Add security rules for XML processing and database connection vulnerabilities

[ESS-ENN]

Summary by CodeRabbit

• New Features

  • Added security rules to detect potential vulnerabilities related to XML external entity processing and hard-coded secrets in Java applications.
  • Introduced new test configurations to validate the handling of external entities and hard-coded credentials.

• Tests

  • New test cases and snapshot configurations added for validating the behavior of DocumentBuilderFactory and DriverManager regarding security best practices.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Walkthrough

This pull request introduces three new security rules for Java applications, focusing on XML processing and database connection vulnerabilities. The rules target potential security risks in DocumentBuilderFactory related to external entities and a hardcoded secret detection mechanism for DriverManager. Each rule is accompanied by corresponding test configurations and snapshots to validate the detection of insecure configurations. The primary goal is to enhance security by identifying and flagging potentially dangerous XML processing settings and hardcoded credentials.

Changes

File Path	Change Summary
rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml	Added security rule to detect enabling of external general entities in XML processing
rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml	Added security rule to detect enabling of external parameter entities in XML processing
rules/java/security/drivermanager-hardcoded-secret-java.yml	Added security rule to detect hardcoded secrets in database connection configurations
tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml	Added test configuration for external general entities rule
tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml	Added test configuration for external parameter entities rule
tests/java/drivermanager-hardcoded-secret-java-test.yml	Added test configuration for hardcoded secrets rule
tests/__snapshots__/*-snapshot.yml	Added snapshot files for each new rule to support testing

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Rule as Security Rule
    participant Code as Java Code
    
    Dev->>Code: Writes XML processing code
    Code->>Rule: Invokes security check
    Rule->>Rule: Analyze XML entity settings
    Rule->>Code: Flag potential security risks
    Rule->>Dev: Provide warning about unsafe configuration

Loading

Possibly related PRs

• Update ast-grep CLI & add Java cookie management rules #7: Rule for DocumentBuilderFactory external general entities
• One java and one rust rule #13: Security rules for XML processing configurations
• Two Java rules 10Oct2024 #16: Rules for cookie security
• Rules - One php and one java rule #20: Detection of hardcoded secrets in DriverManager
• Add security rules for Java and Swift applications for cookie and secret management #43: Rules for cookie handling and security
• Add security rules for cookie settings and XML processing in YAML config #66: Rules for detecting insecure cookie settings
• Add security rules for cookie handling in Java applications #67: Additional rules for cookie handling

Suggested reviewers

• rohit121

Poem

🐰 Secure code, oh what a delight!
XML entities, no longer a fright
Secrets hidden, now brought to light
CodeRabbit's rules shine ever so bright
Safety dancing with each byte! 🔒

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (12)

tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml (1)

5-9: Consider expanding test coverage for edge cases.

While the basic cases are covered, consider adding tests for:

1. Case sensitivity variations of the feature string
2. Different boolean representations (Boolean.TRUE, 1, etc.)
3. Chained configurations with other security-related features

tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml (1)

6-10: Consider adding test cases for combined security features.

While individual feature testing is good, consider adding test cases that combine multiple security features to ensure they work together correctly:

• External general entities with DTD processing
• External general entities with external parameter entities

rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml (2)

4-7: Consider enhancing the error message with examples.

The message clearly identifies the issue but could be more helpful by including a code example of the correct configuration.

 message: >-
       External entities are allowed for $DBFACTORY. This is vulnerable to XML
       external entity attacks. Disable this by setting the feature
-      "http://xml.org/sax/features/external-parameter-entities" to false.
+      "http://xml.org/sax/features/external-parameter-entities" to false.
+      Example: dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

---

8-11: Enhance documentation with additional references.

While the current reference is good, consider adding:

• OWASP XXE Prevention Cheat Sheet
• Links to related CVEs
• Java-specific security guidelines

tests/java/drivermanager-hardcoded-secret-java-test.yml (2)

3-4: Consider using a more secure example for the valid case.

While demonstrating a connection without password is valid for testing, consider adding a comment explaining that this is just for testing purposes and real applications should use proper authentication.

---

7-16: Enhance test coverage for edge cases.

The test cases cover basic scenarios but could be expanded to include:

• Connection strings with environment variables
• Connection pooling configurations
• Different database vendors

Would you like me to provide additional test cases?

rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml (2)

4-12: Enhance security context in the message and notes.

The security context could be improved by:

1. Adding specific CVE references for XXE attacks
2. Including examples of safe configurations
3. Mentioning potential impact of XXE attacks

---

14-39: Fix YAML formatting issues and enhance pattern matching.

The rule implementation has formatting inconsistencies and could be improved.

Apply these formatting fixes:

 utils:
   match_expression_statement:
-    kind: expression_statement
+     kind: expression_statement
     has:
-      stopBy: end
+       stopBy: end
     kind: method_invocation
     all:
       - has:
-          stopBy: end
+           stopBy: end
          kind: identifier
       - has:
-          stopBy: end
+           stopBy: end
          kind: identifier 
          regex: 'setFeature'

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 15-15: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 17-17: wrong indentation: expected 5 but found 4

(indentation)

---

[warning] 21-21: wrong indentation: expected 10 but found 9

(indentation)

---

[warning] 24-24: wrong indentation: expected 10 but found 9

(indentation)

---

[error] 25-25: trailing spaces

(trailing-spaces)

---

[error] 29-29: trailing spaces

(trailing-spaces)

---

[error] 32-32: trailing spaces

(trailing-spaces)

---

[warning] 33-33: wrong indentation: expected 12 but found 11

(indentation)

---

[warning] 37-37: wrong indentation: expected 12 but found 11

(indentation)

---

[error] 39-39: trailing spaces

(trailing-spaces)

tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml (1)

3-25: Consider obfuscating sensitive information in snapshots.

While these are test cases, consider:

1. Using placeholder values for database URLs
2. Adding comments to indicate these are non-production examples

rules/java/security/drivermanager-hardcoded-secret-java.yml (3)

1-13: Consider adding more security references

The rule metadata is well-structured, but consider adding these additional relevant references:

• OWASP Top 10 A07:2021 - Identification and Authentication Failures
• CWE-259: Use of Hard-coded Password

---

14-133: Pattern matching could be more comprehensive

Consider enhancing the patterns to catch these additional cases:

1. Properties files loaded via Properties.load()
2. Spring's JdbcTemplate configurations
3. Connection pools like HikariCP

Would you like me to provide example patterns for these cases?

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 16-16: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 18-18: wrong indentation: expected 5 but found 8

(indentation)

---

[warning] 31-31: wrong indentation: expected 14 but found 17

(indentation)

---

[error] 35-35: trailing spaces

(trailing-spaces)

---

[warning] 39-39: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 51-51: wrong indentation: expected 14 but found 17

(indentation)

---

[warning] 75-75: wrong indentation: expected 4 but found 3

(indentation)

---

[error] 78-78: trailing spaces

(trailing-spaces)

---

[warning] 85-85: wrong indentation: expected 11 but found 12

(indentation)

---

[warning] 88-88: wrong indentation: expected 14 but found 17

(indentation)

---

[warning] 92-92: wrong indentation: expected 19 but found 18

(indentation)

---

[warning] 95-95: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 98-98: wrong indentation: expected 9 but found 8

(indentation)

---

[warning] 101-101: wrong indentation: expected 10 but found 8

(indentation)

---

[warning] 102-102: wrong indentation: expected 12 but found 11

(indentation)

---

[warning] 106-106: wrong indentation: expected 12 but found 11

(indentation)

---

[error] 117-117: trailing spaces

(trailing-spaces)

---

[warning] 130-130: wrong indentation: expected 17 but found 16

(indentation)

---

133-143: Consider adding pattern validation

The rule structure is good, but consider adding validation to reduce false positives:

1. Check if the string is actually a password/secret using regex patterns
2. Exclude test files and example code

Example validation pattern:

exclude:
  - kind: file
    regex: '^.*[Tt]est.*\.java$'
validation:
  - kind: string_literal
    regex: '(?i).*(password|secret|key|token).*'

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b6d6f3 and 7444c82.

📒 Files selected for processing (9)

• rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml (1 hunks)
• rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml (1 hunks)
• rules/java/security/drivermanager-hardcoded-secret-java.yml (1 hunks)
• tests/__snapshots__/documentbuilderfactory-external-general-entities-true-java-snapshot.yml (1 hunks)
• tests/__snapshots__/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml (1 hunks)
• tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml (1 hunks)
• tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml (1 hunks)
• tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml (1 hunks)
• tests/java/drivermanager-hardcoded-secret-java-test.yml (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• tests/snapshots/documentbuilderfactory-external-general-entities-true-java-snapshot.yml
• tests/snapshots/documentbuilderfactory-external-parameter-entities-true-java-snapshot.yml

🧰 Additional context used

🪛 yamllint (1.35.1)

rules/java/security/documentbuilderfactory-external-general-entities-true-java.yml

[warning] 15-15: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 17-17: wrong indentation: expected 5 but found 4

(indentation)

---

[warning] 21-21: wrong indentation: expected 10 but found 9

(indentation)

---

[warning] 24-24: wrong indentation: expected 10 but found 9

(indentation)

---

[error] 25-25: trailing spaces

(trailing-spaces)

---

[error] 29-29: trailing spaces

(trailing-spaces)

---

[error] 32-32: trailing spaces

(trailing-spaces)

---

[warning] 33-33: wrong indentation: expected 12 but found 11

(indentation)

---

[warning] 37-37: wrong indentation: expected 12 but found 11

(indentation)

---

[error] 39-39: trailing spaces

(trailing-spaces)

---

[warning] 43-43: too many blank lines

(1 > 0) (empty-lines)

rules/java/security/drivermanager-hardcoded-secret-java.yml

[warning] 16-16: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 18-18: wrong indentation: expected 5 but found 8

(indentation)

---

[warning] 31-31: wrong indentation: expected 14 but found 17

(indentation)

---

[error] 35-35: trailing spaces

(trailing-spaces)

---

[warning] 39-39: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 51-51: wrong indentation: expected 14 but found 17

(indentation)

---

[warning] 75-75: wrong indentation: expected 4 but found 3

(indentation)

---

[error] 78-78: trailing spaces

(trailing-spaces)

---

[warning] 85-85: wrong indentation: expected 11 but found 12

(indentation)

---

[warning] 88-88: wrong indentation: expected 14 but found 17

(indentation)

---

[warning] 92-92: wrong indentation: expected 19 but found 18

(indentation)

---

[warning] 95-95: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 98-98: wrong indentation: expected 9 but found 8

(indentation)

---

[warning] 101-101: wrong indentation: expected 10 but found 8

(indentation)

---

[warning] 102-102: wrong indentation: expected 12 but found 11

(indentation)

---

[warning] 106-106: wrong indentation: expected 12 but found 11

(indentation)

---

[error] 117-117: trailing spaces

(trailing-spaces)

---

[warning] 130-130: wrong indentation: expected 17 but found 16

(indentation)

---

[error] 151-151: trailing spaces

(trailing-spaces)

---

[error] 152-152: trailing spaces

(trailing-spaces)

🔇 Additional comments (5)

tests/java/documentbuilderfactory-external-parameter-entities-true-java-test.yml (1)

1-4: LGTM! Valid case correctly demonstrates secure configuration.

The test correctly validates that setting external parameter entities to false is the secure configuration.

tests/java/documentbuilderfactory-external-general-entities-true-java-test.yml (1)

1-5: LGTM! Comprehensive coverage of valid cases.

The test correctly validates secure configurations for both DocumentBuilderFactory and SAXParserFactory.

rules/java/security/documentbuilderfactory-external-parameter-entities-true-java.yml (1)

1-3: LGTM! Appropriate severity level for XXE vulnerability.

The warning severity is appropriate for this security issue, and the language specification is correct.

tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml (1)

27-137: Improve snapshot organization and readability.

The snapshot file could benefit from:

1. Grouping similar test cases together
2. Adding descriptive comments for each test scenario
3. Using consistent indentation for label blocks

Additionally, verify that all test cases are properly covered:

✅ Verification successful

Let me gather more information about the test cases and snapshots to properly verify the coverage.

---

Snapshot coverage and organization is complete but could be improved

The snapshot file contains all test cases from the test file, with proper coverage of both valid and invalid cases. However, the original review suggestions for improving organization remain valid:

• Test cases could be grouped by similar patterns (e.g., DriverManager cases together, DriverManagerDataSource cases together)
• Missing descriptive comments to explain each test scenario
• Inconsistent indentation in label blocks

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if all test cases from the test file have corresponding snapshots

# Get test cases from the test file
echo "Checking test coverage..."
rg -U "invalid:(\n.*?){2,}" "tests/java/drivermanager-hardcoded-secret-java-test.yml" --multiline

# Compare with snapshots
echo "Checking corresponding snapshots..."
rg -U "snapshots:(\n.*?){2,}" "tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml" --multiline

Length of output: 384

---

Script:

#!/bin/bash
# Get the full content of both files to compare test cases and snapshots
echo "Test file content:"
cat tests/java/drivermanager-hardcoded-secret-java-test.yml

echo -e "\nSnapshot file content:"
cat tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml

Length of output: 4598

rules/java/security/drivermanager-hardcoded-secret-java.yml (1)

1-152: Verify rule coverage with test cases

Let's verify the rule's effectiveness against various scenarios:

✅ Verification successful

Rule implementation verified with comprehensive test coverage

The rule effectively detects hardcoded credentials in both DriverManager and DriverManagerDataSource implementations. Test cases cover all critical scenarios:

• Direct password in DriverManager.getConnection
• Variable-based password in DriverManager.getConnection
• DriverManagerDataSource with setPassword
• DriverManagerDataSource constructor with credentials
• Valid case without hardcoded credentials

The rule's patterns correctly match the security-critical paths while avoiding false positives, and the test cases validate both the positive and negative scenarios. The implementation aligns with the CWE-798 requirements for detecting hardcoded credentials.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check test coverage and potential false positives

# Find and analyze test files
echo "Analyzing test coverage..."
fd -e yml "drivermanager.*test" tests/java/

# Check for similar rules in other security tools
echo "Checking similar rules in other tools..."
rg -l "DriverManager.*getConnection|setPassword" rules/

Length of output: 373

---

Script:

#!/bin/bash
# Let's examine the test cases to verify rule coverage

echo "Analyzing test cases content..."
cat tests/java/drivermanager-hardcoded-secret-java-test.yml

echo -e "\nChecking for potential similar patterns..."
# Look for other potential patterns that might need coverage
rg "DriverManager|DataSource" -A 3 rules/java/security/

Length of output: 4688

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 16-16: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 18-18: wrong indentation: expected 5 but found 8

(indentation)

---

[warning] 31-31: wrong indentation: expected 14 but found 17

(indentation)

---

[error] 35-35: trailing spaces

(trailing-spaces)

---

[warning] 39-39: wrong indentation: expected 6 but found 8

(indentation)

---

[warning] 51-51: wrong indentation: expected 14 but found 17

(indentation)

---

[warning] 75-75: wrong indentation: expected 4 but found 3

(indentation)

---

[error] 78-78: trailing spaces

(trailing-spaces)

---

[warning] 85-85: wrong indentation: expected 11 but found 12

(indentation)

---

[warning] 88-88: wrong indentation: expected 14 but found 17

(indentation)

---

[warning] 92-92: wrong indentation: expected 19 but found 18

(indentation)

---

[warning] 95-95: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 98-98: wrong indentation: expected 9 but found 8

(indentation)

---

[warning] 101-101: wrong indentation: expected 10 but found 8

(indentation)

---

[warning] 102-102: wrong indentation: expected 12 but found 11

(indentation)

---

[warning] 106-106: wrong indentation: expected 12 but found 11

(indentation)

---

[error] 117-117: trailing spaces

(trailing-spaces)

---

[warning] 130-130: wrong indentation: expected 17 but found 16

(indentation)

---

[error] 151-151: trailing spaces

(trailing-spaces)

---

[error] 152-152: trailing spaces

(trailing-spaces)