feat(python): extend xxe rule

rules/python/lang/xml_external_entity_vulnerability.yml

@@ -1,10 +1,11 @@
 imports:
   - python_shared_common_external_input
+  - python_shared_lang_instance
   - python_shared_lang_import2
   - python_shared_lang_import3
 patterns:
   - pattern: |
-      $<XML_SAX>($<EXTERNAL_INPUT>)
+      $<XML_SAX>($<EXTERNAL_INPUT>$<...>)
     filters:
       - variable: XML_SAX
         detection: python_shared_lang_import2
@@ -18,12 +19,11 @@ patterns:
             values:
               - parse
               - parseString
-              - make_parser
       - variable: EXTERNAL_INPUT
         detection: python_shared_common_external_input
         scope: result
   - pattern: |
-      $<PULLDOM>($<EXTERNAL_INPUT>)
+      $<PULLDOM>($<EXTERNAL_INPUT>$<...>)
     filters:
       - variable: PULLDOM
         detection: python_shared_lang_import3

tests/python/lang/xml_external_entity_vulnerability/testdata/main.py

@@ -1,11 +1,16 @@
 # Use bearer:expected python_lang_xml_external_entity_vulnerability to flag expected findings
-from xml import sax, dom
+from xml import sax
+from xml.dom.pulldom import parse, parseString
 
 def bad(some_input):
   # bearer:expected python_lang_xml_external_entity_vulnerability
   sax.parse(some_input)
   # bearer:expected python_lang_xml_external_entity_vulnerability
-  dom.pulldom.parse(some_input)
+  parse(some_input)
+
+def bad2(some_input):
+  # bearer:expected python_lang_xml_external_entity_vulnerability
+  parseString(request.body.decode('utf-8'), parser=parser)
 
 def ok():
   sax.parse("known string")