new capacity bits (#67)

tests/fixtures/xxe/java/IrrelevantXmlCall.java

@@ -0,0 +1,15 @@
+// Baseline: tainted body flows through a non-parser XML helper
+// (StringBuilder concat).  No XML parser entry point, no XXE label
+// classification.  Used to confirm taint-xxe doesn't fire on stray
+// XML-adjacent string operations.
+import javax.servlet.http.HttpServletRequest;
+
+public class IrrelevantXmlCall {
+    public String handle(HttpServletRequest req) {
+        String body = req.getParameter("xml");
+        StringBuilder sb = new StringBuilder("<wrap>");
+        sb.append(body);
+        sb.append("</wrap>");
+        return sb.toString();
+    }
+}

tests/fixtures/xxe/java/SafeLog4jConfig.java

@@ -0,0 +1,23 @@
+// Safe counterpart to UnsafeLog4jConfig.java: DOMConfigurator-style XML
+// config loader, hardened by setting FEATURE_SECURE_PROCESSING + the
+// disallow-doctype-decl feature on the factory before the builder is
+// produced.  The xml_config sidecar records the hardening fact on the
+// factory's SSA value, propagates it to the builder via
+// `newDocumentBuilder()`, and the parse sink suppresses the XXE bit.
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import java.io.File;
+
+public class SafeLog4jConfig {
+    public Document loadConfig(HttpServletRequest req) throws Exception {
+        String configPath = req.getParameter("config");
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new File(configPath));
+    }
+}

tests/fixtures/xxe/java/SafeXxe.java

@@ -0,0 +1,10 @@
+// Safe: no XML parser sink reached, body just stored.  Used as a baseline
+// to confirm taint-xxe does not fire when the dangerous API is absent.
+import javax.servlet.http.HttpServletRequest;
+
+public class SafeXxe {
+    public String handle(HttpServletRequest req) {
+        String body = req.getParameter("xml");
+        return body.length() > 0 ? body : "empty";
+    }
+}

tests/fixtures/xxe/java/SafeXxeConfig.java

@@ -0,0 +1,23 @@
+// Safe: tainted XML routed through a hardened DocumentBuilder.  The
+// factory is configured with `FEATURE_SECURE_PROCESSING = true` before
+// the builder is produced, and the produced builder inherits that
+// hardening fact via the SSA xml-parser-config pass.  The downstream
+// `builder.parse(...)` sink call therefore sees a secure receiver and
+// the XXE bit is suppressed.
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import java.io.ByteArrayInputStream;
+
+public class SafeXxeConfig {
+    public Document handle(HttpServletRequest req) throws Exception {
+        String body = req.getParameter("xml");
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new ByteArrayInputStream(body.getBytes()));
+    }
+}

tests/fixtures/xxe/java/SafeXxePhi.java

@@ -0,0 +1,27 @@
+// Safe: parser variable reassigned across a branch; both branches harden
+// the receiver before reaching `parse`, so the SSA phi-meet preserves
+// the secure_processing fact.  Validates Phase 07 acceptance:
+// "Config fact correctly survives intra-procedural reassignment of the
+// parser variable through SSA phi."
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import java.io.ByteArrayInputStream;
+
+public class SafeXxePhi {
+    public Document handle(HttpServletRequest req, boolean useAlternate) throws Exception {
+        String body = req.getParameter("xml");
+        DocumentBuilderFactory factory;
+        if (useAlternate) {
+            factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } else {
+            factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        }
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new ByteArrayInputStream(body.getBytes()));
+    }
+}

tests/fixtures/xxe/java/UnsafeLog4jConfig.java

@@ -0,0 +1,23 @@
+// Unsafe: Log4Shell-shape XXE leg.  The DOMConfigurator-style loader
+// reads an XML config file path supplied by the user, then parses it
+// through DocumentBuilder without enabling FEATURE_SECURE_PROCESSING or
+// disallowing DOCTYPE declarations.  External entities resolve, giving
+// the attacker a file-disclosure / SSRF primitive on the host.  Real-
+// world precedent: CVE-2022-23305 / CVE-2022-23307 (Log4j 1.x JDBC /
+// chainsaw config XXE).  Exercises the TypeFacts-tagged builder receiver
+// + xml_config sidecar end-to-end: builder is XmlParser-typed, no
+// secure-processing fact recorded, parse fires the XXE sink.
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import java.io.File;
+
+public class UnsafeLog4jConfig {
+    public Document loadConfig(HttpServletRequest req) throws Exception {
+        String configPath = req.getParameter("config");
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new File(configPath));
+    }
+}

tests/fixtures/xxe/java/UnsafeXxe.java

@@ -0,0 +1,17 @@
+// Unsafe: tainted XML reaches DocumentBuilder.parse without secure-processing
+// configuration.  The instance receiver `builder` carries TypeKind::XmlParser
+// (Phase 07) so the type-qualified `XmlParser.parse` sink rule fires.
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import org.w3c.dom.Document;
+import java.io.ByteArrayInputStream;
+
+public class UnsafeXxe {
+    public Document handle(HttpServletRequest req) throws Exception {
+        String body = req.getParameter("xml");
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new ByteArrayInputStream(body.getBytes()));
+    }
+}