new capacity bits (#67)

tests/fixtures/xpath_injection/python/baseline_constant_xpath.py

@@ -0,0 +1,8 @@
+# Baseline: expression is a compile-time constant.  No taint reaches
+# `tree.xpath` so no XPATH_INJECTION finding fires.
+from lxml import etree
+
+
+def lookup():
+    tree = etree.parse("users.xml")
+    return tree.xpath("//user[@role='admin']")

tests/fixtures/xpath_injection/python/safe_xpath_query.py

@@ -0,0 +1,17 @@
+# Safe: user-supplied substring routed through the project-local
+# `escape_xpath` helper before being concatenated into the XPath expression.
+# The sanitizer clears the XPATH_INJECTION cap so the sink does not fire.
+from lxml import etree
+from flask import request
+
+
+def escape_xpath(raw):
+    return raw.replace("'", "'")
+
+
+def lookup():
+    tree = etree.parse("users.xml")
+    user = request.form["user"]
+    safe = escape_xpath(user)
+    expr = "//user[name='" + safe + "']"
+    return tree.xpath(expr)

tests/fixtures/xpath_injection/python/unsafe_xpath_query.py

@@ -0,0 +1,12 @@
+# Unsafe: tainted form data concatenated into an XPath expression and passed
+# to lxml's `tree.xpath()`.  Suffix matching on `xpath` catches the
+# bound-receiver call directly.
+from lxml import etree
+from flask import request
+
+
+def lookup():
+    tree = etree.parse("users.xml")
+    user = request.form["user"]
+    expr = "//user[name='" + user + "']"
+    return tree.xpath(expr)