Added XXE remediation at intermediate events (#433)

Also added tests, a. common reporter, etc.

Author: nahsra

framework/codemodder-base/src/main/java/io/codemodder/CodemodFileScanningResult.java

@@ -13,12 +13,12 @@ static CodemodFileScanningResult from(
     return new CodemodFileScanningResult() {
       @Override
       public List<CodemodChange> changes() {
-        return changes;
+        return List.copyOf(changes);
       }
 
       @Override
       public List<UnfixedFinding> unfixedFindings() {
-        return unfixedFindings;
+        return List.copyOf(unfixedFindings);
       }
     };
   }

framework/codemodder-base/src/main/java/io/codemodder/remediation/GenericRemediationMetadata.java

@@ -10,6 +10,7 @@ public enum GenericRemediationMetadata {
   JNDI("jndi-injection"),
   HEADER_INJECTION("header-injection"),
   REFLECTION_INJECTION("reflection-injection"),
+  DESERIALIZATION("java-deserialization"),
   SQL_INJECTION("sql-injection");
 
   private final CodemodReporterStrategy reporter;

framework/codemodder-base/src/main/java/io/codemodder/remediation/javadeserialization/DefaultJavaDeserializationRemediator.java

@@ -123,6 +123,8 @@ public <T> CodemodFileScanningResult remediateAll(
             .forEach(unfixedFindings::add);
       }
     }
+
+    unfixedFindings.addAll(results.unfixableFindings());
     return CodemodFileScanningResult.from(changes, unfixedFindings);
   }
 

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DefaultXXEIntermediateXMLStreamReaderRemediator.java

@@ -0,0 +1,97 @@
+package io.codemodder.remediation.xxe;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.stmt.Statement;
+import io.codemodder.CodemodChange;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.codetf.FixedFinding;
+import io.codemodder.codetf.UnfixedFinding;
+import io.codemodder.remediation.FixCandidate;
+import io.codemodder.remediation.FixCandidateSearchResults;
+import io.codemodder.remediation.FixCandidateSearcher;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import java.util.function.Function;
+
+final class DefaultXXEIntermediateXMLStreamReaderRemediator
+    implements XXEIntermediateXMLStreamReaderRemediator {
+
+  @Override
+  public <T> CodemodFileScanningResult remediateAll(
+      final CompilationUnit cu,
+      final String path,
+      final DetectorRule detectorRule,
+      final List<T> issuesForFile,
+      final Function<T, String> getKey,
+      final Function<T, Integer> getLine,
+      final Function<T, Integer> getColumn) {
+    FixCandidateSearcher<T> searcher =
+        new FixCandidateSearcher.Builder<T>()
+            .withMethodName("createXMLStreamReader")
+            .withMatcher(mce -> mce.getScope().isPresent())
+            .withMatcher(mce -> mce.getArguments().isNonEmpty())
+            .build();
+
+    FixCandidateSearchResults<T> results =
+        searcher.search(cu, path, detectorRule, issuesForFile, getKey, getLine, getColumn);
+
+    List<CodemodChange> changes = new ArrayList<>();
+    List<UnfixedFinding> unfixedFindings = new ArrayList<>();
+
+    for (FixCandidate<T> fixCandidate : results.fixCandidates()) {
+      List<T> issues = fixCandidate.issues();
+
+      // get the xmlstreamreader scope variable
+      MethodCallExpr createXMLStreamReaderCall = fixCandidate.methodCall();
+      Expression xmlStreamReaderScope = createXMLStreamReaderCall.getScope().get();
+      // make sure its a variable
+      if (!xmlStreamReaderScope.isNameExpr()) {
+        issues.stream()
+            .map(
+                issue ->
+                    new UnfixedFinding(
+                        getKey.apply(issue),
+                        detectorRule,
+                        path,
+                        getLine.apply(issue),
+                        "Could not find the XMLStreamReader variable"))
+            .forEach(unfixedFindings::add);
+        continue;
+      }
+      // get the variable
+      NameExpr xmlStreamReaderVariable = xmlStreamReaderScope.asNameExpr();
+      // get the JavaParser statement that contains the create call
+      Optional<Statement> ancestorStatement =
+          createXMLStreamReaderCall.findAncestor(Statement.class);
+      if (ancestorStatement.isEmpty()) {
+        issues.stream()
+            .map(
+                issue ->
+                    new UnfixedFinding(
+                        getKey.apply(issue),
+                        detectorRule,
+                        path,
+                        getLine.apply(issue),
+                        "Could not find the statement containing the XMLStreamReader creation"))
+            .forEach(unfixedFindings::add);
+        continue;
+      }
+      Statement stmt = ancestorStatement.get();
+      XMLFeatures.addXMLInputFactoryDisablingStatement(xmlStreamReaderVariable, stmt, true);
+      issues.stream()
+          .map(
+              issue ->
+                  CodemodChange.from(
+                      getLine.apply(issue), new FixedFinding(getKey.apply(issue), detectorRule)))
+          .forEach(changes::add);
+    }
+
+    unfixedFindings.addAll(results.unfixableFindings());
+    return CodemodFileScanningResult.from(changes, unfixedFindings);
+  }
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XMLFeatures.java

@@ -38,6 +38,37 @@ static MethodCallExpr createGeneralEntityDisablingCall(final NameExpr nameExpr)
             new BooleanLiteralExpr(false)));
   }
 
+  /**
+   * Creates a call for {@link javax.xml.stream.XMLInputFactory#setProperty(java.lang.String,
+   * java.lang.Object)} for disabling.
+   */
+  static XXEFixAttempt addXMLInputFactoryDisablingStatement(
+      final NameExpr variable, final Statement statementToInjectAround, final boolean before) {
+    MethodCallExpr call =
+        new MethodCallExpr(
+            variable,
+            "setProperty",
+            NodeList.nodeList(
+                new StringLiteralExpr("javax.xml.stream.isSupportingExternalEntities"),
+                new BooleanLiteralExpr(false)));
+
+    Optional<BlockStmt> block = ASTs.findBlockStatementFrom(statementToInjectAround);
+    if (block.isEmpty()) {
+      return new XXEFixAttempt(true, false, "No block statement found for newFactory() call");
+    }
+
+    BlockStmt blockStmt = block.get();
+    NodeList<Statement> existingStatements = blockStmt.getStatements();
+    int index = existingStatements.indexOf(statementToInjectAround);
+    if (!before) {
+      index++;
+    }
+
+    Statement fixStatement = new ExpressionStmt(call);
+    existingStatements.add(index, fixStatement);
+    return new XXEFixAttempt(true, true, null);
+  }
+
   static XXEFixAttempt addFeatureDisablingStatements(
       final NameExpr variable, final Statement statementToInjectAround, final boolean before) {
     Optional<BlockStmt> block = ASTs.findBlockStatementFrom(statementToInjectAround);

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XXEIntermediateXMLStreamReaderRemediator.java

@@ -0,0 +1,28 @@
+package io.codemodder.remediation.xxe;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.codetf.DetectorRule;
+import java.util.List;
+import java.util.function.Function;
+
+/**
+ * Strategy for remediating XXE vulnerabilities at an intermediate step in {@link
+ * javax.xml.stream.XMLInputFactory#createXMLStreamReader}.
+ */
+public interface XXEIntermediateXMLStreamReaderRemediator {
+
+  /** A default implementation for callers. */
+  XXEIntermediateXMLStreamReaderRemediator DEFAULT =
+      new DefaultXXEIntermediateXMLStreamReaderRemediator();
+
+  /** Remediate all XXE vulnerabilities in the given compilation unit. */
+  <T> CodemodFileScanningResult remediateAll(
+      CompilationUnit cu,
+      String path,
+      DetectorRule detectorRule,
+      List<T> issuesForFile,
+      Function<T, String> getKey,
+      Function<T, Integer> getLine,
+      Function<T, Integer> getColumn);
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XXERemediator.java

@@ -6,7 +6,7 @@
 import java.util.List;
 import java.util.function.Function;
 
-/** Strategy for remediating XXE vulnerabilities using Java's DOM parser. */
+/** Strategy for remediating XXE vulnerabilities at the sink for multiple parser APIs. */
 public interface XXERemediator {
 
   /** A default implementation for callers. */

framework/codemodder-base/src/main/resources/generic-remediation-reports/java-deserialization/description.md

@@ -0,0 +1,34 @@
+This change fixes Java deserialization vulnerabilities. Even a simple operation like an object deserialization is an opportunity to yield control of your system to an attacker. In fact, without specific, non-default protections, any object deserialization call can lead to arbitrary code execution. The JavaDoc [now even says](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/io/ObjectInputFilter.html):
+
+> Deserialization of untrusted data is inherently dangerous and should be avoided.
+
+Let's discuss the attack. In Java, types can customize how they should be deserialized by specifying a `readObject()` method like this real example from an [old version of Spring](https://github.com/spring-projects/spring-framework/blob/4.0.x/spring-core/src/main/java/org/springframework/core/SerializableTypeWrapper.java#L404):
+
+```java
+static class MethodInvokeTypeProvider implements TypeProvider {
+    private final TypeProvider provider;
+    private final String methodName;
+
+    private void readObject(ObjectInputStream inputStream) {
+        inputStream.defaultReadObject();
+        Method method = ReflectionUtils.findMethod(
+                this.provider.getType().getClass(),
+                this.methodName
+        );
+        this.result = ReflectionUtils.invokeMethod(method,this.provider.getType());
+    }
+}
+```
+
+Reflecting on this code reveals a terrifying conclusion. If an attacker presents this object to be deserialized by your app, the runtime will take a class and a method name from the attacker and then call them. Note that an attacker can provide any serliazed type -- it doesn't have to be the one you're expecting, and it will still deserialize.
+
+Attackers can repurpose the logic of selected types within the Java classpath (called "gadgets") and chain them together to achieve arbitrary remote code execution. There are a limited number of publicly known gadgets that can be used for attack, and our change simply inserts an [ObjectInputFilter](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/io/ObjectInputStream.html#setObjectInputFilter(java.io.ObjectInputFilter)) into the `ObjectInputStream` to prevent them from being used.
+
+```diff
++ import io.github.pixee.security.ObjectInputFilters.createSafeObjectInputStream;
+- ObjectInputStream ois = new ObjectInputStream(is);
++ ObjectInputStream ois = createSafeObjectInputStream(is);
+  AcmeObject acme = (AcmeObject)ois.readObject();
+```
+
+This is a tough vulnerability class to understand, but it is deadly serious. It offers the highest impact possible (remote code execution), it's a common vulnerability (it's in the OWASP Top 10), and exploitation is easy enough that automated exploitation is possible. It's best to remove deserialization entirely, but our protections is effective against all known exploitation strategies.

framework/codemodder-base/src/main/resources/generic-remediation-reports/java-deserialization/report.json

@@ -0,0 +1,12 @@
+{
+  "summary" : "Introduced protections against deserialization attacks",
+  "control" : "https://github.com/pixee/java-security-toolkit/blob/main/src/main/java/io/github/pixee/security/ObjectInputFilters.java",
+  "change" : "Hardened the deserialization call by introducing a filter that prevents known malicious gadgets from executing arbitrary code",
+  "references" : ["https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html", "https://portswigger.net/web-security/deserialization/exploiting"],
+  "faqs" :  [
+    {
+      "question" : "Why does this codemod require a Pixee dependency?",
+      "answer" : "We always prefer to use existing controls built into Java, or a control from a well-known and trusted community dependency. However, older versions of Java don't support fine-grained deserialization filter controls, and there are no community-trusted controls."
+    }
+  ]
+}

framework/codemodder-base/src/test/java/io/codemodder/remediation/xxe/DefaultXXEIntermediateXMLStreamReaderRemediatorTest.java

@@ -0,0 +1,90 @@
+package io.codemodder.remediation.xxe;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import com.github.javaparser.StaticJavaParser;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.printer.lexicalpreservation.LexicalPreservingPrinter;
+import io.codemodder.CodemodChange;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.codetf.FixedFinding;
+import java.util.List;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+final class DefaultXXEIntermediateXMLStreamReaderRemediatorTest {
+
+  private DefaultXXEIntermediateXMLStreamReaderRemediator remediator;
+  private DetectorRule rule;
+
+  @BeforeEach
+  void setup() {
+    remediator = new DefaultXXEIntermediateXMLStreamReaderRemediator();
+    rule = new DetectorRule("xxe", "XXE Fixed At XMLStreamReader", null);
+  }
+
+  @Test
+  void it_remediates_finding() {
+    String fixableCode =
+        """
+                import javax.xml.stream.XMLInputFactory;
+                import javax.xml.stream.XMLStreamReader;
+                import java.io.StringReader;
+
+                class MessageReader {
+
+                    Message read(String xml) {
+                        XMLInputFactory factory = XMLInputFactory.newInstance();
+                        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
+                        // turn into a Message
+                        Message message = convertMessage(reader);
+                        return message;
+                    }
+                }
+                """;
+    CompilationUnit cu = StaticJavaParser.parse(fixableCode);
+    LexicalPreservingPrinter.setup(cu);
+
+    CodemodFileScanningResult result =
+        remediator.remediateAll(
+            cu, "foo", rule, List.of(new Object()), f -> "my-id-1", f -> 9, f -> null);
+
+    // confirm code is what's expected
+    String actualCode = LexicalPreservingPrinter.print(cu);
+    assertThat(actualCode)
+        .isEqualToIgnoringWhitespace(
+            """
+                import javax.xml.stream.XMLInputFactory;
+                import javax.xml.stream.XMLStreamReader;
+                import java.io.StringReader;
+
+                class MessageReader {
+                    Message read(String xml) {
+                        XMLInputFactory factory = XMLInputFactory.newInstance();
+                        factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+                        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
+                        // turn into a Message
+                        Message message = convertMessage(reader);
+                        return message;
+                    }
+                }
+                """);
+
+    // confirm reporting metadata is all correct
+    assertThat(result.unfixedFindings()).isEmpty();
+
+    List<CodemodChange> changes = result.changes();
+    assertThat(changes).hasSize(1);
+
+    CodemodChange change = changes.get(0);
+    assertThat(change.lineNumber()).isEqualTo(9);
+    assertThat(change.getDependenciesNeeded()).isEmpty();
+    ;
+    List<FixedFinding> fixedFindings = change.getFixedFindings();
+    assertThat(fixedFindings).hasSize(1);
+    FixedFinding fixedFinding = fixedFindings.get(0);
+    assertThat(fixedFinding.getId()).isEqualTo("my-id-1");
+    assertThat(fixedFinding.getRule()).isEqualTo(rule);
+  }
+}