Class JSPScriptletXSSCodemod

java.lang.Object
io.codemodder.RawFileChanger
io.codemodder.RegexFileChanger
io.codemodder.codemods.JSPScriptletXSSCodemod
All Implemented Interfaces:
io.codemodder.CodeChanger

@Codemod(id="pixee:java/encode-jsp-scriptlet", importance=HIGH, reviewGuidance=MERGE_WITHOUT_REVIEW)
public final class JSPScriptletXSSCodemod extends io.codemodder.RegexFileChanger
This type corrects simple and obvious XSS vulnerabilities in JSPs. It looks for patterns like:

<%= request.getParameter("anything") %>

Literally almost any modification to the above snippet could provide protection -- we only want to find the 100% certain cases, where the value is uncontrolled user input that can escape any context and achieve exploitation.
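
As an added illustration (not the codemod's own source), the following Python sketch mirrors the matching rule described above: only a scriptlet whose entire body is a single request.getParameter("...") call is rewritten, and anything more complex is left untouched. The encoder it wraps the call in (OWASP Java Encoder's Encode.forHtml) is an assumption, since this page does not state what replacement the codemod emits.

```python
import re

# Match only the simplest, unambiguous form: a JSP expression whose whole body
# is request.getParameter("...") (double or single quotes). Scriptlets that add
# method calls, concatenation or other expressions are deliberately not matched,
# because the codemod wants 100% certain cases only.
SCRIPTLET = re.compile(
    r'<%=\s*request\.getParameter\(\s*(?P<q>["\'])(?P<name>[^"\']*)(?P=q)\s*\)\s*%>'
)


def get_replacement_for(matching_snippet: str) -> str:
    """Return the encoded form of a matched scriptlet (unchanged if it does not match).

    ASSUMPTION: the real codemod's output encoder is not stated on the page;
    OWASP Java Encoder's Encode.forHtml is used here as a plausible HTML-context encoder.
    """
    m = SCRIPTLET.fullmatch(matching_snippet)
    if m is None:
        return matching_snippet
    quoted = f'{m.group("q")}{m.group("name")}{m.group("q")}'
    return f'<%= org.owasp.encoder.Encode.forHtml(request.getParameter({quoted})) %>'


def rewrite_jsp(source: str) -> tuple[str, int]:
    """Rewrite every certain match in a JSP; return (new_source, number_of_changes)."""
    return SCRIPTLET.subn(lambda m: get_replacement_for(m.group(0)), source)


def supports(path: str) -> bool:
    """Only JSP files are candidates, mirroring supports(Path) on this page."""
    return path.lower().endswith(".jsp")


# Constructed sample JSP: only the first two expressions are certain, unencoded
# parameter echoes. The third is already encoded, the fourth is concatenated
# (unknown final context), and the fifth is an assignment scriptlet, not an echo.
SAMPLE_JSP = """<html><body>
<p>Hello <%= request.getParameter("name") %></p>
<p><%= request.getParameter('q') %></p>
<p><%= Encode.forHtml(request.getParameter("safe")) %></p>
<p><%= request.getParameter("a") + "x" %></p>
<% String id = request.getParameter("id"); %>
</body></html>"""

if __name__ == "__main__":
    rewritten, changes = rewrite_jsp(SAMPLE_JSP)
    print(f"{changes} scriptlet(s) rewritten")
    print(rewritten)
```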

  • Field Summary

    Fields inherited from class io.codemodder.RawFileChanger

    reporter
  • Constructor Summary

    Constructors
    Constructor                                Description
    JSPScriptletXSSCodemod()
  • Method Summary

    Modifier and Type                          Method                                        Description
    io.codemodder.IncludesExcludesPattern      getIncludesExcludesPattern()
    String                                     getReplacementFor(String matchingSnippet)
    boolean                                    supports(Path file)

    Methods inherited from class io.codemodder.RegexFileChanger

    visitFile

    Methods inherited from class io.codemodder.RawFileChanger

    getDescription, getIndividualChangeDescription, getReferences, getSummary

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface io.codemodder.CodeChanger

    shouldRun
  • Constructor Details

    • JSPScriptletXSSCodemod

      public JSPScriptletXSSCodemod()
  • Method Details

    • getReplacementFor

      public String getReplacementFor(String matchingSnippet)
      Specified by:
      getReplacementFor in class io.codemodder.RegexFileChanger
    • supports

      public boolean supports(Path file)
    • getIncludesExcludesPattern

      public io.codemodder.IncludesExcludesPattern getIncludesExcludesPattern()