Added new codemod to fix SQL table injections (#412)

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
Co-authored-by: pixeebot[bot] <pixeebot[bot]@users.noreply.github.com>
Co-authored-by: Arshan Dabirsiaghi <[email protected]>

Author: 3 people

core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java

@@ -2,12 +2,12 @@
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
-import io.codemodder.codemods.util.JavaParserSQLInjectionRemediatorStrategy;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.javaparser.JavaParserChanger;
 import io.codemodder.providers.defectdojo.DefectDojoScan;
 import io.codemodder.providers.defectdojo.Finding;
 import io.codemodder.providers.defectdojo.RuleFindings;
+import io.codemodder.remediation.sqlinjection.JavaParserSQLInjectionRemediatorStrategy;
 import java.util.List;
 import java.util.Objects;
 import javax.inject.Inject;

core-codemods/src/main/java/io/codemodder/codemods/HQLParameterizationCodemod.java

@@ -11,6 +11,7 @@
 import io.codemodder.*;
 import io.codemodder.ast.ASTTransforms;
 import io.codemodder.javaparser.JavaParserChanger;
+import io.codemodder.remediation.sqlinjection.QueryParameterizer;
 import java.util.ArrayList;
 import java.util.Deque;
 import java.util.List;

core-codemods/src/main/java/io/codemodder/codemods/SQLParameterizerCodemod.java

@@ -4,6 +4,7 @@
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.*;
 import io.codemodder.javaparser.JavaParserChanger;
+import io.codemodder.remediation.sqlinjection.SQLParameterizerWithCleanup;
 import java.util.List;
 import java.util.Optional;
 

core-codemods/src/main/java/io/codemodder/codemods/SonarSQLInjectionCodemod.java

@@ -2,12 +2,12 @@
 
 import com.github.javaparser.ast.CompilationUnit;
 import io.codemodder.*;
-import io.codemodder.codemods.util.JavaParserSQLInjectionRemediatorStrategy;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.providers.sonar.ProvidedSonarScan;
 import io.codemodder.providers.sonar.RuleHotspot;
 import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
 import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.sqlinjection.JavaParserSQLInjectionRemediatorStrategy;
 import io.codemodder.sonar.model.Hotspot;
 import io.codemodder.sonar.model.SonarFinding;
 import java.util.List;

core-codemods/src/test/java/io/codemodder/codemods/AlphanumericBlacklistFilter.java

@@ -0,0 +1,37 @@
+package io.codemodder.codemods;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.util.regex.Pattern;
+import org.junit.jupiter.api.Test;
+
+final class AlphanumericBlacklistFilterTest {
+
+  String validateTableName(final String tablename) {
+    Pattern regex = Pattern.compile("[a-zA-Z0-9_]+(.[a-zA-Z0-9_]+)?");
+    if (!regex.matcher(tablename).matches()) {
+      throw new SecurityException("Supplied table name contains non-alphanumeric characters");
+    }
+    return tablename;
+  }
+
+  @Test
+  void it_tests_basic_alpha_string() {
+    String tablename = "the_quick_brown_fox_jumps_over_the_lazy_dog_1234567890";
+    assertEquals(validateTableName(tablename), tablename);
+  }
+
+  @Test
+  void it_accepts_schema_table_name() {
+    String tablename = "schema.table";
+    assertEquals(validateTableName(tablename), tablename);
+  }
+
+  @Test
+  void it_rejects_non_alphanumeric() {
+    String tablename = "\"reject_this\" where 1=1";
+    SecurityException e = assertThrows(SecurityException.class, () -> validateTableName(tablename));
+    assertEquals("Supplied table name contains non-alphanumeric characters", e.getMessage());
+  }
+}

core-codemods/src/test/java/io/codemodder/codemods/SonarSQLInjectionCodemodTest.java

@@ -24,4 +24,13 @@ class UnsupportedTest implements CodemodTestMixin {}
       expectingFixesAtLines = {69},
       dependencies = {})
   class SupportedTest implements CodemodTestMixin {}
+
+  @Nested
+  @Metadata(
+      codemodType = SonarSQLInjectionCodemod.class,
+      testResourceDir = "sonar-sql-injection-s2077/supportedTableInjection",
+      renameTestFile = "core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      expectingFixesAtLines = {19, 25, 33, 40},
+      dependencies = {})
+  class SupportedTableInjectionTest implements CodemodTestMixin {}
 }

core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedTableInjection/SQLTest.java.after

@@ -0,0 +1,59 @@
+package com.acme.testcode;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.sql.PreparedStatement;
+import java.util.Scanner;
+import java.util.regex.Pattern;
+
+public final class SQLTest {
+
+  private Connection conn;
+
+  public ResultSet simpleIndirect() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    String sql = "SELECT * FROM " + validateTableName(input + "");
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery(sql);
+  }
+
+  public boolean simplePreparedStatementDirect() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    PreparedStatement stmt = conn.prepareStatement("SELECT * FROM " + validateTableName(input + ""));
+    return stmt.execute();
+  }
+
+  public ResultSet deleteStatement() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery("DELETE FROM " + validateTableName(input + "") + " WHERE 1=1");
+  }
+
+  public ResultSet withQuotes() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery("DELETE FROM \"" + validateTableName(input + "") + "\" WHERE 1=1");
+  }
+
+  public ResultSet ignoreStatic() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery("SELECT * FROM " + "user_table");
+  }
+  
+  String validateTableName(final String tablename) {
+      Pattern regex = Pattern.compile("[a-zA-Z0-9_]+(.[a-zA-Z0-9_]+)?");
+      if (!regex.matcher(tablename).matches()) {
+          throw new SecurityException("Supplied table name contains non-alphanumeric characters");
+      }
+      return tablename;
+  }
+
+}

core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedTableInjection/SQLTest.java.before

@@ -0,0 +1,50 @@
+package com.acme.testcode;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.sql.PreparedStatement;
+import java.util.Scanner;
+
+public final class SQLTest {
+
+  private Connection conn;
+
+  public ResultSet simpleIndirect() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    String sql = "SELECT * FROM " + input;
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery(sql);
+  }
+
+  public boolean simplePreparedStatementDirect() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    PreparedStatement stmt = conn.prepareStatement("SELECT * FROM " + input);
+    return stmt.execute();
+  }
+
+  public ResultSet deleteStatement() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery("DELETE FROM " + input + " WHERE 1=1");
+  }
+
+  public ResultSet withQuotes() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery("DELETE FROM \"" + input + "\" WHERE 1=1");
+  }
+
+  public ResultSet ignoreStatic() throws SQLException {
+    Scanner scanner = new Scanner(System.in);
+    String input = scanner.nextLine();
+    Statement stmt = conn.createStatement();
+    return stmt.executeQuery("SELECT * FROM " + "user_table");
+  }
+
+}

core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedTableInjection/sonar-hotspots.json

@@ -0,0 +1,108 @@
+{
+  "paging": {
+    "pageIndex": 1,
+    "pageSize": 100,
+    "total": 4
+  },
+  "hotspots": [
+    {
+      "key": "AZCR88Tp4FI6qXo1Oo7Z",
+      "component": "pixee_codemodder-java:core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "project": "pixee_codemodder-java",
+      "securityCategory": "sql-injection",
+      "vulnerabilityProbability": "HIGH",
+      "status": "TO_REVIEW",
+      "line": 19,
+      "message": "Make sure using a dynamically formatted SQL query is safe here.",
+      "creationDate": "2024-07-08T12:45:43+0200",
+      "updateDate": "2024-07-08T12:45:59+0200",
+      "textRange": {
+        "startLine": 19,
+        "endLine": 19,
+        "startOffset": 29,
+        "endOffset": 32
+      },
+      "flows": [],
+      "ruleKey": "java:S2077"
+    },
+    {
+      "key": "AZCR9sx3sB8d7cmTiSDr",
+      "component": "pixee_codemodder-java:core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "project": "pixee_codemodder-java",
+      "securityCategory": "sql-injection",
+      "vulnerabilityProbability": "HIGH",
+      "status": "TO_REVIEW",
+      "line": 25,
+      "message": "Make sure using a dynamically formatted SQL query is safe here.",
+      "creationDate": "2024-07-08T12:49:19+0200",
+      "updateDate": "2024-07-08T12:49:19+0200",
+      "textRange": {
+        "startLine": 25,
+        "endLine": 25,
+        "startOffset": 51,
+        "endOffset": 75
+      },
+      "flows": [],
+      "ruleKey": "java:S2077"
+    },
+    {
+      "key": "AZCR9sx3sB8d7cmTiSDs",
+      "component": "pixee_codemodder-java:core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "project": "pixee_codemodder-java",
+      "securityCategory": "sql-injection",
+      "vulnerabilityProbability": "HIGH",
+      "status": "TO_REVIEW",
+      "line": 33,
+      "message": "Make sure using a dynamically formatted SQL query is safe here.",
+      "creationDate": "2024-07-08T12:49:19+0200",
+      "updateDate": "2024-07-08T12:49:19+0200",
+      "textRange": {
+        "startLine": 33,
+        "endLine": 33,
+        "startOffset": 29,
+        "endOffset": 66
+      },
+      "flows": [],
+      "ruleKey": "java:S2077"
+    },
+    {
+      "key": "AZCR9sx3sB8d7cmTiSDt",
+      "component": "pixee_codemodder-java:core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "project": "pixee_codemodder-java",
+      "securityCategory": "sql-injection",
+      "vulnerabilityProbability": "HIGH",
+      "status": "TO_REVIEW",
+      "line": 40,
+      "message": "Make sure using a dynamically formatted SQL query is safe here.",
+      "creationDate": "2024-07-08T12:49:19+0200",
+      "updateDate": "2024-07-08T12:49:19+0200",
+      "textRange": {
+        "startLine": 40,
+        "endLine": 40,
+        "startOffset": 29,
+        "endOffset": 70
+      },
+      "flows": [],
+      "ruleKey": "java:S2077"
+    }
+  ],
+  "components": [
+    {
+      "organization": "pixee",
+      "key": "pixee_codemodder-java",
+      "qualifier": "TRK",
+      "name": "codemodder-java",
+      "longName": "codemodder-java",
+      "pullRequest": "412"
+    },
+    {
+      "organization": "pixee",
+      "key": "pixee_codemodder-java:core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "qualifier": "FIL",
+      "name": "SQLTest.java",
+      "longName": "core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "path": "core-codemods/src/main/java/io/codemodder/codemods/SQLTest.java",
+      "pullRequest": "412"
+    }
+  ]
+}

framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/DefaultHQLInjectionRemediator.java

@@ -0,0 +1,3 @@
+package io.codemodder.remediation.sqlinjection;
+
+final class DefaultHQLInjectionRemediator implements HQLInjectionRemediator {}