• Home
• io.codemodder
• codemodder-base
• 0.97.0
• source code
• DocumentBuilderFactoryAtNewDBFixer.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.codemodder.remediation.xxe.DocumentBuilderFactoryAtNewDBFixer Maven / Gradle / Ivy

package io.codemodder.remediation.xxe;

import static io.codemodder.remediation.RemediationMessages.multipleNodesFound;
import static io.codemodder.remediation.RemediationMessages.noNodesAtThatLocation;
import static io.codemodder.remediation.xxe.XMLFeatures.addFeatureDisablingStatements;

import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.expr.Expression;
import com.github.javaparser.ast.expr.MethodCallExpr;
import com.github.javaparser.ast.stmt.Statement;
import io.codemodder.ast.ASTs;
import java.util.List;
import java.util.Optional;

/** Fix XXEs that are reported at the DocumentBuilderFactory.newDocumentBuilder() call locations. */
final class DocumentBuilderFactoryAtNewDBFixer implements XXEFixer {

  @Override
  public XXEFixAttempt tryFix(final int line, final Integer column, CompilationUnit cu) {
    List candidateMethods =
        ASTs.findMethodCallsWhichAreAssignedToType(
            cu, line, column, "newDocumentBuilder", List.of("DocumentBuilder"));

    if (candidateMethods.isEmpty()) {
      return new XXEFixAttempt(false, false, noNodesAtThatLocation);
    } else if (candidateMethods.size() > 1) {
      return new XXEFixAttempt(false, false, multipleNodesFound);
    }

    MethodCallExpr newDocumentBuilderCall = candidateMethods.get(0);

    // the scope must be the DocumentBuilderFactory
    Optional newDocumentBuilderCallScope = newDocumentBuilderCall.getScope();
    if (newDocumentBuilderCallScope.isEmpty()) {
      return new XXEFixAttempt(true, false, "No scope found");
    }

    Expression scope = newDocumentBuilderCallScope.get();
    if (!scope.isNameExpr()) {
      return new XXEFixAttempt(true, false, "Scope is not a name");
    }

    Optional statement = scope.findAncestor(Statement.class);
    if (statement.isEmpty()) {
      return new XXEFixAttempt(true, false, "No statement found");
    }
    return addFeatureDisablingStatements(scope.asNameExpr(), statement.get(), true);
  }
}