Adding two abstract visitor classes for XXE vulnerabilities #98

Merged: 3 commits, Aug 21, 2023

@aaronist (Contributor) commented Aug 17, 2023

  • Add two abstract visitors (one to search, one to update) for XXE vulnerabilities to allow for easier addition of new XML parsers
  • Additional code cleanup

@JLLeitschuh (Collaborator) left a comment

Some suggestions. Otherwise looks good!

@Getter
public abstract class XmlFactoryInsertVisitor<P> extends JavaIsoVisitor<P> {
private final J.Block scope;
private final StringBuilder template;
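
Review bot: the class-level `@Getter` also generates `getTemplate()` for the `StringBuilder template` field, so any code holding the visitor can mutate the template through the getter even though the field is `private final`. If only `scope` needs a public accessor (it is read via `getScope()`), move `@Getter` onto that field and keep `template` internal, or expose it as a `String`.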

Just assign this to a new string builder, then you don't need to pass it in the super call

return s != null ? s.getCoordinates().before() : b.getCoordinates().lastStatement();
}

public J.Block updateTemplate(J.Block b, J.Block block, Statement beforeStatement, Set<String> imports) {
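
Review bot: `updateTemplate(J.Block b, J.Block block, ...)` takes two `J.Block` parameters whose names `b` and `block` do not distinguish their roles, so a caller can swap them without a compile error, and the method has no Javadoc. Rename the parameters after their roles and add a short Javadoc stating what the method returns and what `imports` is used for.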

Curious about this method name

maybeAddImport("javax.xml.XMLConstants");
Statement beforeStatement = getInsertStatement(b);
if (b.isScope(getScope())) {
b = updateTemplate(b, block, beforeStatement, Stream.of("javax.xml.XMLConstants").collect(Collectors.toSet()));

Suggested change
b = updateTemplate(b, block, beforeStatement, Stream.of("javax.xml.XMLConstants").collect(Collectors.toSet()));
b = updateTemplate(b, block, beforeStatement, Collections.single("javax.xml.XMLConstants"));
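
Review bot: in the replacement line, `Collections.single(...)` is not a method of `java.util.Collections`; the one-element immutable set factory is `Collections.singleton(...)`, so the argument should read `Collections.singleton("javax.xml.XMLConstants")`. The `Stream` and `Collectors` imports can be dropped if this call was their only use.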

Not sure I got the method name entirely correct

@JLLeitschuh (Collaborator) left a comment

LGTM!

@aaronist aaronist marked this pull request as ready for review August 21, 2023 16:35
@JLLeitschuh JLLeitschuh merged commit 727dd1a into openrewrite:main Aug 21, 2023
1 check passed