SoapUtil.java

package com.jsql.util;
import com.jsql.model.InjectionModel;
import com.jsql.model.exception.JSqlException;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.regex.Pattern;
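/**
 * Walks the XML body of a SOAP request and tests each text node as an injection point.
 *
 * <p>The raw request is parsed into a DOM, the {@code InjectionModel.STAR} marker is moved
 * from text node to text node, and after each move the rebuilt request is passed to the
 * request method's own parameter test.</p>
 */
public class SoapUtil {

    /**
     * Log4j logger sent to view.
     */
    private static final Logger LOGGER = LogManager.getRootLogger();

    private final InjectionModel injectionModel;

    public SoapUtil(InjectionModel injectionModel) {
        this.injectionModel = injectionModel;
    }

    /**
     * Runs the SOAP check unless an earlier check has already succeeded.
     *
     * @param hasFoundInjection outcome of the preceding checks; {@code true} is returned as is
     * @return {@code true} when an injection was already found or a SOAP text node passes the
     *         request test, {@code false} otherwise (including when the raw request cannot be
     *         parsed as XML)
     */
    public boolean testParameters(boolean hasFoundInjection) {
        if (hasFoundInjection) {
            return true;
        }
        LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "{} SOAP...", () -> I18nUtil.valueByKey("LOG_CHECKING"));

        if (
            this.injectionModel.getMediatorUtils().getPreferencesUtil().isCheckingAllSoapParam()
            && this.injectionModel.getMediatorUtils().getParameterUtil().isRequestSoap()
        ) {
            try {
                var doc = SoapUtil.convertToDocument(this.injectionModel.getMediatorUtils().getParameterUtil().getRawRequest());
                LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Parsing SOAP from Request...");
                return this.isTextNodeInjectable(doc, doc.getDocumentElement());
            } catch (Exception ignored) {
                // Deliberately broad and best effort: a request that is not well-formed XML and
                // any runtime failure during the walk are both reported as "not SOAP".
                // NOTE(review): the cause is dropped here, so a failure inside the walk is
                // indistinguishable from a parse error in the log.
                LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "SOAP not detected");
            }
        }
        return false;
    }

    /**
     * Parses an XML string into a DOM document with external resource access switched off.
     *
     * @param xmlStr XML text to parse
     * @return the parsed document
     * @throws ParserConfigurationException if the parser cannot be created with the requested
     *         configuration
     * @throws SAXException if a parse error occurs
     * @throws IOException if an I/O error occurs while reading the input
     */
    public static Document convertToDocument(String xmlStr) throws ParserConfigurationException, SAXException, IOException {
        var factory = DocumentBuilderFactory.newInstance();
        // Empty protocol lists: no external DTD or schema may be fetched while parsing.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, StringUtils.EMPTY);
        // Secure processing is a JAXP feature rather than an attribute; setFeature is the call
        // every DocumentBuilderFactory implementation is required to support for it.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Entity references stay as reference nodes instead of being expanded into the tree.
        factory.setExpandEntityReferences(false);
        // NOTE(review): a DOCTYPE declaration is still accepted by this configuration; only
        // external fetches are blocked. Confirm whether rejecting DOCTYPE outright is wanted.
        var builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xmlStr)));
    }

    /**
     * Tests, depth first, every text node below {@code node} until one passes the request test.
     *
     * <p>For each text node the marker is removed from the whole document, appended to that
     * node, and the serialized document is set as the new request before testing.</p>
     *
     * @param doc  document that owns {@code node}; it is modified in place
     * @param node subtree root whose descendants are tested
     * @return {@code true} as soon as one text node passes the request test, else {@code false}
     */
    public boolean isTextNodeInjectable(Document doc, Node node) {
        var children = node.getChildNodes();
        for (var i = 0; i < children.getLength(); i++) {
            var currentNode = children.item(i);
            if (currentNode.getNodeType() == Node.ELEMENT_NODE) {
                // Recurse into child elements before looking at later siblings.
                if (this.isTextNodeInjectable(doc, currentNode)) {
                    return true;
                }
            } else if (currentNode.getNodeType() == Node.TEXT_NODE) {
                // NOTE(review): every text node is tested, including whitespace-only nodes that
                // the parser keeps between indented elements; confirm that this is intended.

                // Only one marker may exist at a time: clear the previous one, then place it here.
                SoapUtil.removeInjectionPoint(doc, doc.getDocumentElement());
                currentNode.setTextContent(currentNode.getTextContent().replace(InjectionModel.STAR, StringUtils.EMPTY) + InjectionModel.STAR);
                // NOTE(review): convertDocumentToString returns null when serialization fails,
                // and that null is passed on unchanged; verify initRequest tolerates it.
                this.injectionModel.getMediatorUtils().getParameterUtil().initRequest(SoapUtil.convertDocumentToString(doc));

                try {
                    LOGGER.log(
                        LogLevelUtil.CONSOLE_INFORM,
                        "{} SOAP {}={}",
                        () -> I18nUtil.valueByKey("LOG_CHECKING"),
                        () -> currentNode.getParentNode().getNodeName(),
                        () -> currentNode.getTextContent().replace(InjectionModel.STAR, StringUtils.EMPTY)
                    );
                    if (this.injectionModel.getMediatorMethod().getRequest().testParameters()) {
                        return true;
                    }
                } catch (JSqlException e) {
                    // Injection failure on this node: report it and move on to the next one.
                    LOGGER.log(
                        LogLevelUtil.CONSOLE_ERROR,
                        String.format(
                            "No SOAP Request injection for %s=%s",
                            currentNode.getParentNode().getNodeName(),
                            currentNode.getTextContent().replace(InjectionModel.STAR, StringUtils.EMPTY)
                        )
                    );
                }
            }
        }
        return false;
    }

    /**
     * Strips trailing {@code InjectionModel.STAR} markers from every text node below {@code node}.
     *
     * @param doc  owning document; not read by this method, kept for the recursive signature
     * @param node subtree root whose text nodes are cleaned in place
     */
    public static void removeInjectionPoint(Document doc, Node node) {
        var children = node.getChildNodes();
        for (var i = 0; i < children.getLength(); i++) {
            var currentNode = children.item(i);
            if (currentNode.getNodeType() == Node.ELEMENT_NODE) {
                SoapUtil.removeInjectionPoint(doc, currentNode);
            } else if (currentNode.getNodeType() == Node.TEXT_NODE) {
                // The marker is quoted so it is matched literally; only a run at the end of the
                // text is removed.
                currentNode.setTextContent(
                    currentNode
                    .getTextContent()
                    .replaceAll(Pattern.quote(InjectionModel.STAR) + "*$", StringUtils.EMPTY)
                );
            }
        }
    }

    /**
     * Serializes a DOM document back to its XML text.
     *
     * @param doc document to serialize
     * @return the XML text, or {@code null} when the transformation fails
     */
    private static String convertDocumentToString(Document doc) {
        var transformerFactory = TransformerFactory.newInstance();
        // Empty protocol lists: the transformer may not fetch external DTDs or stylesheets.
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, StringUtils.EMPTY);
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, StringUtils.EMPTY);

        String output = null;
        try {
            var transformer = transformerFactory.newTransformer();
            var writer = new StringWriter();
            transformer.transform(new DOMSource(doc), new StreamResult(writer));
            output = writer.getBuffer().toString();
        } catch (TransformerException e) {
            // The null result is kept for callers, but the failure is no longer silent.
            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "SOAP document serialization failed", e);
        }
        return output;
    }
}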

Mutations

39

1.1
Location : testParameters
Killed by : none
negated conditional → NO_COVERAGE

42

1.1
Location : testParameters
Killed by : none
replaced boolean return with false for com/jsql/util/SoapUtil::testParameters → NO_COVERAGE

46

1.1
Location : testParameters
Killed by : none
negated conditional → NO_COVERAGE

47

1.1
Location : testParameters
Killed by : none
negated conditional → NO_COVERAGE

52

1.1
Location : testParameters
Killed by : none
replaced boolean return with true for com/jsql/util/SoapUtil::testParameters → NO_COVERAGE

2.2
Location : testParameters
Killed by : none
replaced boolean return with false for com/jsql/util/SoapUtil::testParameters → NO_COVERAGE

57

1.1
Location : testParameters
Killed by : none
replaced boolean return with true for com/jsql/util/SoapUtil::testParameters → NO_COVERAGE

62

1.1
Location : convertToDocument
Killed by : none
removed call to javax/xml/parsers/DocumentBuilderFactory::setAttribute → NO_COVERAGE

63

1.1
Location : convertToDocument
Killed by : none
removed call to javax/xml/parsers/DocumentBuilderFactory::setAttribute → NO_COVERAGE

64

1.1
Location : convertToDocument
Killed by : none
removed call to javax/xml/parsers/DocumentBuilderFactory::setAttribute → NO_COVERAGE

65

1.1
Location : convertToDocument
Killed by : none
removed call to javax/xml/parsers/DocumentBuilderFactory::setExpandEntityReferences → NO_COVERAGE

67

1.1
Location : convertToDocument
Killed by : none
replaced return value with null for com/jsql/util/SoapUtil::convertToDocument → NO_COVERAGE

72

1.1
Location : isTextNodeInjectable
Killed by : none
negated conditional → NO_COVERAGE

2.2
Location : isTextNodeInjectable
Killed by : none
changed conditional boundary → NO_COVERAGE

74

1.1
Location : isTextNodeInjectable
Killed by : none
negated conditional → NO_COVERAGE

75

1.1
Location : isTextNodeInjectable
Killed by : none
negated conditional → NO_COVERAGE

76

1.1
Location : isTextNodeInjectable
Killed by : none
replaced boolean return with false for com/jsql/util/SoapUtil::isTextNodeInjectable → NO_COVERAGE

78

1.1
Location : isTextNodeInjectable
Killed by : none
negated conditional → NO_COVERAGE

80

1.1
Location : isTextNodeInjectable
Killed by : none
removed call to com/jsql/util/SoapUtil::removeInjectionPoint → NO_COVERAGE

81

1.1
Location : isTextNodeInjectable
Killed by : none
removed call to org/w3c/dom/Node::setTextContent → NO_COVERAGE

82

1.1
Location : isTextNodeInjectable
Killed by : none
removed call to com/jsql/util/ParameterUtil::initRequest → NO_COVERAGE

88

1.1
Location : lambda$isTextNodeInjectable$1
Killed by : none
replaced return value with null for com/jsql/util/SoapUtil::lambda$isTextNodeInjectable$1 → NO_COVERAGE

89

1.1
Location : lambda$isTextNodeInjectable$2
Killed by : none
replaced return value with null for com/jsql/util/SoapUtil::lambda$isTextNodeInjectable$2 → NO_COVERAGE

90

1.1
Location : lambda$isTextNodeInjectable$3
Killed by : none
replaced return value with null for com/jsql/util/SoapUtil::lambda$isTextNodeInjectable$3 → NO_COVERAGE

92

1.1
Location : isTextNodeInjectable
Killed by : none
negated conditional → NO_COVERAGE

93

1.1
Location : isTextNodeInjectable
Killed by : none
replaced boolean return with false for com/jsql/util/SoapUtil::isTextNodeInjectable → NO_COVERAGE

108

1.1
Location : isTextNodeInjectable
Killed by : none
replaced boolean return with true for com/jsql/util/SoapUtil::isTextNodeInjectable → NO_COVERAGE

113

1.1
Location : removeInjectionPoint
Killed by : none
negated conditional → NO_COVERAGE

2.2
Location : removeInjectionPoint
Killed by : none
changed conditional boundary → NO_COVERAGE

115

1.1
Location : removeInjectionPoint
Killed by : none
negated conditional → NO_COVERAGE

116

1.1
Location : removeInjectionPoint
Killed by : none
removed call to com/jsql/util/SoapUtil::removeInjectionPoint → NO_COVERAGE

117

1.1
Location : removeInjectionPoint
Killed by : none
negated conditional → NO_COVERAGE

118

1.1
Location : removeInjectionPoint
Killed by : none
removed call to org/w3c/dom/Node::setTextContent → NO_COVERAGE

129

1.1
Location : convertDocumentToString
Killed by : none
removed call to javax/xml/transform/TransformerFactory::setAttribute → NO_COVERAGE

130

1.1
Location : convertDocumentToString
Killed by : none
removed call to javax/xml/transform/TransformerFactory::setAttribute → NO_COVERAGE

136

1.1
Location : convertDocumentToString
Killed by : none
removed call to javax/xml/transform/Transformer::transform → NO_COVERAGE

141

1.1
Location : convertDocumentToString
Killed by : none
replaced return value with "" for com/jsql/util/SoapUtil::convertDocumentToString → NO_COVERAGE

Active mutators

Tests examined


Report generated by PIT 1.19.1