How to search for misconfigurations

Configuring objects correctly can be a difficult task, especially since some settings are insecure by default and need to be set explicitly. XML eXternal Entities (XXE) is a great example of such a flaw.

In the following section, we learn how to search for missing or redundant configuration settings.

How to configure objects

Objects are usually created by calling a controller or a factory method. Afterward, we configure these objects by calling specific methods. These methods are mostly in the form of setXXX(YYY). Of course, there are other options as well, but in this section, we'll look at the most common pattern.

Searching for missing method calls

We will start by searching for an object creation. Next, we configure Sensei to inspect the return value of that expression and check whether it gets used further down in the code. This behavior is configured with the followedBy option.

search:
  instancecreation:
    name: "Cookie"
    not:
      followedBy:
        methodcall:
          name: "setSecure"

In the example above we start by searching for a constructor invocation of the Cookie class. Next, we check whether the result of that expression, which is the object instance, lacks a method invocation named setSecure.

Adding the missing configuration method calls

Fixing these mistakes with Sensei is quite simple. We can simply use the addMethodCall action. But before executing this action, we must check if the result of the instance creation expression has been assigned to a variable. If this is not the case, we will automatically create the variable assignment before executing the action.

availableFixes:
- name: "add setSecure(true)"
  actions:
  - addMethodCall:
      name: "setSecure"
      arguments:
      - "true"
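The code the search and fix above operate on, as an added example that is not part of the original page or of Sensei itself. It assumes the javax.servlet API (Cookie, HttpServletResponse) is on the classpath; the class and method names are hypothetical. The first method is the shape the search matches, the second is what the addMethodCall fix produces once the instance has been assigned to a variable.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

public class SessionCookies {

    // Before: the shape the search above matches. The Cookie is created inline,
    // never assigned to a variable, and setSecure is never called, so the
    // browser is allowed to send it over plain HTTP as well as HTTPS.
    public static void addSessionCookieInsecure(HttpServletResponse response, String token) {
        response.addCookie(new Cookie("session", token));
    }

    // After: the result of the addMethodCall fix. Because the instance creation
    // was not assigned to a variable, the fix first introduces one and then
    // appends the setSecure(true) call on it.
    public static Cookie buildSessionCookie(String token) {
        Cookie cookie = new Cookie("session", token);
        cookie.setSecure(true);
        // Assumed companion setting, not part of the page's recipe: keeps the
        // cookie out of reach of client-side script.
        cookie.setHttpOnly(true);
        return cookie;
    }

    public static void addSessionCookieSecure(HttpServletResponse response, String token) {
        response.addCookie(buildSessionCookie(token));
    }
}
```

A recipe written the same way as the one above, with setHttpOnly in place of setSecure, would flag the missing HttpOnly flag too.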

Advanced example

For reference, we've included a more advanced example that can be used to detect and fix XXE vulnerabilities.

Example snippet
public void example() throws Exception {
    DocumentBuilderFactory newInstance = DocumentBuilderFactory.newInstance();
    newInstance.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
Search
search:
  methodcall:
    not:
      followedBy:
        methodcall:
          args:
            1:
              referenceTo:
                name: javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
          name: setFeature
    name: newInstance
    declaration:
      type:
        reference:
          matches: javax\.xml\.(parsers|transform|validation|xpath)\.(DocumentBuilderFactory|TransformerFactory|SAXParserFactory|SchemaFactory|XPathFactory)
        checkInheritance: false
Fix
availableFixes:
- name: "Set FEATURE_SECURE_PROCESSING true"
  actions:
  - addMethodCall:
      name: "setFeature"
      arguments:
      - "javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING"
      - "true"
      position: "first-available-spot"
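A runnable illustration of what the advanced recipe enforces, added here as an example and not taken from the original page or from Sensei. It uses only the JDK's built-in XML APIs. The hardened factory starts with the FEATURE_SECURE_PROCESSING call that the fix inserts and adds the further settings (disallow-doctype-decl, XInclude and entity expansion off) that are assumed good practice beyond the page's recipe, because secure processing by itself enforces resource limits rather than refusing external entities. The XML input is constructed for the example and its SYSTEM identifier is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardening {

    // Constructed sample input: declares an external entity and references it.
    // The SYSTEM identifier is a placeholder, not a real resource.
    static final String XML_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder-path\">]>\n"
        + "<data>&ext;</data>";

    // Constructed benign input with no DOCTYPE at all.
    static final String PLAIN_XML = "<data>hello</data>";

    // Factory configured the way the recipe on this page leaves it, plus the
    // additional hardening that actually refuses DOCTYPE declarations.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The call the Sensei fix inserts: turns on secure processing, which
        // imposes limits on entity expansion and similar resource usage.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Assumed additional settings: with no DOCTYPE allowed, no entity of any
        // kind can be declared in untrusted input, so the external reference in
        // XML_WITH_EXTERNAL_ENTITY is rejected before it is ever resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Returns true when the parser accepts the document and false when it
    // rejects it; parser configuration problems and I/O errors propagate.
    public static boolean accepts(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            // disallow-doctype-decl makes the parser raise a SAXParseException
            // as soon as it sees the DOCTYPE, which is the outcome we want.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = hardenedFactory();
        System.out.println("accepts plain XML:           " + accepts(factory, PLAIN_XML));
        System.out.println("accepts DOCTYPE with entity: " + accepts(factory, XML_WITH_EXTERNAL_ENTITY));
    }
}
```

The same ordering matters for the fix's position setting: the setFeature call has to land before newDocumentBuilder() is invoked, which is why the recipe places it at the first available spot after the factory is created rather than at the end of the method.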