fixes another xxe in codeql from webgoat, but some debt to fix here

pixee · Oct 17, 2024 · 0f412cd · 0f412cd
1 parent 767703c
commit 0f412cd
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 6 deletions.
diff --git a/core-codemods/src/intTest/java/io/codemodder/integration/WebGoat20238Test.java b/core-codemods/src/intTest/java/io/codemodder/integration/WebGoat20238Test.java
@@ -46,7 +46,7 @@ void it_remediates_webgoat_2023_8() throws Exception {
             .flatMap(Collection::stream)
             .toList();
 
-    assertThat(fileChanges.size(), is(49));
+    assertThat(fileChanges.size(), is(50));
 
     verifyStandardCodemodResults(fileChanges);
 
@@ -70,6 +70,7 @@ void it_remediates_webgoat_2023_8() throws Exception {
 
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/insecure-randomness", 0);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/ssrf", 1);
+    verifyCodemodsHitWithChangesetCount(report, "codeql:java/xxe", 1);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/sql-injection", 6);
     verifyCodemodsHitWithChangesetCount(report, "codeql:java/insecure-cookie", 2);
   }

diff --git a/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXXECodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLXXECodemod.java
@@ -5,7 +5,7 @@
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
 import io.codemodder.remediation.GenericRemediationMetadata;
-import io.codemodder.remediation.xxe.XXERemediator;
+import io.codemodder.remediation.xxe.XXEIntermediateXMLStreamReaderRemediator;
 import javax.inject.Inject;
 
 /** A codemod for automatically fixing SQL injection from CodeQL. */
@@ -16,12 +16,12 @@
     executionPriority = CodemodExecutionPriority.HIGH)
 public final class CodeQLXXECodemod extends CodeQLRemediationCodemod {
 
-  private final XXERemediator remediator;
+  private final XXEIntermediateXMLStreamReaderRemediator remediator;
 
   @Inject
   public CodeQLXXECodemod(@ProvidedCodeQLScan(ruleId = "java/xxe") final RuleSarif sarif) {
     super(GenericRemediationMetadata.XXE.reporter(), sarif);
-    this.remediator = XXERemediator.DEFAULT;
+    this.remediator = XXEIntermediateXMLStreamReaderRemediator.DEFAULT;
   }
 
   @Override
@@ -42,6 +42,7 @@ public CodemodFileScanningResult visit(
         ruleSarif.getResultsByLocationPath(context.path()),
         SarifFindingKeyUtil::buildFindingId,
         r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine(),
         r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn());
   }
 }
diff --git a/...ork/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DefaultXXERemediator.java b/...ork/codemodder-base/src/main/java/io/codemodder/remediation/xxe/DefaultXXERemediator.java
@@ -33,7 +33,7 @@ public <T> CodemodFileScanningResult remediateAll(
       final List<T> issuesForFile,
       final Function<T, String> getKey,
       final Function<T, Integer> getStartLine,
-      final Function<T, Integer> getColumn) {
+      final Function<T, Integer> getStartColumn) {
 
     List<UnfixedFinding> unfixedFindings = new ArrayList<>();
     List<CodemodChange> changes = new ArrayList<>();
@@ -42,7 +42,7 @@ public <T> CodemodFileScanningResult remediateAll(
 
       String findingId = getKey.apply(issue);
       int line = getStartLine.apply(issue);
-      Integer column = getColumn.apply(issue);
+      Integer column = getStartColumn.apply(issue);
       for (XXEFixer fixer : fixers) {
         XXEFixAttempt fixAttempt = fixer.tryFix(line, column, cu);
         if (!fixAttempt.isResponsibleFixer()) {