Sonar codemod to Add a private constructor to hide the implicit public one. (#256)

Utility classes should not have public constructors

Author: carlosu7

core-codemods/src/main/java/io/codemodder/codemods/AvoidImplicitPublicConstructorCodemod.java

@@ -0,0 +1,60 @@
+package io.codemodder.codemods;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.Modifier;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.NodeList;
+import com.github.javaparser.ast.body.BodyDeclaration;
+import com.github.javaparser.ast.body.ClassOrInterfaceDeclaration;
+import com.github.javaparser.ast.body.ConstructorDeclaration;
+import com.github.javaparser.ast.expr.SimpleName;
+import io.codemodder.*;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleIssues;
+import io.codemodder.providers.sonar.SonarPluginJavaParserChanger;
+import io.codemodder.providers.sonar.api.Issue;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod for setting a private constructor to hide implicit public constructor (Sonar) */
+@Codemod(
+    id = "sonar:java/avoid-implicit-public-constructor-s1118",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class AvoidImplicitPublicConstructorCodemod
+    extends SonarPluginJavaParserChanger<SimpleName> {
+
+  @Inject
+  public AvoidImplicitPublicConstructorCodemod(
+      @ProvidedSonarScan(ruleId = "java:S1118") final RuleIssues issues) {
+    super(issues, SimpleName.class, RegionNodeMatcher.MATCHES_START);
+  }
+
+  @Override
+  public boolean onIssueFound(
+      final CodemodInvocationContext context,
+      final CompilationUnit cu,
+      final SimpleName simpleName,
+      final Issue issue) {
+
+    final Optional<Node> classOptional = simpleName.getParentNode();
+
+    if (classOptional.isPresent()
+        && classOptional.get() instanceof ClassOrInterfaceDeclaration classNode) {
+      // Create a constructor
+      final ConstructorDeclaration constructor = new ConstructorDeclaration();
+      constructor.setName(classNode.getName());
+      constructor.setModifiers(Modifier.privateModifier().getKeyword());
+
+      // Add the constructor at the beginning of the class node's members
+      NodeList<BodyDeclaration<?>> members = classNode.getMembers();
+      members.add(0, constructor);
+
+      // Update the class node's members
+      classNode.setMembers(members);
+      return true; // Return true if the modification was successful
+    }
+
+    return false;
+  }
+}

core-codemods/src/main/resources/io/codemodder/codemods/AvoidImplicitPublicConstructorCodemod/description.md

@@ -0,0 +1,9 @@
+This change adds private constructors to utility classes. Utility classes are only meant to be accessed statically. Since they're not meant to be instantiated, we can use the Java's code visibility protections to hide the constructor and prevent unintended or malicious access.
+
+Our changes look something like this:
+
+```diff
+   public class Utils {
++    private Utils() {}
+     ...
+```

core-codemods/src/main/resources/io/codemodder/codemods/AvoidImplicitPublicConstructorCodemod/report.json

@@ -0,0 +1,7 @@
+{
+  "summary" : "Set private constructor to hide implicit public constructor (Sonar)",
+  "change" : "Set private constructor to hide implicit public constructor",
+  "references" : [
+    "https://rules.sonarsource.com/java/RSPEC-1118/"
+  ]
+}

core-codemods/src/test/java/io/codemodder/codemods/AvoidImplicitPublicConstructorCodemodTest.java

@@ -0,0 +1,11 @@
+package io.codemodder.codemods;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = AvoidImplicitPublicConstructorCodemod.class,
+    testResourceDir = "avoid-implicit-public-constructor-s1118",
+    renameTestFile = "src/main/java/org/owasp/webgoat/lessons/cryptography/CryptoUtil.java",
+    dependencies = {})
+final class AvoidImplicitPublicConstructorCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/resources/avoid-implicit-public-constructor-s1118/Test.java.after

@@ -0,0 +1,146 @@
+package org.owasp.webgoat.lessons.cryptography;
+
+import java.math.BigInteger;
+import java.nio.charset.Charset;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Signature;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.RSAKeyGenParameterSpec;
+import java.util.Base64;
+import javax.xml.bind.DatatypeConverter;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class CryptoUtil {
+
+private CryptoUtil() {
+}
+
+  private static final BigInteger[] FERMAT_PRIMES = {
+    BigInteger.valueOf(3),
+    BigInteger.valueOf(5),
+    BigInteger.valueOf(17),
+    BigInteger.valueOf(257),
+    BigInteger.valueOf(65537)
+  };
+
+  public static KeyPair generateKeyPair()
+      throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+    RSAKeyGenParameterSpec kpgSpec =
+        new RSAKeyGenParameterSpec(
+            2048, FERMAT_PRIMES[new SecureRandom().nextInt(FERMAT_PRIMES.length)]);
+    keyPairGenerator.initialize(kpgSpec);
+    // keyPairGenerator.initialize(2048);
+    return keyPairGenerator.generateKeyPair();
+  }
+
+  public static String getPrivateKeyInPEM(KeyPair keyPair) {
+    String encodedString = "-----BEGIN PRIVATE KEY-----\n";
+    encodedString =
+        encodedString
+            + new String(
+                Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),
+                Charset.forName("UTF-8"))
+            + "\n";
+    encodedString = encodedString + "-----END PRIVATE KEY-----\n";
+    return encodedString;
+  }
+
+  public static String signMessage(String message, PrivateKey privateKey) {
+
+    log.debug("start signMessage");
+    String signature = null;
+
+    try {
+      // Initiate signature verification
+      Signature instance = Signature.getInstance("SHA256withRSA");
+      instance.initSign(privateKey);
+      instance.update(message.getBytes("UTF-8"));
+
+      // actual verification against signature
+      signature = new String(Base64.getEncoder().encode(instance.sign()), Charset.forName("UTF-8"));
+
+      log.info("signe the signature with result: {}", signature);
+    } catch (Exception e) {
+      log.error("Signature signing failed", e);
+    }
+
+    log.debug("end signMessage");
+    return signature;
+  }
+
+  public static boolean verifyMessage(
+      String message, String base64EncSignature, PublicKey publicKey) {
+
+    log.debug("start verifyMessage");
+    boolean result = false;
+
+    try {
+
+      base64EncSignature = base64EncSignature.replace("\r", "").replace("\n", "").replace(" ", "");
+      // get raw signature from base64 encrypted string in header
+      byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
+
+      // Initiate signature verification
+      Signature instance = Signature.getInstance("SHA256withRSA");
+      instance.initVerify(publicKey);
+      instance.update(message.getBytes("UTF-8"));
+
+      // actual verification against signature
+      result = instance.verify(decodedSignature);
+
+      log.info("Verified the signature with result: {}", result);
+    } catch (Exception e) {
+      log.error("Signature verification failed", e);
+    }
+
+    log.debug("end verifyMessage");
+    return result;
+  }
+
+  public static boolean verifyAssignment(String modulus, String signature, PublicKey publicKey) {
+
+    /* first check if the signature is correct, i.e. right private key and right hash */
+    boolean result = false;
+
+    if (modulus != null && signature != null) {
+      result = verifyMessage(modulus, signature, publicKey);
+
+      /*
+       * next check if the submitted modulus is the correct modulus of the public key
+       */
+      RSAPublicKey rsaPubKey = (RSAPublicKey) publicKey;
+      if (modulus.length() == 512) {
+        modulus = "00".concat(modulus);
+      }
+      result =
+          result
+              && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray())
+                  .equals(modulus.toUpperCase()));
+    }
+    return result;
+  }
+
+  public static PrivateKey getPrivateKeyFromPEM(String privateKeyPem)
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+    privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
+    privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
+    privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
+
+    byte[] decoded = Base64.getDecoder().decode(privateKeyPem);
+
+    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
+    KeyFactory kf = KeyFactory.getInstance("RSA");
+    return kf.generatePrivate(spec);
+  }
+}

core-codemods/src/test/resources/avoid-implicit-public-constructor-s1118/Test.java.before

@@ -0,0 +1,143 @@
+package org.owasp.webgoat.lessons.cryptography;
+
+import java.math.BigInteger;
+import java.nio.charset.Charset;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.Signature;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.RSAKeyGenParameterSpec;
+import java.util.Base64;
+import javax.xml.bind.DatatypeConverter;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+public class CryptoUtil {
+
+  private static final BigInteger[] FERMAT_PRIMES = {
+    BigInteger.valueOf(3),
+    BigInteger.valueOf(5),
+    BigInteger.valueOf(17),
+    BigInteger.valueOf(257),
+    BigInteger.valueOf(65537)
+  };
+
+  public static KeyPair generateKeyPair()
+      throws NoSuchAlgorithmException, InvalidAlgorithmParameterException {
+    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+    RSAKeyGenParameterSpec kpgSpec =
+        new RSAKeyGenParameterSpec(
+            2048, FERMAT_PRIMES[new SecureRandom().nextInt(FERMAT_PRIMES.length)]);
+    keyPairGenerator.initialize(kpgSpec);
+    // keyPairGenerator.initialize(2048);
+    return keyPairGenerator.generateKeyPair();
+  }
+
+  public static String getPrivateKeyInPEM(KeyPair keyPair) {
+    String encodedString = "-----BEGIN PRIVATE KEY-----\n";
+    encodedString =
+        encodedString
+            + new String(
+                Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),
+                Charset.forName("UTF-8"))
+            + "\n";
+    encodedString = encodedString + "-----END PRIVATE KEY-----\n";
+    return encodedString;
+  }
+
+  public static String signMessage(String message, PrivateKey privateKey) {
+
+    log.debug("start signMessage");
+    String signature = null;
+
+    try {
+      // Initiate signature verification
+      Signature instance = Signature.getInstance("SHA256withRSA");
+      instance.initSign(privateKey);
+      instance.update(message.getBytes("UTF-8"));
+
+      // actual verification against signature
+      signature = new String(Base64.getEncoder().encode(instance.sign()), Charset.forName("UTF-8"));
+
+      log.info("signe the signature with result: {}", signature);
+    } catch (Exception e) {
+      log.error("Signature signing failed", e);
+    }
+
+    log.debug("end signMessage");
+    return signature;
+  }
+
+  public static boolean verifyMessage(
+      String message, String base64EncSignature, PublicKey publicKey) {
+
+    log.debug("start verifyMessage");
+    boolean result = false;
+
+    try {
+
+      base64EncSignature = base64EncSignature.replace("\r", "").replace("\n", "").replace(" ", "");
+      // get raw signature from base64 encrypted string in header
+      byte[] decodedSignature = Base64.getDecoder().decode(base64EncSignature);
+
+      // Initiate signature verification
+      Signature instance = Signature.getInstance("SHA256withRSA");
+      instance.initVerify(publicKey);
+      instance.update(message.getBytes("UTF-8"));
+
+      // actual verification against signature
+      result = instance.verify(decodedSignature);
+
+      log.info("Verified the signature with result: {}", result);
+    } catch (Exception e) {
+      log.error("Signature verification failed", e);
+    }
+
+    log.debug("end verifyMessage");
+    return result;
+  }
+
+  public static boolean verifyAssignment(String modulus, String signature, PublicKey publicKey) {
+
+    /* first check if the signature is correct, i.e. right private key and right hash */
+    boolean result = false;
+
+    if (modulus != null && signature != null) {
+      result = verifyMessage(modulus, signature, publicKey);
+
+      /*
+       * next check if the submitted modulus is the correct modulus of the public key
+       */
+      RSAPublicKey rsaPubKey = (RSAPublicKey) publicKey;
+      if (modulus.length() == 512) {
+        modulus = "00".concat(modulus);
+      }
+      result =
+          result
+              && (DatatypeConverter.printHexBinary(rsaPubKey.getModulus().toByteArray())
+                  .equals(modulus.toUpperCase()));
+    }
+    return result;
+  }
+
+  public static PrivateKey getPrivateKeyFromPEM(String privateKeyPem)
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+    privateKeyPem = privateKeyPem.replace("-----BEGIN PRIVATE KEY-----", "");
+    privateKeyPem = privateKeyPem.replace("-----END PRIVATE KEY-----", "");
+    privateKeyPem = privateKeyPem.replace("\n", "").replace("\r", "");
+
+    byte[] decoded = Base64.getDecoder().decode(privateKeyPem);
+
+    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decoded);
+    KeyFactory kf = KeyFactory.getInstance("RSA");
+    return kf.generatePrivate(spec);
+  }
+}