From a7a5e62169fd6a826a3f626d99d6f8f1464bcbf0 Mon Sep 17 00:00:00 2001
From: Joe Farebrother
Date: Wed, 4 Dec 2024 11:08:49 +0000
Subject: [PATCH] Add missing qldoc
---
 python/ql/lib/semmle/python/frameworks/Lxml.qll | 15 +++++++++++++--
 .../ext/supported-threat-models.model.yml | 1 +
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/python/ql/lib/semmle/python/frameworks/Lxml.qll b/python/ql/lib/semmle/python/frameworks/Lxml.qll
index 056e1d6b68a32..4ff97867c5087 100644
--- a/python/ql/lib/semmle/python/frameworks/Lxml.qll
+++ b/python/ql/lib/semmle/python/frameworks/Lxml.qll
@@ -387,6 +387,15 @@ module Lxml {
 module ElementTree {
 API::Node classRef() { result = etreeRef().getMember("ElementTree") }
+ /**
+ * A source of instances of `lxml.etree.ElementTree` instances, extend this class to model new instances.
+ *
+ * This can include instantiations of the class, return values from function
+ * calls, or a special parameter that will be set when functions are called by an external
+ * library.
+ *
+ * Use the predicate `ElementTree::instance()` to get references to instances of `lxml.etree.ElementTree` instances.
+ */
 abstract class InstanceSource extends DataFlow::LocalSourceNode { }
 /** Gets a reference to an `lxml.etree.ElementTree` instance.` */
@@ -397,7 +406,7 @@ module Lxml {
 exists(DataFlow::TypeTracker t2 | result = instance(t2).track(t2, t))
 }
- /** Gets a reference to an `lxml.etree.ElementTree` parsers instance. */
+ /** Gets a reference to an `lxml.etree.ElementTree` instance. */
 DataFlow::Node instance() { instance(DataFlow::TypeTracker::end()).flowsTo(result) }
 /** An `ElementTree` instantiated directly. */
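Review bot: The qldoc added for `InstanceSource` in the `@@ -387,6 +387,15 @@` hunk says "instances of `lxml.etree.ElementTree` instances" in both its first and last sentence, which reads as a copy-paste slip. I would write the first line as ``* A source of `lxml.etree.ElementTree` instances; extend this class to model new instances.`` and the last as ``* Use the predicate `ElementTree::instance()` to get references to `lxml.etree.ElementTree` instances.``. The context line just below the new comment also ends in a stray backtick (``instance.` */``), which this documentation pass could fix at the same time. `module ElementTree` begins in the hunk but closes outside it.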
@@ -439,7 +448,9 @@ module Lxml {
 /** A call to serialise xml to a string */
 private class XmlEncoding extends Encoding::Range, DataFlow::CallCfgNode {
- XmlEncoding() { this = etreeRef().getMember("tostring").getACall() }
+ XmlEncoding() {
+ this = etreeRef().getMember(["tostring", "tostringlist", "tounicode"]).getACall()
+ }
 override DataFlow::Node getAnInput() {
 result = [this.getArg(0), this.getArgByName("element_or_tree")]
diff --git a/shared/threat-models/ext/supported-threat-models.model.yml b/shared/threat-models/ext/supported-threat-models.model.yml
index 59589f50f3864..dd20a30d7c97f 100644
--- a/shared/threat-models/ext/supported-threat-models.model.yml
+++ b/shared/threat-models/ext/supported-threat-models.model.yml
@@ -4,3 +4,4 @@ extensions:
 extensible: threatModelConfiguration
 data:
 - ["default", true, -2147483648] # The "default" threat model is included by default
+ - ["all", true, 1]
\ No newline at end of file
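Review bot: The widened `XmlEncoding` characteristic predicate now matches `tostringlist` and `tounicode` as well as `tostring`, but the diffstat lists no test file, so nothing in this patch exercises the two new members; a framework test with one call per function would pin the added modelling. The class qldoc still reads `/** A call to serialise xml to a string */`, although `tostringlist` yields a list of strings, so something like `/** A call that serialises an XML element or tree to a string or a list of strings. */` would match the new scope. This is a behaviour change filed under the subject "Add missing qldoc", which makes it easy to overlook when reading history. The class body continues past the end of the hunk, so the rest of `getAnInput` and any other overrides are not visible here.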
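Review bot: The added row `- ["all", true, 1]` looks like it switches on the `all` threat model for every consumer of this shared file, at a priority above the `default` row's `-2147483648`. That would change which sources queries treat as untrusted, and nothing in the subject "Add missing qldoc" suggests it was intended. If it is leftover local test configuration it should be dropped from the patch. If it is deliberate it deserves its own commit, with a comment like the one on the `default` row (for example `# Enables every threat model by default`). The row also leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows.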