How to search for misconfigurations
===================================

Perfectly configuring objects can be a difficult task, especially since some settings are insecure by default and need to be set explicitly. XML eXternal Entities (XXE) is a good example of such a flaw. In the following section, we learn how to search for missing or redundant configuration settings.

How to configure objects
------------------------

Objects are usually created by calling a constructor or a factory method. Afterward, we configure these objects by calling specific methods. These methods mostly take the form ``setXXX(YYY)``. Of course, there are other options as well, but in this section, we'll look at the most common pattern.

Searching for missing method calls
----------------------------------

We will start by searching for an object creation. Next, we can configure Sensei to look at the return value of that creation and check whether it gets used further down the code. This behavior is configured with the ``followedBy`` option.

.. code-block:: yaml

   search:
     instancecreation:
       name: "Cookie"
       not:
         followedBy:
           methodcall:
             name: "setSecure"

In the example above we start by searching for a constructor invocation of the ``Cookie`` class. Next, we check whether the result of that expression, which is the object instance, lacks a method invocation named ``setSecure``.

Adding the missing configuration method calls
---------------------------------------------

Fixing these mistakes with Sensei is quite simple: we use the ``addMethodCall`` action. Before executing this action, we must check whether the result of the instance creation expression has been assigned to a variable. If it has not, we automatically create the variable assignment before executing the action.

.. code-block:: yaml

   availableFixes:
     - name: "add setSecure(true)"
       actions:
         - addMethodCall:
             name: "setSecure"
             arguments:
               - "true"

Advanced example
----------------

For reference, we've included a more advanced example that can be used to detect and fix XXE vulnerabilities.

.. literalinclude:: src/misconfig.java
   :language: java
   :caption: example snippet
   :lines: 5-8
   :dedent: 4

.. code-block:: yaml
   :caption: search

   search:
     methodcall:
       not:
         followedBy:
           methodcall:
             args:
               1:
                 referenceTo:
                   name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
             name: setFeature
       name: newInstance
       declaration:
         type:
           reference:
             matches: javax\.xml\.(parsers|transform|validation|xpath)\.(DocumentBuilderFactory|TransformerFactory|SAXParserFactory|SchemaFactory|XPathFactory)
           checkInheritance: false

.. code-block:: yaml
   :caption: fix

   availableFixes:
     - name: "Set FEATURE_SECURE_PROCESSING true"
       actions:
         - addMethodCall:
             name: "setFeature"
             arguments:
               - "javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING"
               - "true"
             position: "first-available-spot"
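The search and fix semantics of both recipes above (the ``Cookie``/``setSecure`` one and the XXE ``setFeature`` one), as an added Python example that is not Sensei's code and not part of the original page. It treats one Java statement per line, applies the ``followedBy`` check on the variable the creation is assigned to, and performs the ``addMethodCall`` fix, hoisting an inline creation into a fresh local first, as the text describes. The ``Rule`` structure, the regexes, the sample statements and the generated variable names are constructed for this illustration; the added call is placed directly after the creation statement rather than at Sensei's ``first-available-spot``.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    # creation:   regex for the creation expression; the 'type' group names the
    #             created type so a hoisted variable can be declared
    # required:   regex for the call that must follow on the created object
    # call_name/fix_args: the method call the fix adds when 'required' is missing
    # var_prefix: prefix for locals the fix has to introduce
    creation: str
    required: str
    call_name: str
    fix_args: str
    var_prefix: str


# Hypothetical rules mirroring the two recipes discussed above.
COOKIE_RULE = Rule(
    creation=r"new\s+(?P<type>Cookie)\s*\(",
    required=r"setSecure\s*\(",
    call_name="setSecure", fix_args="true", var_prefix="cookie",
)
XXE_RULE = Rule(
    creation=r"(?P<type>DocumentBuilderFactory|TransformerFactory|SAXParserFactory"
             r"|SchemaFactory|XPathFactory)\.newInstance\s*\(",
    required=r"setFeature\s*\(\s*(?:javax\.xml\.)?XMLConstants\.FEATURE_SECURE_PROCESSING\b",
    call_name="setFeature", fix_args="XMLConstants.FEATURE_SECURE_PROCESSING, true",
    var_prefix="factory",
)

# Constructed sample, one Java statement per line (not taken from the page).
SAMPLE = """\
Cookie session = new Cookie("JSESSIONID", sid);
session.setHttpOnly(true);
Cookie tracker = new Cookie("track", tid);
tracker.setSecure(true);
response.addCookie(new Cookie("lang", "en"));
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder db = dbf.newDocumentBuilder();
TransformerFactory tf = TransformerFactory.newInstance();
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
"""

# 'Type var = <expr>;' or 'var = <expr>;'  ->  groups: variable, expression
ASSIGN = re.compile(r"^\s*(?:[\w.<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$")


def _assigned_variable(line, rule):
    """Variable the creation expression is assigned to, or None if inline."""
    m = ASSIGN.match(line)
    if m and re.search(rule.creation, m.group(2)):
        return m.group(1)
    return None


def _is_followed_by(var, later_lines, rule):
    """The followedBy check: does a later statement call `required` on var?"""
    pattern = re.compile(r"\b" + re.escape(var) + r"\s*\.\s*" + rule.required)
    return any(pattern.search(line) for line in later_lines)


def find_missing(source, rule):
    """(1-based line number, variable or None) for every unconfigured creation."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not re.search(rule.creation, line):
            continue
        var = _assigned_variable(line, rule)
        # An inline creation has no variable, so nothing can configure it later.
        if var is None or not _is_followed_by(var, lines[i + 1:], rule):
            findings.append((i + 1, var))
    return findings


def _balanced_call(line, start):
    """Slice from `start` to the ')' closing the creation's argument list."""
    depth = 0
    for j in range(start, len(line)):
        if line[j] == "(":
            depth += 1
        elif line[j] == ")":
            depth -= 1
            if depth == 0:
                return line[start:j + 1]
    raise ValueError("unbalanced parentheses in: " + line)


def apply_fix(source, rule):
    """The addMethodCall step: add the missing call after each flagged creation.

    An inline creation is first hoisted into a fresh local and the original
    statement rewritten to use that local, then the call is added on the local.
    """
    lines = source.splitlines()
    flagged = dict(find_missing(source, rule))
    out, counter = [], 0
    for i, line in enumerate(lines, start=1):
        if i not in flagged:
            out.append(line)
            continue
        indent = line[:len(line) - len(line.lstrip())]
        var = flagged[i]
        if var is None:
            counter += 1
            var = f"{rule.var_prefix}{counter}"
            m = re.search(rule.creation, line)
            expr = _balanced_call(line, m.start())
            out.append(f"{indent}{m.group('type')} {var} = {expr};")
            out.append(f"{indent}{var}.{rule.call_name}({rule.fix_args});")
            out.append(line.replace(expr, var, 1))
        else:
            out.append(line)
            out.append(f"{indent}{var}.{rule.call_name}({rule.fix_args});")
    return "\n".join(out) + "\n"
```

Running ``find_missing(SAMPLE, COOKIE_RULE)`` flags the ``session`` cookie (created, configured with ``setHttpOnly`` but never with ``setSecure``) and the inline cookie passed straight to ``addCookie``; ``tracker`` passes because a later statement calls ``setSecure`` on it. ``XXE_RULE`` flags ``dbf`` and accepts ``tf``. ``apply_fix`` then produces source on which ``find_missing`` reports nothing. Note that ``FEATURE_SECURE_PROCESSING`` is the single setting this recipe enforces; the OWASP XXE Prevention Cheat Sheet recommends further parser features, such as disallowing DOCTYPE declarations, so treat the recipe as one check among several.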