
-| tests.cpp:140:23:140:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
-| tests.cpp:144:18:144:18 | q | semmle.label | q |
-| tests.cpp:146:18:146:18 | q | semmle.label | q |
-| tests.cpp:150:19:150:32 | call to createLSParser | semmle.label | call to createLSParser |
-| tests.cpp:152:2:152:2 | p | semmle.label | p |
+| tests.cpp:58:2:58:2 | p | semmle.label | p |
+| tests.cpp:59:2:59:2 | p | semmle.label | p |
+| tests.cpp:60:2:60:2 | p | semmle.label | p |
+| tests.cpp:66:23:66:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:69:2:69:2 | p | semmle.label | p |
+| tests.cpp:73:23:73:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:80:2:80:2 | p | semmle.label | p |
+| tests.cpp:85:24:85:44 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:88:3:88:3 | q | semmle.label | q |
+| tests.cpp:100:24:100:44 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:104:3:104:3 | q | semmle.label | q |
+| tests.cpp:112:39:112:39 | p | semmle.label | p |
+| tests.cpp:113:2:113:2 | p | semmle.label | p |
+| tests.cpp:116:39:116:39 | p | semmle.label | p |
+| tests.cpp:117:2:117:2 | p | semmle.label | p |
+| tests.cpp:122:23:122:43 | XercesDOMParser output argument | semmle.label | XercesDOMParser output argument |
+| tests.cpp:126:18:126:18 | q | semmle.label | q |
+| tests.cpp:128:18:128:18 | q | semmle.label | q |
 subpaths
 #select
 | tests2.cpp:22:2:22:2 | p | tests2.cpp:20:17:20:31 | SAXParser output argument | tests2.cpp:22:2:22:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests2.cpp:20:17:20:31 | SAXParser output argument | XML parser |
@@ -84,15 +81,14 @@ subpaths
 | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | tests4.cpp:46:34:46:68 | ... \| ... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:46:34:46:68 | ... \| ... | XML parser |
 | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | tests4.cpp:77:34:77:38 | flags | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:77:34:77:38 | flags | XML parser |
 | tests4.cpp:130:39:130:55 | (int)... | tests4.cpp:130:39:130:55 | (int)... | tests4.cpp:130:39:130:55 | (int)... | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests4.cpp:130:39:130:55 | (int)... | XML parser |
-| tests.cpp:35:2:35:2 | p | tests.cpp:33:23:33:43 | XercesDOMParser output argument | tests.cpp:35:2:35:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:33:23:33:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:49:2:49:2 | p | tests.cpp:46:23:46:43 | XercesDOMParser output argument | tests.cpp:49:2:49:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:46:23:46:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:57:2:57:2 | p | tests.cpp:53:23:53:43 | XercesDOMParser output argument | tests.cpp:57:2:57:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:53:23:53:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:74:2:74:2 | p | tests.cpp:69:23:69:43 | XercesDOMParser output argument | tests.cpp:74:2:74:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:69:23:69:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:78:2:78:2 | p | tests.cpp:69:23:69:43 | XercesDOMParser output argument | tests.cpp:78:2:78:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:69:23:69:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:87:2:87:2 | p | tests.cpp:84:23:84:43 | XercesDOMParser output argument | tests.cpp:87:2:87:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:84:23:84:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:98:2:98:2 | p | tests.cpp:91:23:91:43 | XercesDOMParser output argument | tests.cpp:98:2:98:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:91:23:91:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:106:3:106:3 | q | tests.cpp:103:24:103:44 | XercesDOMParser output argument | tests.cpp:106:3:106:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:103:24:103:44 | XercesDOMParser output argument | XML parser |
-| tests.cpp:122:3:122:3 | q | tests.cpp:118:24:118:44 | XercesDOMParser output argument | tests.cpp:122:3:122:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:118:24:118:44 | XercesDOMParser output argument | XML parser |
-| tests.cpp:131:2:131:2 | p | tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:131:2:131:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:140:23:140:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:135:2:135:2 | p | tests.cpp:140:23:140:43 | XercesDOMParser output argument | tests.cpp:135:2:135:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:140:23:140:43 | XercesDOMParser output argument | XML parser |
-| tests.cpp:152:2:152:2 | p | tests.cpp:150:19:150:32 | call to createLSParser | tests.cpp:152:2:152:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:150:19:150:32 | call to createLSParser | XML parser |
+| tests.cpp:17:2:17:2 | p | tests.cpp:15:23:15:43 | XercesDOMParser output argument | tests.cpp:17:2:17:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:15:23:15:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:31:2:31:2 | p | tests.cpp:28:23:28:43 | XercesDOMParser output argument | tests.cpp:31:2:31:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:28:23:28:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:39:2:39:2 | p | tests.cpp:35:23:35:43 | XercesDOMParser output argument | tests.cpp:39:2:39:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:35:23:35:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:56:2:56:2 | p | tests.cpp:51:23:51:43 | XercesDOMParser output argument | tests.cpp:56:2:56:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:60:2:60:2 | p | tests.cpp:51:23:51:43 | XercesDOMParser output argument | tests.cpp:60:2:60:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:51:23:51:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:69:2:69:2 | p | tests.cpp:66:23:66:43 | XercesDOMParser output argument | tests.cpp:69:2:69:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:66:23:66:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:80:2:80:2 | p | tests.cpp:73:23:73:43 | XercesDOMParser output argument | tests.cpp:80:2:80:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:73:23:73:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:88:3:88:3 | q | tests.cpp:85:24:85:44 | XercesDOMParser output argument | tests.cpp:88:3:88:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:85:24:85:44 | XercesDOMParser output argument | XML parser |
+| tests.cpp:104:3:104:3 | q | tests.cpp:100:24:100:44 | XercesDOMParser output argument | tests.cpp:104:3:104:3 | q | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:100:24:100:44 | XercesDOMParser output argument | XML parser |
+| tests.cpp:113:2:113:2 | p | tests.cpp:122:23:122:43 | XercesDOMParser output argument | tests.cpp:113:2:113:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | XercesDOMParser output argument | XML parser |
+| tests.cpp:117:2:117:2 | p | tests.cpp:122:23:122:43 | XercesDOMParser output argument | tests.cpp:117:2:117:2 | p | This $@ is not configured to prevent an XML external entity (XXE) attack. | tests.cpp:122:23:122:43 | XercesDOMParser output argument | XML parser |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.cpp
@@ -1,32 +1,14 @@
-// test cases for rule CWE-611
+// test cases for rule CWE-611 (XercesDOMParser)
 
 #include "tests.h"
 
 // ---
 
-
-
-
-class AbstractDOMParser {
-public:
-	AbstractDOMParser();
-
-	void setDisableDefaultEntityResolution(bool); // default is false
-	void setCreateEntityReferenceNodes(bool); // default is true
-	void setSecurityManager(SecurityManager *const manager);
-	void parse(const InputSource &data);
-};
-
 class XercesDOMParser: public AbstractDOMParser {
 public:
 	XercesDOMParser();
 };
 
-class DOMLSParser : public AbstractDOMParser {
-};
-
-DOMLSParser *createLSParser();
-
 // ---
 
 void test1(InputSource &data) {
@@ -145,26 +127,3 @@ void test10(InputSource &data) {
 	test10_doParseC(p, data);
 	test10_doParseC(q, data);
 }
-
-void test11(InputSource &data) {
-	DOMLSParser *p = createLSParser();
-
-	p->parse(data); // BAD (parser not correctly configured)
-}
-
-void test12(InputSource &data) {
-	DOMLSParser *p = createLSParser();
-
-	p->setDisableDefaultEntityResolution(true);
-	p->parse(data); // GOOD
-}
-
-DOMLSParser *g_p1 = createLSParser();
-DOMLSParser *g_p2 = createLSParser();
-InputSource *g_data;
-
-void test13() {
-	g_p1->setDisableDefaultEntityResolution(true);
-	g_p1->parse(*g_data); // GOOD
-	g_p2->parse(*g_data); // BAD (parser not correctly configured) [NOT DETECTED]
-}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.h b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests.h
@@ -1,6 +1,25 @@
 // library/common functions for rule CWE-611
 
+#define NULL (0)
+
 class SecurityManager;
 class InputSource;
 
-#define NULL (0)
+class AbstractDOMParser {
+public:
+	AbstractDOMParser();
+
+	void setDisableDefaultEntityResolution(bool); // default is false
+	void setCreateEntityReferenceNodes(bool); // default is true
+	void setSecurityManager(SecurityManager *const manager);
+	void parse(const InputSource &data);
+};
+
+typedef unsigned int XMLCh;
+
+class XMLUni
+{
+public:
+	static const XMLCh fgXercesDisableDefaultEntityResolution[];
+};
+
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests2.cpp
@@ -1,4 +1,4 @@
-// test cases for rule CWE-611
+// test cases for rule CWE-611 (SAXParser)
 
 #include "tests.h"
 
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests3.cpp
@@ -0,0 +1,57 @@
+// test cases for rule CWE-611 (SAX2XMLReader)
+
+#include "tests.h"
+
+// ---
+
+class SAX2XMLReader
+{
+public:
+	void setFeature(const XMLCh *feature, bool value);
+	void parse(const InputSource &data);
+};
+
+class XMLReaderFactory
+{
+public:
+	static SAX2XMLReader *createXMLReader();
+};
+
+// ---
+
+void test3_1(InputSource &data) {
+	SAX2XMLReader *p = XMLReaderFactory::createXMLReader();
+
+	p->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
+}
+
+void test3_2(InputSource &data) {
+	SAX2XMLReader *p = XMLReaderFactory::createXMLReader();
+
+	p->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
+	p->parse(data); // GOOD
+}
+
+SAX2XMLReader *p_3_3 = XMLReaderFactory::createXMLReader();
+
+void test3_3(InputSource &data) {
+	p_3_3->parse(data); // BAD (parser not correctly configured) [NOT DETECTED]
+}
+
+SAX2XMLReader *p_3_4 = XMLReaderFactory::createXMLReader();
+
+void test3_4(InputSource &data) {
+	p_3_4->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
+	p_3_4->parse(data); // GOOD
+}
+
+SAX2XMLReader *p_3_5 = XMLReaderFactory::createXMLReader();
+
+void test3_5_init() {
+	p_3_5->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
+}
+
+void test3_5(InputSource &data) {
+	test3_5_init();
+	p_3_5->parse(data); // GOOD
+}
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-611/tests5.cpp

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// test cases for rule CWE-611`
	`1`	`+// test cases for rule CWE-611 (SAXParser)`
`2`	`2`
`3`	`3`	`#include "tests.h"`
`4`	`4`