# Semgrep security rules for Familienarchiv backend.
# These rules catch the absence of XXE protection on XML parser factories.
# CWE-611: Improper Restriction of XML External Entity Reference.
# Run: semgrep --config .semgrep/security.yml --error backend/src/

rules:
  # DocumentBuilderFactory without XXE hardening.
  # All call sites must call setFeature("…disallow-doctype-decl", true) before use.
  - id: dbf-xxe-default
    patterns:
      - pattern: $X = DocumentBuilderFactory.newInstance();
      - pattern-not-inside: |
          ...
          $X.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
          ...
    message: >
      DocumentBuilderFactory without XXE protection (CWE-611).
      Call XxeSafeXmlParser.hardenedFactory() instead of DocumentBuilderFactory.newInstance().
    languages: [java]
    severity: WARNING

  # SAXParserFactory without XXE hardening.
  - id: sax-xxe-default
    patterns:
      - pattern: $X = SAXParserFactory.newInstance();
      - pattern-not-inside: |
          ...
          $X.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
          ...
    message: >
      SAXParserFactory without XXE protection (CWE-611).
      Apply disallow-doctype-decl and disable external entity features before use.
    languages: [java]
    severity: WARNING

  # XMLInputFactory without XXE hardening (StAX parser).
  - id: stax-xxe-default
    patterns:
      - pattern: $X = XMLInputFactory.newInstance();
      - pattern-not-inside: |
          ...
          $X.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
          ...
    message: >
      XMLInputFactory without XXE protection (CWE-611).
      Set IS_SUPPORTING_EXTERNAL_ENTITIES to false and SUPPORT_DTD to false before use.
    languages: [java]
    severity: WARNING
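# Added example, not the project's own code: one way to write the XxeSafeXmlParser.hardenedFactory()
# helper that the dbf-xxe-default message points to, plus SAX and StAX variants that satisfy the
# other two rules. Only the class and method name come from the rule message; the body is an assumption.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.SAXException;

/** Hardened XML parser factories; exists so call sites never touch newInstance() directly. */
public final class XxeSafeXmlParser {

    private XxeSafeXmlParser() {}

    /** DOM factory. Rejecting every DOCTYPE means no entity declaration is ever parsed. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The literal feature URI is exactly what rule dbf-xxe-default matches on.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: also switch off external entities in case a parser ignores the flag above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** SAX factory with the same features (rule sax-xxe-default). */
    public static SAXParserFactory hardenedSaxFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf;
    }

    /** StAX factory: the two properties rule stax-xxe-default asks for. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return xif;
    }
}
```

# The feature URIs are kept as string literals at each call site so the text of the setFeature call is
# identical to the pattern-not-inside string above; factoring them into constants can leave the rule unable
# to see the hardening and produce a false positive.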