Build generic XSS remediator (#410)

Also included some Semgrep maintenance to make this easier to test in
downstream projects.

Author: nahsra

core-codemods/src/main/resources/io/codemodder/codemods/JSPScriptletXSSCodemod/description.md

@@ -12,7 +12,7 @@ Our changes introduce an HTML-encoding mechanism that look something like this:
 
 ```diff
 - Welcome to our site <%= request.getParameter("name") %>
-+ Welcome to our site <%= io.github.pixee.security.HtmlEncoder.encode(request.getParameter("name")) %>
++ Welcome to our site <%= org.owasp.encoder.Encode.forHtml(request.getParameter("name")) %>
 ```
 
 This change neutralizes the control characters that attackers would use to execute code. Depending on the context in which the scriptlet is rendered (e.g., inside HTML tags, HTML attributes, in JavaScript, quoted contexts, etc.), you may need to use another encoder. Check out the [OWASP XSS Prevention CheatSheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) to learn more about these cases and other controls you may need.

framework/codemodder-base/src/main/java/io/codemodder/remediation/GenericRemediationMetadata.java

@@ -6,6 +6,7 @@
 /** Reporter strategies that are useful without mentioning specific APIs. */
 public enum GenericRemediationMetadata {
   XXE("xxe"),
+  XSS("xss"),
   JNDI("jndi-injection"),
   HEADER_INJECTION("header-injection"),
   REFLECTION_INJECTION("reflection-injection"),

framework/codemodder-base/src/main/java/io/codemodder/remediation/RemediationMessages.java

@@ -12,4 +12,6 @@ public interface RemediationMessages {
   /** Multiple calls found at the given location and that may cause confusion */
   String multipleCallsFound =
       "Multiple calls found at the given location and that may cause confusion";
+
+  String ambiguousCodeShape = "Ambiguous code shape";
 }

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/DefaultXSSRemediator.java

@@ -0,0 +1,124 @@
+package io.codemodder.remediation.xss;
+
+import static java.util.stream.Collectors.groupingBy;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.CodemodChange;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.DependencyGAV;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.codetf.FixedFinding;
+import io.codemodder.codetf.UnfixedFinding;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
+
+final class DefaultXSSRemediator implements XSSRemediator {
+
+  private final List<XSSCodeShapeFixer> javaFixers;
+
+  DefaultXSSRemediator() {
+    this.javaFixers = List.of(new PrintingMethodFixer(), new NakedVariableReturnFixer());
+  }
+
+  @Override
+  public <T> CodemodFileScanningResult remediateJava(
+      final CompilationUnit cu,
+      final String path,
+      final DetectorRule detectorRule,
+      final List<T> issuesForFile,
+      final Function<T, String> getKey,
+      final Function<T, Integer> getLine,
+      final Function<T, Integer> getColumn) {
+
+    List<XSSFixGroup<T>> fixGroups = createFixGroups(issuesForFile, getLine, getColumn);
+
+    List<UnfixedFinding> unfixedFindings = new ArrayList<>();
+    List<CodemodChange> changes = new ArrayList<>();
+
+    for (XSSFixGroup<T> fixGroup : fixGroups) {
+      boolean foundResponsibleFixer = false;
+      for (XSSCodeShapeFixer javaFixer : javaFixers) {
+        XSSCodeShapeFixResult fixResult =
+            javaFixer.fixCodeShape(
+                cu, path, detectorRule, fixGroup.issues(), getKey, getLine, getColumn);
+        if (fixResult.isResponsibleFixer()) {
+          foundResponsibleFixer = true;
+          if (fixResult.isFixed()) {
+            List<FixedFinding> fixes =
+                fixGroup.issues().stream()
+                    .map(fix -> new FixedFinding(getKey.apply(fix), detectorRule))
+                    .toList();
+            changes.add(
+                CodemodChange.from(
+                    fixResult.line(), List.of(DependencyGAV.OWASP_XSS_JAVA_ENCODER), fixes));
+          } else {
+            List<UnfixedFinding> unfixed =
+                fixGroup.issues().stream()
+                    .map(
+                        fix ->
+                            new UnfixedFinding(
+                                getKey.apply(fix),
+                                detectorRule,
+                                path,
+                                fixResult.line(),
+                                fixResult.reasonNotFixed()))
+                    .toList();
+            unfixedFindings.addAll(unfixed);
+          }
+          // if this was the responsible fixer, no need to continue
+          break;
+        }
+      }
+      if (!foundResponsibleFixer) {
+        unfixedFindings.addAll(
+            fixGroup.issues().stream()
+                .map(
+                    fix ->
+                        new UnfixedFinding(
+                            getKey.apply(fix),
+                            detectorRule,
+                            path,
+                            getLine.apply(fix),
+                            "Couldn't fix that shape of code"))
+                .toList());
+      }
+    }
+    return CodemodFileScanningResult.from(changes, unfixedFindings);
+  }
+
+  /** Split the issues into fix groups that all have the same location. */
+  private <T> List<XSSFixGroup<T>> createFixGroups(
+      final List<T> issuesForFile,
+      final Function<T, Integer> getLine,
+      final Function<T, Integer> getColumn) {
+    List<XSSFixGroup<T>> fixGroups = new ArrayList<>();
+
+    Map<Integer, List<T>> fixesPerLine = issuesForFile.stream().collect(groupingBy(getLine));
+
+    // now further separate the fixes by column if it's available
+    for (Map.Entry<Integer, List<T>> entry : fixesPerLine.entrySet()) {
+      Map<Integer, List<T>> fixesPerColumn =
+          entry.getValue().stream().collect(groupingBy(getColumn));
+      for (List<T> columnFixes : fixesPerColumn.values()) {
+        fixGroups.add(new XSSFixGroup<>(columnFixes));
+      }
+    }
+
+    return List.copyOf(fixGroups);
+  }
+
+  @Override
+  public <T> CodemodFileScanningResult remediateJSP(
+      final Path filePath,
+      final String path,
+      final DetectorRule detectorRule,
+      final List<T> issuesForFile,
+      final Function<T, String> getKey,
+      final Function<T, Integer> getLine,
+      final Function<T, Integer> getColumn) {
+    return CodemodFileScanningResult.none();
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/NakedVariableReturnFixer.java

@@ -0,0 +1,54 @@
+package io.codemodder.remediation.xss;
+
+import static io.codemodder.javaparser.JavaParserTransformer.wrap;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.stmt.ReturnStmt;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.remediation.RemediationMessages;
+import java.util.List;
+import java.util.function.Function;
+
+/**
+ * Fixes a return statement that returns a {@link String} expression.
+ *
+ * <pre>{@code
+ * return foo; // should become return Encode.forHtml(foo)
+ * }</pre>
+ */
+final class NakedVariableReturnFixer implements XSSCodeShapeFixer {
+
+  @Override
+  public <T> XSSCodeShapeFixResult fixCodeShape(
+      final CompilationUnit cu,
+      final String path,
+      final DetectorRule detectorRule,
+      final List<T> issues,
+      final Function<T, String> getKey,
+      final Function<T, Integer> getLine,
+      final Function<T, Integer> getColumn) {
+    int line = getLine.apply(issues.get(0));
+    Integer column = getColumn.apply(issues.get(0));
+
+    List<ReturnStmt> matchingStatements =
+        cu.findAll(ReturnStmt.class).stream()
+            .filter(rs -> rs.getRange().isPresent())
+            .filter(rs -> rs.getRange().get().begin.line == line)
+            .filter(rs -> column == null || rs.getRange().get().begin.column == column)
+            .filter(rs -> rs.getExpression().isPresent())
+            .filter(rs -> rs.getExpression().get().isNameExpr())
+            .toList();
+
+    if (matchingStatements.isEmpty()) {
+      return new XSSCodeShapeFixResult(false, false, null, line);
+    } else if (matchingStatements.size() > 1) {
+      return new XSSCodeShapeFixResult(true, false, RemediationMessages.multipleCallsFound, line);
+    }
+
+    ReturnStmt nakedReturn = matchingStatements.get(0);
+    wrap(nakedReturn.getExpression().get())
+        .withStaticMethod("org.owasp.encoder.Encode", "forHtml", false);
+
+    return new XSSCodeShapeFixResult(true, true, null, line);
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/PrintingMethodFixer.java

@@ -0,0 +1,76 @@
+package io.codemodder.remediation.xss;
+
+import static io.codemodder.javaparser.JavaParserTransformer.wrap;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.nodeTypes.NodeWithType;
+import io.codemodder.ast.ASTs;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.remediation.RemediationMessages;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.function.Function;
+
+/**
+ * Fixes a method invocation that prints {@link String} expression.
+ *
+ * <pre>{@code
+ * out.println(foo); // should become return out.println(Encode.forHtml(foo));
+ * }</pre>
+ */
+final class PrintingMethodFixer implements XSSCodeShapeFixer {
+
+  private static final Set<String> writingMethodNames = Set.of("print", "println", "write");
+
+  @Override
+  public <T> XSSCodeShapeFixResult fixCodeShape(
+      final CompilationUnit cu,
+      final String path,
+      final DetectorRule detectorRule,
+      final List<T> issues,
+      final Function<T, String> getKey,
+      final Function<T, Integer> getLine,
+      final Function<T, Integer> getColumn) {
+    int line = getLine.apply(issues.get(0));
+    Integer column = getColumn.apply(issues.get(0));
+
+    List<MethodCallExpr> writingMethodCalls =
+        cu.findAll(MethodCallExpr.class).stream()
+            .filter(mce -> writingMethodNames.contains(mce.getNameAsString()))
+            .filter(mce -> mce.getArguments().size() == 1)
+            .filter(mce -> mce.getRange().isPresent())
+            .filter(mce -> mce.getRange().get().begin.line == line)
+            .filter(mce -> column == null || mce.getRange().get().begin.column == column)
+            .filter(
+                mce -> {
+                  Expression arg = mce.getArgument(0);
+                  if (arg instanceof NameExpr nameExpr) {
+                    Optional<Node> source =
+                        ASTs.findNonCallableSimpleNameSource(nameExpr.getName());
+                    if (source.isPresent()
+                        && source.get() instanceof NodeWithType<?, ?> typedNode) {
+                      String typeAsString = typedNode.getTypeAsString();
+                      return "String".equals(typeAsString)
+                          || "java.lang.String".equals(typeAsString);
+                    }
+                  }
+                  return false;
+                })
+            .toList();
+
+    if (writingMethodCalls.isEmpty()) {
+      return new XSSCodeShapeFixResult(false, false, null, line);
+    } else if (writingMethodCalls.size() > 1) {
+      return new XSSCodeShapeFixResult(true, false, RemediationMessages.multipleCallsFound, line);
+    }
+
+    MethodCallExpr call = writingMethodCalls.get(0);
+    wrap(call.getArgument(0)).withStaticMethod("org.owasp.encoder.Encode", "forHtml", false);
+    return new XSSCodeShapeFixResult(true, true, null, line);
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/XSSCodeShapeFixResult.java

@@ -0,0 +1,20 @@
+package io.codemodder.remediation.xss;
+
+/** The results of a fix attempt. */
+record XSSCodeShapeFixResult(
+    boolean isResponsibleFixer, boolean isFixed, String reasonNotFixed, int line) {
+  XSSCodeShapeFixResult {
+    if (!isResponsibleFixer && isFixed) {
+      throw new IllegalArgumentException("Must be responsible fixer if fixed");
+    }
+    if (isFixed && reasonNotFixed != null) {
+      throw new IllegalArgumentException("Cannot be fixed and have a reason not fixed");
+    }
+    if (isResponsibleFixer && !isFixed && reasonNotFixed == null) {
+      throw new IllegalArgumentException("Must have a reason not fixed if not fixed");
+    }
+    if (isFixed && line < 0) {
+      throw new IllegalArgumentException("Line must be positive");
+    }
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/XSSCodeShapeFixer.java

@@ -0,0 +1,31 @@
+package io.codemodder.remediation.xss;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.codetf.DetectorRule;
+import java.util.List;
+import java.util.function.Function;
+
+/** A function that can fix XSS that has a particular code shape. */
+interface XSSCodeShapeFixer {
+
+  /**
+   * Find the shape of code at this location, and fix it if it's the expected shape.
+   *
+   * @param cu the compilation unit to fix
+   * @param path the path of the file being fixed
+   * @param detectorRule the detector rule that found the issue
+   * @param fixGroup the group of issues to fix
+   * @param getKey a function to get the key of an issue
+   * @param getLine a function to get the line of an issue
+   * @param getColumn a function to get the column of an issue
+   * @return the result of the fix
+   */
+  <T> XSSCodeShapeFixResult fixCodeShape(
+      CompilationUnit cu,
+      String path,
+      DetectorRule detectorRule,
+      List<T> fixGroup,
+      Function<T, String> getKey,
+      Function<T, Integer> getLine,
+      Function<T, Integer> getColumn);
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/XSSFixGroup.java

@@ -0,0 +1,14 @@
+package io.codemodder.remediation.xss;
+
+import java.util.List;
+import java.util.Objects;
+
+/** A collection of issues that are all fixable at the same line (and column, if available). */
+record XSSFixGroup<T>(List<T> issues) {
+  XSSFixGroup {
+    Objects.requireNonNull(issues, "issues");
+    if (issues.isEmpty()) {
+      throw new IllegalArgumentException("Must have at least one issue");
+    }
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xss/XSSRemediator.java

@@ -0,0 +1,34 @@
+package io.codemodder.remediation.xss;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.codetf.DetectorRule;
+import java.nio.file.Path;
+import java.util.List;
+import java.util.function.Function;
+
+/** Remediates header injection vulnerabilities. */
+public interface XSSRemediator {
+
+  /** Remediate all header injection vulnerabilities in the given compilation unit. */
+  <T> CodemodFileScanningResult remediateJava(
+      CompilationUnit cu,
+      String path,
+      DetectorRule detectorRule,
+      List<T> issuesForFile,
+      Function<T, String> getKey,
+      Function<T, Integer> getLine,
+      Function<T, Integer> getColumn);
+
+  <T> CodemodFileScanningResult remediateJSP(
+      Path filePath,
+      String relativePath,
+      DetectorRule detectorRule,
+      List<T> issuesForFile,
+      Function<T, String> getKey,
+      Function<T, Integer> getLine,
+      Function<T, Integer> getColumn);
+
+  /** The default header injection remediation strategy. */
+  XSSRemediator DEFAULT = new DefaultXSSRemediator();
+}