Package io.codemodder.codemods

Class HardenXMLReaderCodemod

java.lang.Object
io.codemodder.javaparser.JavaParserChanger
io.codemodder.SarifPluginJavaParserChanger<com.github.javaparser.ast.expr.MethodCallExpr>
io.codemodder.codemods.HardenXMLReaderCodemod
All Implemented Interfaces:
io.codemodder.CodeChanger
@Codemod(id="pixee:java/harden-xmlreader", importance=HIGH, reviewGuidance=MERGE_WITHOUT_REVIEW) public final class HardenXMLReaderCodemod extends io.codemodder.SarifPluginJavaParserChanger<com.github.javaparser.ast.expr.MethodCallExpr>
Disables external entity resolution in XMLReader use. This codemod takes a different approach than similarly-purposed HardenXMLInputFactoryCodemod. It attempts to inline the necessary calls to XMLReader.setFeature(String, boolean) to disable external entities. It must be somewhat clever about this in case one is already present, only presenting the one that's needed. We could do this inline with JavaParser inspection but it is more robust to use Semgrep to determine which settings are needed.

  • Field Summary

    Fields inherited from class io.codemodder.SarifPluginJavaParserChanger

    sarif

    Fields inherited from class io.codemodder.javaparser.JavaParserChanger

    reporter

  • Constructor Summary

    Constructors
    Constructor
    Description
    HardenXMLReaderCodemod(io.codemodder.RuleSarif sarif)
     

  • Method Summary

    Modifier and Type
    Method
    Description
    io.codemodder.javaparser.ChangesResult
    onResultFound(io.codemodder.CodemodInvocationContext context, com.github.javaparser.ast.CompilationUnit cu, com.github.javaparser.ast.expr.MethodCallExpr parseCall, com.contrastsecurity.sarif.Result result)
     

    Methods inherited from class io.codemodder.SarifPluginJavaParserChanger

    shouldRun, visit

    Methods inherited from class io.codemodder.javaparser.JavaParserChanger

    getDescription, getIndividualChangeDescription, getReferences, getSummary

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Constructor Details

    • HardenXMLReaderCodemod

      @Inject public HardenXMLReaderCodemod(@SemgrepScan(ruleId="harden-xmlreader") io.codemodder.RuleSarif sarif)

  • Method Details

    • onResultFound

      public io.codemodder.javaparser.ChangesResult onResultFound(io.codemodder.CodemodInvocationContext context, com.github.javaparser.ast.CompilationUnit cu, com.github.javaparser.ast.expr.MethodCallExpr parseCall, com.contrastsecurity.sarif.Result result)
      Specified by:
      onResultFound in class io.codemodder.SarifPluginJavaParserChanger<com.github.javaparser.ast.expr.MethodCallExpr>