Create JNDI alternate fix (#401)

Create another strategy for JNDI that swaps out the sink for a hardened
version.

Author: nahsra

framework/codemodder-base/src/main/java/io/codemodder/DependencyGAV.java

@@ -160,7 +160,7 @@ static DependencyGAV createDefault(
         group, artifact, version, justification, license, repositoryUrl, noTransitiveDependencies);
   }
 
-  String JAVA_SECURITY_TOOLKIT_VERSION = "1.1.3";
+  String JAVA_SECURITY_TOOLKIT_VERSION = "1.2.0";
   String JAVA_SECURITY_TOOLKIT_GAV =
       "io.github.pixee:java-security-toolkit:" + JAVA_SECURITY_TOOLKIT_VERSION;
 

framework/codemodder-base/src/main/java/io/codemodder/remediation/jndiinjection/DefaultJNDIInjectionRemediator.java

@@ -1,8 +1,5 @@
 package io.codemodder.remediation.jndiinjection;
 
-import static io.codemodder.ast.ASTTransforms.addImportIfMissing;
-
-import com.github.javaparser.StaticJavaParser;
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
@@ -13,6 +10,7 @@
 import com.github.javaparser.ast.stmt.Statement;
 import io.codemodder.CodemodChange;
 import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.DependencyGAV;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.codetf.FixedFinding;
 import io.codemodder.codetf.UnfixedFinding;
@@ -21,29 +19,20 @@
 import io.codemodder.remediation.FixCandidateSearcher;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Objects;
 import java.util.Optional;
-import java.util.Set;
 import java.util.function.Function;
 
 final class DefaultJNDIInjectionRemediator implements JNDIInjectionRemediator {
 
-  private final MethodDeclaration fixMethod;
+  private final JNDIFixStrategy fixStrategy;
 
   DefaultJNDIInjectionRemediator() {
-    String fixMethodCode =
-        """
-                private static void validateResourceName(final String name) {
-                    if (name != null) {
-                      Set<String> illegalNames = Set.of("ldap://", "rmi://", "dns://", "java:");
-                      String canonicalName = name.toLowerCase().trim();
-                      if (illegalNames.stream().anyMatch(canonicalName::startsWith)) {
-                        throw new SecurityException("Illegal JNDI resource name: " + name);
-                      }
-                    }
-                }
-                """;
-
-    this.fixMethod = StaticJavaParser.parseMethodDeclaration(fixMethodCode);
+    this(new ReplaceLimitedLookupStrategy());
+  }
+
+  DefaultJNDIInjectionRemediator(final JNDIFixStrategy fixStrategy) {
+    this.fixStrategy = Objects.requireNonNull(fixStrategy);
   }
 
   @Override
@@ -110,8 +99,6 @@ public <T> CodemodFileScanningResult remediateAll(
       // validate the shape of code around the lookup call to make sure its safe to add the call and
       // method
       NameExpr contextNameVariable = lookupCall.getArgument(0).asNameExpr();
-      MethodCallExpr validationCall = new MethodCallExpr(null, validateResourceMethodName);
-      validationCall.addArgument(contextNameVariable);
 
       Optional<Node> lookupParentNode = lookupStatement.get().getParentNode();
       if (lookupParentNode.isEmpty()) {
@@ -122,7 +109,7 @@ public <T> CodemodFileScanningResult remediateAll(
         continue;
       }
 
-      if (!(lookupParentNode.get() instanceof BlockStmt)) {
+      if (!(lookupParentNode.get() instanceof BlockStmt blockStmt)) {
         UnfixedFinding unfixedFinding =
             new UnfixedFinding(
                 findingId, detectorRule, path, line, "No block statement found around lookup call");
@@ -131,32 +118,15 @@ public <T> CodemodFileScanningResult remediateAll(
       }
 
       // add the validation call to the block statement
-      BlockStmt blockStmt = (BlockStmt) lookupParentNode.get();
       int index = blockStmt.getStatements().indexOf(lookupStatement.get());
-      blockStmt.addStatement(index, validationCall);
-
-      // add the validation method if it's not already present
-      boolean alreadyHasResourceValidationCallPresent =
-          parentClass.findAll(MethodDeclaration.class).stream()
-              .anyMatch(
-                  md ->
-                      md.getNameAsString().equals(validateResourceMethodName)
-                          && md.getParameters().size() == 1
-                          && md.getParameters().get(0).getTypeAsString().equals("String"));
-
-      if (!alreadyHasResourceValidationCallPresent) {
-        parentClass.addMember(fixMethod);
-        addImportIfMissing(cu, Set.class);
-      }
-
-      changes.add(CodemodChange.from(line, new FixedFinding(findingId, detectorRule)));
+      List<DependencyGAV> deps =
+          fixStrategy.fix(cu, parentClass, lookupCall, contextNameVariable, blockStmt, index);
+      changes.add(CodemodChange.from(line, deps, new FixedFinding(findingId, detectorRule)));
     }
 
     List<UnfixedFinding> allUnfixedFindings = new ArrayList<>(results.unfixableFindings());
     allUnfixedFindings.addAll(unfixedFindings);
 
     return CodemodFileScanningResult.from(changes, allUnfixedFindings);
   }
-
-  private static final String validateResourceMethodName = "validateResourceName";
 }

framework/codemodder-base/src/main/java/io/codemodder/remediation/jndiinjection/InjectValidationMethodStrategy.java

@@ -0,0 +1,71 @@
+package io.codemodder.remediation.jndiinjection;
+
+import static io.codemodder.ast.ASTTransforms.addImportIfMissing;
+
+import com.github.javaparser.StaticJavaParser;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
+import com.github.javaparser.ast.body.MethodDeclaration;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.stmt.BlockStmt;
+import io.codemodder.DependencyGAV;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * {@inheritDoc}
+ *
+ * <p>Fixes by injecting a validation method into the class and calling it before the lookup() call.
+ */
+final class InjectValidationMethodStrategy implements JNDIFixStrategy {
+
+  private final MethodDeclaration fixMethod;
+
+  InjectValidationMethodStrategy() {
+    String fixMethodCode =
+        """
+                        private static void validateResourceName(final String name) {
+                            if (name != null) {
+                              Set<String> illegalNames = Set.of("ldap://", "rmi://", "dns://", "java:");
+                              String canonicalName = name.toLowerCase().trim();
+                              if (illegalNames.stream().anyMatch(canonicalName::startsWith)) {
+                                throw new SecurityException("Illegal JNDI resource name: " + name);
+                              }
+                            }
+                        }
+                        """;
+    this.fixMethod = StaticJavaParser.parseMethodDeclaration(fixMethodCode);
+  }
+
+  @Override
+  public List<DependencyGAV> fix(
+      final CompilationUnit cu,
+      final ClassOrInterfaceDeclaration parentClass,
+      final MethodCallExpr lookupCall,
+      final NameExpr contextNameVariable,
+      final BlockStmt blockStmt,
+      final int index) {
+    MethodCallExpr validationCall = new MethodCallExpr(null, validateResourceMethodName);
+    validationCall.addArgument(contextNameVariable);
+    blockStmt.addStatement(index, validationCall);
+
+    // add the validation method if it's not already present
+    boolean alreadyHasResourceValidationCallPresent =
+        parentClass.findAll(MethodDeclaration.class).stream()
+            .anyMatch(
+                md ->
+                    md.getNameAsString().equals(validateResourceMethodName)
+                        && md.getParameters().size() == 1
+                        && md.getParameters().get(0).getTypeAsString().equals("String"));
+
+    if (!alreadyHasResourceValidationCallPresent) {
+      parentClass.addMember(fixMethod);
+      addImportIfMissing(cu, Set.class);
+    }
+
+    return List.of();
+  }
+
+  private static final String validateResourceMethodName = "validateResourceName";
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/jndiinjection/JNDIFixStrategy.java

@@ -0,0 +1,32 @@
+package io.codemodder.remediation.jndiinjection;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.stmt.BlockStmt;
+import io.codemodder.DependencyGAV;
+import java.util.List;
+
+/** Strategy for fixing JNDI injection vulnerabilities. */
+interface JNDIFixStrategy {
+
+  /**
+   * Fix the JNDI injection vulnerability.
+   *
+   * @param cu the compilation unit
+   * @param parentClass the parent type (could be nested type)
+   * @param lookupCall the lookup() method call
+   * @param blockStmt the block which contains the lookup statement
+   * @param index the index of the statement in the block
+   * @param contextNameVariable the variable that holds the JNDI context
+   * @return the list of dependencies that need to be added to the project
+   */
+  List<DependencyGAV> fix(
+      CompilationUnit cu,
+      ClassOrInterfaceDeclaration parentClass,
+      MethodCallExpr lookupCall,
+      NameExpr contextNameVariable,
+      BlockStmt blockStmt,
+      int index);
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/jndiinjection/ReplaceLimitedLookupStrategy.java

@@ -0,0 +1,41 @@
+package io.codemodder.remediation.jndiinjection;
+
+import static io.codemodder.javaparser.JavaParserTransformer.wrap;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.stmt.BlockStmt;
+import io.codemodder.DependencyGAV;
+import io.github.pixee.security.JNDI;
+import java.util.List;
+
+/** Replaces the call with a limited call. */
+final class ReplaceLimitedLookupStrategy implements JNDIFixStrategy {
+
+  @Override
+  public List<DependencyGAV> fix(
+      final CompilationUnit cu,
+      final ClassOrInterfaceDeclaration parentClass,
+      final MethodCallExpr lookupCall,
+      final NameExpr contextNameVariable,
+      final BlockStmt blockStmt,
+      final int index) {
+
+    String className = JNDI.class.getName();
+    String methodName = "limitedContext";
+
+    // rather than insert all new nodes, we'll replace the ones in place
+    // ctx.lookup(foo) -> JNDI.limitedContext(ctx).lookup(foo)
+
+    // this is the JNDI Context object
+    Expression jndiContext = lookupCall.getScope().get();
+
+    // the new scope is the static call
+    wrap(jndiContext).withStaticMethod(className, methodName, false);
+
+    return List.of(DependencyGAV.JAVA_SECURITY_TOOLKIT);
+  }
+}