Refactored XXE remediation (#391)

This change introduces more features into XXE protection.

* Refactored to make it easier to extend and test
* Added more protection cases
* Added more tests
* Added a generic reporter for cases where you could fix from multiple
APIs

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/SonarXXECodemod.java

@@ -6,6 +6,7 @@
 import io.codemodder.providers.sonar.ProvidedSonarScan;
 import io.codemodder.providers.sonar.RuleIssue;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.GenericVulnerabilityReporterStrategies;
 import io.codemodder.remediation.xxe.XXEJavaRemediatorStrategy;
 import io.codemodder.sonar.model.Issue;
 import io.codemodder.sonar.model.SonarFinding;
@@ -25,9 +26,7 @@ public final class SonarXXECodemod extends SonarRemediatingJavaParserChanger {
 
   @Inject
   public SonarXXECodemod(@ProvidedSonarScan(ruleId = "java:S2755") final RuleIssue issues) {
-    super(
-        CodemodReporterStrategy.fromClasspathDirectory(SonarXXECodemod.class, "xxe-generic"),
-        issues);
+    super(GenericVulnerabilityReporterStrategies.xxeReporterStrategy, issues);
     this.issues = Objects.requireNonNull(issues);
     this.remediationStrategy = XXEJavaRemediatorStrategy.DEFAULT;
   }

core-codemods/src/test/java/io/codemodder/remediation/xxe/DefaultXXEJavaRemediatorStrategyTest.java

@@ -0,0 +1,13 @@
+package io.codemodder.remediation;
+
+import io.codemodder.CodeChanger;
+import io.codemodder.CodemodReporterStrategy;
+
+/** Reporter strategies that are useful without mentioning specific APIs. */
+public final class GenericVulnerabilityReporterStrategies {
+
+  private GenericVulnerabilityReporterStrategies() {}
+
+  public static final CodemodReporterStrategy xxeReporterStrategy =
+      CodemodReporterStrategy.fromClasspathDirectory(CodeChanger.class, "/reports/xxe-generic");
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/GenericVulnerabilityReporterStrategies.java

@@ -18,6 +18,7 @@ final class DefaultXXEJavaRemediatorStrategy implements XXEJavaRemediatorStrateg
     this.fixers =
         List.of(
             new DocumentBuilderFactoryAndSAXParserAtCreationFixer(),
+            new DocumentBuilderFactoryAtParseFixer(),
             new TransformerFactoryAtCreationFixer(),
             new XMLReaderAtParseFixer());
   }
@@ -41,7 +42,7 @@ public <T> CodemodFileScanningResult remediateAll(
       int line = getLine.apply(issue);
       Integer column = getColumn.apply(issue);
       for (XXEFixer fixer : fixers) {
-        XXEFixAttempt fixAttempt = fixer.tryFix(issue, line, column, cu);
+        XXEFixAttempt fixAttempt = fixer.tryFix(line, column, cu);
         if (!fixAttempt.isResponsibleFixer()) {
           continue;
         }

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DefaultXXEJavaRemediatorStrategy.java

@@ -20,8 +20,7 @@
 final class DocumentBuilderFactoryAndSAXParserAtCreationFixer implements XXEFixer {
 
   @Override
-  public <T> XXEFixAttempt tryFix(
-      final T issue, final int line, final Integer column, CompilationUnit cu) {
+  public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUnit cu) {
     List<MethodCallExpr> candidateMethods =
         ASTs.findMethodCallsWhichAreAssignedToType(
             cu, line, column, "newInstance", List.of("DocumentBuilderFactory", "SAXParserFactory"));

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAndSAXParserAtCreationFixer.java

@@ -0,0 +1,114 @@
+package io.codemodder.remediation.xxe;
+
+import static io.codemodder.remediation.RemediationMessages.multipleCallsFound;
+import static io.codemodder.remediation.RemediationMessages.noCallsAtThatLocation;
+
+import com.github.javaparser.Position;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.body.MethodDeclaration;
+import com.github.javaparser.ast.body.Parameter;
+import com.github.javaparser.ast.body.VariableDeclarator;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.nodeTypes.NodeWithType;
+import com.github.javaparser.ast.stmt.Statement;
+import io.codemodder.ast.ASTs;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+/** Fix XXEs that are reported at the DocumentBuilder.parse() call locations. */
+final class DocumentBuilderFactoryAtParseFixer implements XXEFixer {
+
+  @Override
+  public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUnit cu) {
+    List<MethodCallExpr> candidateMethods =
+        cu.findAll(MethodCallExpr.class).stream()
+            .filter(m -> "parse".equals(m.getNameAsString()))
+            .filter(m -> m.getScope().isPresent())
+            .filter(m -> m.getScope().get().isNameExpr())
+            .filter(m -> m.getRange().isPresent() && m.getRange().get().begin.line == line)
+            .toList();
+
+    if (candidateMethods.size() > 1 && column != null) {
+      candidateMethods =
+          candidateMethods.stream()
+              .filter(m -> m.getRange().get().contains(new Position(line, column)))
+              .toList();
+    }
+
+    if (candidateMethods.isEmpty()) {
+      return new XXEFixAttempt(false, false, noCallsAtThatLocation);
+    } else if (candidateMethods.size() > 1) {
+      return new XXEFixAttempt(false, false, multipleCallsFound);
+    }
+
+    // find the variable that we're calling parse() on
+    MethodCallExpr parseCall = candidateMethods.get(0);
+
+    // we know from the filter that it's scope is a name expression
+    NameExpr documentBuilder = parseCall.getScope().get().asNameExpr();
+
+    // so, we need to see if we can see the DocumentBuilderFactory from whence this came
+    Optional<MethodDeclaration> methodBody = ASTs.findMethodBodyFrom(documentBuilder);
+    if (methodBody.isEmpty()) {
+      return new XXEFixAttempt(false, false, "No method body found for the call");
+    }
+
+    Optional<Node> documentBuilderAssignment =
+        ASTs.findNonCallableSimpleNameSource(documentBuilder.getName());
+    if (documentBuilderAssignment.isEmpty()) {
+      return new XXEFixAttempt(false, false, "No assignment found for the DocumentBuilder");
+    }
+    Node parserAssignmentNode = documentBuilderAssignment.get();
+    if (!(parserAssignmentNode instanceof NodeWithType<?, ?>)) {
+      return new XXEFixAttempt(false, false, "Unknown DocumentBuilder assignment");
+    }
+    String parserType = ((NodeWithType<?, ?>) parserAssignmentNode).getTypeAsString();
+    if (!Set.of("DocumentBuilder", "javax.xml.parsers.DocumentBuilder").contains(parserType)) {
+      return new XXEFixAttempt(false, false, "Parsing method is not a DocumentBuilder");
+    }
+
+    if (parserAssignmentNode instanceof VariableDeclarator dbVar) {
+      Optional<Expression> initializer = dbVar.getInitializer();
+      if (initializer.isEmpty()) {
+        return new XXEFixAttempt(
+            false, false, "DocumentBuilder was not initialized in an expected way");
+      } else if (!(initializer.get() instanceof MethodCallExpr)) {
+        return new XXEFixAttempt(
+            false, false, "DocumentBuilder was not initialized with a factory call");
+      }
+      MethodCallExpr potentialFactoryCall = (MethodCallExpr) initializer.get();
+      if (!"newDocumentBuilder".equals(potentialFactoryCall.getNameAsString())) {
+        return new XXEFixAttempt(
+            false, false, "DocumentBuilder was initialized with newDocumentBuilder");
+      }
+      if (potentialFactoryCall.getScope().isEmpty()) {
+        return new XXEFixAttempt(
+            true, false, "DocumentBuilder was initialized with a factory call without a scope");
+      }
+      if (!(potentialFactoryCall.getScope().get() instanceof NameExpr)) {
+        return new XXEFixAttempt(
+            false,
+            false,
+            "DocumentBuilder was initialized with a factory call with a non-name scope");
+      }
+      NameExpr factoryNameExpr = (NameExpr) potentialFactoryCall.getScope().get();
+      Optional<Statement> newDocumentBuilderStatement = ASTs.findParentStatementFrom(dbVar);
+      if (newDocumentBuilderStatement.isEmpty()) {
+        return new XXEFixAttempt(
+            false,
+            false,
+            "DocumentBuilder was initialized with a factory call without a statement");
+      }
+      return XMLFeatures.addFeatureDisablingStatements(
+          cu, factoryNameExpr, newDocumentBuilderStatement.get(), true);
+    } else if (parserAssignmentNode instanceof Parameter) {
+      return new XXEFixAttempt(true, false, "DocumentBuilder came from outside the method scope");
+    }
+
+    return new XXEFixAttempt(true, false, "DocumentBuilder was not initialized in an expected way");
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAtParseFixer.java

@@ -23,8 +23,7 @@
 final class TransformerFactoryAtCreationFixer implements XXEFixer {
 
   @Override
-  public <T> XXEFixAttempt tryFix(
-      final T issue, final int line, final Integer column, CompilationUnit cu) {
+  public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUnit cu) {
     List<MethodCallExpr> candidateMethods =
         ASTs.findMethodCallsWhichAreAssignedToType(
             cu, line, column, "newInstance", List.of("TransformerFactory"));

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/TransformerFactoryAtCreationFixer.java

@@ -20,8 +20,7 @@
 final class XMLReaderAtParseFixer implements XXEFixer {
 
   @Override
-  public <T> XXEFixAttempt tryFix(
-      final T issue, final int line, final Integer column, final CompilationUnit cu) {
+  public XXEFixAttempt tryFix(final int line, final Integer column, final CompilationUnit cu) {
     List<MethodCallExpr> candidateMethods =
         cu.findAll(MethodCallExpr.class).stream()
             .filter(m -> "parse".equals(m.getNameAsString()))

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XMLReaderAtParseFixer.java

@@ -6,5 +6,5 @@
 interface XXEFixer {
 
   /** A provider (for a given XML API) attempts to fix the given issue. */
-  <T> XXEFixAttempt tryFix(T issue, int line, Integer column, CompilationUnit cu);
+  XXEFixAttempt tryFix(int line, Integer column, CompilationUnit cu);
 }