Remove explicit setEntityExpansion calls (#394)

nahsra · web-flow · commit ec403a7fd5af · 2024-06-21T17:40:31.000-04:00
When fixing XXE, users may find it helpful to also remove explicit
turning on off entity expansion.
diff --git a/core-codemods/src/test/resources/sonar-xxe-s2755/Test.java.after b/core-codemods/src/test/resources/sonar-xxe-s2755/Test.java.after
@@ -72,7 +72,6 @@ public class XXEVuln {
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
         dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
         dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-        dbf.setExpandEntityReferences(true);
         DocumentBuilder db = dbf.newDocumentBuilder();
         return db.parse(new InputSource(new StringReader(xml)));
     }
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAndSAXParserAtCreationFixer.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAndSAXParserAtCreationFixer.java
@@ -44,6 +44,6 @@ public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUni
 
     Statement statement = variableDeclarationStmtRef.get();
     return addFeatureDisablingStatements(
-        cu, newFactoryVariable.getNameAsExpression(), statement, false);
+        newFactoryVariable.getNameAsExpression(), statement, false);
   }
 }
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAtParseFixer.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAtParseFixer.java
@@ -104,7 +104,7 @@ public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUni
             "DocumentBuilder was initialized with a factory call without a statement");
       }
       return XMLFeatures.addFeatureDisablingStatements(
-          cu, factoryNameExpr, newDocumentBuilderStatement.get(), true);
+          factoryNameExpr, newDocumentBuilderStatement.get(), true);
     } else if (parserAssignmentNode instanceof Parameter) {
       return new XXEFixAttempt(true, false, "DocumentBuilder came from outside the method scope");
     }
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XMLFeatures.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XMLFeatures.java
@@ -1,6 +1,6 @@
 package io.codemodder.remediation.xxe;
 
-import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.NodeList;
 import com.github.javaparser.ast.expr.BooleanLiteralExpr;
 import com.github.javaparser.ast.expr.MethodCallExpr;
@@ -39,10 +39,7 @@ static MethodCallExpr createGeneralEntityDisablingCall(final NameExpr nameExpr)
   }
 
   static XXEFixAttempt addFeatureDisablingStatements(
-      final CompilationUnit cu,
-      final NameExpr variable,
-      final Statement statementToInjectAround,
-      final boolean before) {
+      final NameExpr variable, final Statement statementToInjectAround, final boolean before) {
     Optional<BlockStmt> block = ASTs.findBlockStatementFrom(statementToInjectAround);
     if (block.isEmpty()) {
       return new XXEFixAttempt(true, false, "No block statement found for newFactory() call");
@@ -62,6 +59,22 @@ static XXEFixAttempt addFeatureDisablingStatements(
       index++;
     }
     existingStatements.addAll(index, fixStatements);
+
+    // search for any dbf.setExpandEntityReferences(true) calls and remove them
+    blockStmt.findAll(MethodCallExpr.class).stream()
+        .filter(
+            m ->
+                "setExpandEntityReferences".equals(m.getNameAsString())
+                    && m.getScope().isPresent()
+                    && m.getScope().get().equals(variable)
+                    && m.getArguments().size() == 1
+                    && m.getArguments().get(0).isBooleanLiteralExpr()
+                    && m.getArguments().get(0).asBooleanLiteralExpr().getValue())
+        .map(Node::getParentNode)
+        .filter(Optional::isPresent)
+        .map(Optional::get)
+        .forEach(Node::remove);
+
     return new XXEFixAttempt(true, true, null);
   }
 }
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XMLReaderAtParseFixer.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XMLReaderAtParseFixer.java
@@ -72,6 +72,6 @@ public XXEFixAttempt tryFix(final int line, final Integer column, final Compilat
       return new XXEFixAttempt(true, false, "No statement found for parse() call");
     }
     return XMLFeatures.addFeatureDisablingStatements(
-        cu, parser.asNameExpr(), parseStatement.get(), true);
+        parser.asNameExpr(), parseStatement.get(), true);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,6 @@ public class XXEVuln {`
`72`	`72`	`DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();`
`73`	`73`	`dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);`
`74`	`74`	`dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`
`75`		`- dbf.setExpandEntityReferences(true);`
`76`	`75`	`DocumentBuilder db = dbf.newDocumentBuilder();`
`77`	`76`	`return db.parse(new InputSource(new StringReader(xml)));`
`78`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,6 @@ public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUni`
`44`	`44`
`45`	`45`	`Statement statement = variableDeclarationStmtRef.get();`
`46`	`46`	`return addFeatureDisablingStatements(`
`47`		`- cu, newFactoryVariable.getNameAsExpression(), statement, false);`
	`47`	`+ newFactoryVariable.getNameAsExpression(), statement, false);`
`48`	`48`	`}`
`49`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUni`
`104`	`104`	`"DocumentBuilder was initialized with a factory call without a statement");`
`105`	`105`	`}`
`106`	`106`	`return XMLFeatures.addFeatureDisablingStatements(`
`107`		`- cu, factoryNameExpr, newDocumentBuilderStatement.get(), true);`
	`107`	`+ factoryNameExpr, newDocumentBuilderStatement.get(), true);`
`108`	`108`	`} else if (parserAssignmentNode instanceof Parameter) {`
`109`	`109`	`return new XXEFixAttempt(true, false, "DocumentBuilder came from outside the method scope");`
`110`	`110`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,6 @@ public XXEFixAttempt tryFix(final int line, final Integer column, final Compilat`
`72`	`72`	`return new XXEFixAttempt(true, false, "No statement found for parse() call");`
`73`	`73`	`}`
`74`	`74`	`return XMLFeatures.addFeatureDisablingStatements(`
`75`		`- cu, parser.asNameExpr(), parseStatement.get(), true);`
	`75`	`+ parser.asNameExpr(), parseStatement.get(), true);`
`76`	`76`	`}`
`77`	`77`	`}`