SQL Injection visitor utility (#383)

carlosu7 · web-flow · commit 8be323fb5b51 · 2024-06-13T21:45:32.000-06:00
Utility to help implement sql injection codemods' visit method
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java b/core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java
@@ -1,16 +1,13 @@
 package io.codemodder.codemods;
 
 import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.*;
+import io.codemodder.codemods.util.JavaParserSQLInjectionRemediatorStrategy;
 import io.codemodder.codetf.DetectorRule;
-import io.codemodder.codetf.FixedFinding;
-import io.codemodder.codetf.UnfixedFinding;
 import io.codemodder.javaparser.JavaParserChanger;
 import io.codemodder.providers.defectdojo.DefectDojoScan;
 import io.codemodder.providers.defectdojo.Finding;
 import io.codemodder.providers.defectdojo.RuleFindings;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
 import javax.inject.Inject;
@@ -52,73 +49,14 @@ public DetectorRule detectorRule() {
   @Override
   public CodemodFileScanningResult visit(
       final CodemodInvocationContext context, final CompilationUnit cu) {
-
-    List<MethodCallExpr> allMethodCalls = cu.findAll(MethodCallExpr.class);
-
     List<Finding> findingsForThisPath = findings.getForPath(context.path());
-    if (findingsForThisPath.isEmpty()) {
-      return CodemodFileScanningResult.none();
-    }
-
-    List<UnfixedFinding> unfixedFindings = new ArrayList<>();
-
-    List<CodemodChange> changes = new ArrayList<>();
-    for (Finding finding : findingsForThisPath) {
-      String id = String.valueOf(finding.getId());
-      Integer line = finding.getLine();
-      if (line == null) {
-        UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id, detectorRule(), context.path().toString(), null, "No line number provided");
-        unfixedFindings.add(unfixableFinding);
-        continue;
-      }
-
-      List<MethodCallExpr> supportedSqlMethodCallsOnThatLine =
-          allMethodCalls.stream()
-              .filter(methodCallExpr -> methodCallExpr.getRange().get().begin.line == line)
-              .filter(SQLParameterizer::isSupportedJdbcMethodCall)
-              .toList();
-
-      if (supportedSqlMethodCallsOnThatLine.isEmpty()) {
-        UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id,
-                detectorRule(),
-                context.path().toString(),
-                line,
-                "No supported SQL methods found on the given line");
-        unfixedFindings.add(unfixableFinding);
-        continue;
-      }
-
-      if (supportedSqlMethodCallsOnThatLine.size() > 1) {
-        UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id,
-                detectorRule(),
-                context.path().toString(),
-                line,
-                "Multiple supported SQL methods found on the given line");
-        unfixedFindings.add(unfixableFinding);
-        continue;
-      }
-
-      MethodCallExpr methodCallExpr = supportedSqlMethodCallsOnThatLine.get(0);
-      if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
-        changes.add(CodemodChange.from(line, new FixedFinding(id, detectorRule())));
-      } else {
-        UnfixedFinding unfixableFinding =
-            new UnfixedFinding(
-                id,
-                detectorRule(),
-                context.path().toString(),
-                line,
-                "State changing effects possible or unrecognized code shape");
-        unfixedFindings.add(unfixableFinding);
-      }
-    }
 
-    return CodemodFileScanningResult.from(changes, unfixedFindings);
+    return JavaParserSQLInjectionRemediatorStrategy.DEFAULT.visit(
+        context,
+        cu,
+        findingsForThisPath,
+        detectorRule(),
+        finding -> String.valueOf(finding.getId()),
+        Finding::getLine);
   }
 }
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/util/DefaultJavaParserSQLInjectionRemediatorStrategy.java b/core-codemods/src/main/java/io/codemodder/codemods/util/DefaultJavaParserSQLInjectionRemediatorStrategy.java
@@ -0,0 +1,113 @@
+package io.codemodder.codemods.util;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import io.codemodder.CodemodChange;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.CodemodInvocationContext;
+import io.codemodder.codemods.SQLParameterizer;
+import io.codemodder.codemods.SQLParameterizerWithCleanup;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.codetf.FixedFinding;
+import io.codemodder.codetf.UnfixedFinding;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.function.Function;
+
+/**
+ * Default implementation of the JavaParserSQLInjectionRemediatorStrategy interface. This class
+ * provides the logic to visit a CompilationUnit and process findings for potential SQL injections.
+ */
+final class DefaultJavaParserSQLInjectionRemediatorStrategy
+    implements JavaParserSQLInjectionRemediatorStrategy {
+
+  /**
+   * Visits the provided CompilationUnit and processes findings for potential SQL injections.
+   *
+   * @param context the context of the codemod invocation
+   * @param cu the compilation unit to be scanned
+   * @param pathFindings a collection of findings to be processed
+   * @param detectorRule the rule used to detect potential issues
+   * @param findingIdExtractor a function to extract the ID from a finding
+   * @param findingLineExtractor a function to extract the line number from a finding
+   * @param <T> the type of the findings
+   * @return a result object containing the changes and unfixed findings
+   */
+  public <T> CodemodFileScanningResult visit(
+      final CodemodInvocationContext context,
+      final CompilationUnit cu,
+      final Collection<T> pathFindings,
+      final DetectorRule detectorRule,
+      final Function<T, String> findingIdExtractor,
+      final Function<T, Integer> findingLineExtractor) {
+
+    final List<MethodCallExpr> allMethodCalls = cu.findAll(MethodCallExpr.class);
+
+    if (pathFindings.isEmpty()) {
+      return CodemodFileScanningResult.none();
+    }
+
+    final List<UnfixedFinding> unfixedFindings = new ArrayList<>();
+    final List<CodemodChange> changes = new ArrayList<>();
+
+    for (T finding : pathFindings) {
+      final String id = findingIdExtractor.apply(finding);
+      final Integer line = findingLineExtractor.apply(finding);
+
+      if (line == null) {
+        final UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id, detectorRule, context.path().toString(), null, "No line number provided");
+        unfixedFindings.add(unfixableFinding);
+        continue;
+      }
+
+      final List<MethodCallExpr> supportedSqlMethodCallsOnThatLine =
+          allMethodCalls.stream()
+              .filter(methodCallExpr -> methodCallExpr.getRange().get().begin.line == line)
+              .filter(SQLParameterizer::isSupportedJdbcMethodCall)
+              .toList();
+
+      if (supportedSqlMethodCallsOnThatLine.isEmpty()) {
+        final UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id,
+                detectorRule,
+                context.path().toString(),
+                line,
+                "No supported SQL methods found on the given line");
+        unfixedFindings.add(unfixableFinding);
+        continue;
+      }
+
+      if (supportedSqlMethodCallsOnThatLine.size() > 1) {
+        final UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id,
+                detectorRule,
+                context.path().toString(),
+                line,
+                "Multiple supported SQL methods found on the given line");
+        unfixedFindings.add(unfixableFinding);
+        continue;
+      }
+
+      final MethodCallExpr methodCallExpr = supportedSqlMethodCallsOnThatLine.get(0);
+      if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
+        changes.add(CodemodChange.from(line, new FixedFinding(id, detectorRule)));
+      } else {
+        final UnfixedFinding unfixableFinding =
+            new UnfixedFinding(
+                id,
+                detectorRule,
+                context.path().toString(),
+                line,
+                "State changing effects possible or unrecognized code shape");
+        unfixedFindings.add(unfixableFinding);
+      }
+    }
+
+    return CodemodFileScanningResult.from(changes, unfixedFindings);
+  }
+}
diff --git a/core-codemods/src/main/java/io/codemodder/codemods/util/JavaParserSQLInjectionRemediatorStrategy.java b/core-codemods/src/main/java/io/codemodder/codemods/util/JavaParserSQLInjectionRemediatorStrategy.java
@@ -0,0 +1,39 @@
+package io.codemodder.codemods.util;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.CodemodInvocationContext;
+import io.codemodder.codetf.DetectorRule;
+import java.util.Collection;
+import java.util.function.Function;
+
+/**
+ * Strategy interface for remediating SQL injection vulnerabilities using JavaParser.
+ * Implementations of this interface define the method to visit a CompilationUnit and process
+ * findings for potential SQL injections.
+ */
+public interface JavaParserSQLInjectionRemediatorStrategy {
+
+  /**
+   * Visits the provided CompilationUnit and processes findings for potential SQL injections.
+   *
+   * @param context the context of the codemod invocation
+   * @param cu the compilation unit to be scanned
+   * @param pathFindings a collection of findings to be processed
+   * @param detectorRule the rule used to detect potential issues
+   * @param findingIdExtractor a function to extract the ID from a finding
+   * @param findingLineExtractor a function to extract the line number from a finding
+   * @param <T> the type of the findings
+   * @return a result object containing the changes and unfixed findings
+   */
+  <T> CodemodFileScanningResult visit(
+      final CodemodInvocationContext context,
+      final CompilationUnit cu,
+      final Collection<T> pathFindings,
+      final DetectorRule detectorRule,
+      final Function<T, String> findingIdExtractor,
+      final Function<T, Integer> findingLineExtractor);
+
+  JavaParserSQLInjectionRemediatorStrategy DEFAULT =
+      new DefaultJavaParserSQLInjectionRemediatorStrategy();
+}
