Merge pull request diffblue#546 from diffblue/add_XXE_rules_file_for_WebGoat

SEC-633: Added rules file for XXE issues in WebGoat.

Author: marek-trtik

benchmarks/GENUINE/WebGoatRulesXXE.json

@@ -0,0 +1,51 @@
+{
+  "namespace": "com.diffblue.security",
+  "rules":
+    [
+      {
+        "comment": "Obtaining tainted XML text.",
+        "class": "Main",
+        "method": "makeTainted:(Ljava/lang/String;)Ljava/lang/String;",
+        "result": {
+          "location": "returns",
+          "taint": "Tainted XML text"
+        }
+      },
+      {
+        "comment": "Obtaining tainted string reader from tainted XML text.",
+        "class": "java.io.StringReader",
+        "method": "<init>:(Ljava/lang/String;)V",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted XML text"
+        },
+        "result": {
+          "location": "this",
+          "taint": "Tainted reader"
+        }
+      },
+      {
+        "comment": "Obtaining XML stream reader with external entities enabled for tainted XML text.",
+        "class": "javax.xml.stream.DIFFBLUEXMLInputFactory",
+        "method": "createXXEVulnerableXMLStreamReader:(Ljava/io/Reader;)Ljavax/xml/stream/XMLStreamReader;",
+        "input": {
+          "location": "arg1",
+          "taint": "Tainted reader"
+        },
+        "result": {
+          "location": "returns",
+          "taint": "Reader of tainted XML with external entities enabled"
+        }
+      },
+      {
+        "comment": "Unmarshalling an object by reading tainted XML document with external entities enabled.",
+        "class": "javax.xml.bind.Unmarshaller",
+        "method": "unmarshal:(Ljavax/xml/stream/XMLStreamReader;)Ljava/lang/Object;",
+        "sinkTarget": {
+          "location": "arg1",
+          "vulnerability": "Reader of tainted XML with external entities enabled"
+        },
+        "message": "Unmarshalling an object by reading tainted XML document with external entities enabled."
+      }
+    ]
+}