Adjustments and test

andrecsilva · andrecsilva · commit 8d65e9322820 · 2024-11-07T08:55:28.000-03:00
diff --git a/core-codemods/src/test/java/io/codemodder/codemods/SQLParameterizerCodemodTest.java b/core-codemods/src/test/java/io/codemodder/codemods/SQLParameterizerCodemodTest.java
@@ -2,9 +2,21 @@
 
 import io.codemodder.testutils.CodemodTestMixin;
 import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
 
-@Metadata(
-    codemodType = SQLParameterizerCodemod.class,
-    testResourceDir = "sql-parameterizer",
-    dependencies = {})
-final class SQLParameterizerCodemodTest implements CodemodTestMixin {}
+final class SQLParameterizerCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = SQLParameterizerCodemod.class,
+      testResourceDir = "sql-parameterizer/defaultTransformation",
+      dependencies = {})
+  class DefaultTransformationTest implements CodemodTestMixin {}
+
+  @Nested
+  @Metadata(
+      codemodType = SQLParameterizerCodemod.class,
+      testResourceDir = "sql-parameterizer/hijackTransformation",
+      dependencies = {})
+  class HijackTransformationTest implements CodemodTestMixin {}
+}
diff --git a/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after b/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after
diff --git a/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.before b/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.before
diff --git a/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after b/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after
@@ -0,0 +1,46 @@
+package com.acme.testcode;
+
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public final class Test {
+
+  private Connection conn;
+
+  public void queryAfterDeclaration() throws SQLException {
+	Statement stmt;
+	String query2 = "SELECT * FROM users WHERE username = ?";
+	PreparedStatement statement = conn.prepareStatement(query2);
+	statement.setString(1, request.getParameter("username"));
+	ResultSet rs2 = statement.execute();
+	stmt = statement;
+	while (rs2.next()) {
+		System.out.println("User: " + rs2.getString("username"));
+	}
+	String query3 = "SELECT * FROM users WHERE email = ?";
+	stmt.close();
+	PreparedStatement stmt1 = conn.prepareStatement(query3);
+	stmt1.setString(1, request.getParameter("email"));
+	ResultSet rs3 = stmt1.execute();
+	stmt = stmt1;
+	while (rs3.next()) {
+		System.out.println("User: " + rs3.getString("username"));
+	}
+
+	
+	
+	
+	
+
+	
+	
+	
+
+	
+	
+
+  }
+}
diff --git a/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.before b/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.before
@@ -0,0 +1,27 @@
+package com.acme.testcode;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+
+public final class Test {
+
+  private Connection conn;
+
+  public void queryAfterDeclaration() throws SQLException {
+	Statement stmt = conn.createStatement();
+	String username = request.getParameter("username");
+	String query2 = "SELECT * FROM users WHERE username = '" + username + "'";
+	ResultSet rs2 = stmt.executeQuery(query2);
+	while (rs2.next()) {
+		System.out.println("User: " + rs2.getString("username"));
+	}
+	String email = request.getParameter("email");
+	String query3 = "SELECT * FROM users WHERE email = '" + email + "'";
+	ResultSet rs3 = stmt.executeQuery(query3);
+	while (rs3.next()) {
+		System.out.println("User: " + rs3.getString("username"));
+	}
+  }
+}
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/javaparser/JavaParserCodemodRunner.java b/framework/codemodder-base/src/main/java/io/codemodder/javaparser/JavaParserCodemodRunner.java
@@ -58,7 +58,6 @@ public CodemodFileScanningResult run(final CodemodInvocationContext context) thr
     Path file = context.path();
     CompilationUnit cu = parser.parseJavaFile(file);
     CodemodFileScanningResult result = javaParserChanger.visit(context, cu);
-    System.out.println(cu);
     List<CodemodChange> changes = result.changes();
     if (!changes.isEmpty()) {
       String encodingName = encodingDetector.detect(file).orElse("UTF-8");
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java
@@ -101,12 +101,13 @@ private Optional<MethodCallExpr> isConnectionCreateStatement(final Expression ex
             return false;
           }
         };
+    var stmtCreationMethods = List.of("createStatement", "prepareStatement");
     return Optional.of(expr)
         .map(e -> e instanceof MethodCallExpr ? expr.asMethodCallExpr() : null)
         .filter(
             mce ->
                 mce.getScope().filter(isConnection).isPresent()
-                    && mce.getNameAsString().equals("createStatement"));
+                    && (stmtCreationMethods.contains(mce.getNameAsString())));
   }
 
   private Optional<MethodCallExpr> validateExecuteCall(final MethodCallExpr executeCall) {
@@ -187,16 +188,17 @@ private Optional<MethodCallExpr> validateExecuteCall(final MethodCallExpr execut
             .map(expr -> expr instanceof NameExpr ? expr.asNameExpr() : null)
             .flatMap(ne -> ASTs.findEarliestLocalVariableDeclarationOf(ne, ne.getNameAsString()));
 
-    // Has a single assignment
-    // We erroniously assume that it always shadows the init expression
     // Needs some flow analysis to correctly address this case
     final Optional<AssignExpr> maybeSingleAssigned =
         maybeLVD
             .map(lvd -> ASTs.findAllAssignments(lvd).limit(2).toList())
-            .filter(allAssignments -> allAssignments.size() == 1)
-            .map(allAssignments -> allAssignments.get(0))
+            .filter(allAssignments -> !allAssignments.isEmpty())
+            .map(allAssignments -> allAssignments.get(allAssignments.size() - 1))
             .filter(assign -> assign.getTarget().isNameExpr())
-            .filter(assign -> isConnectionCreateStatement(assign.getValue()).isPresent());
+            .filter(
+                assign ->
+                    isConnectionCreateStatement(ASTs.resolveLocalExpression(assign.getValue()))
+                        .isPresent());
 
     if (maybeSingleAssigned.isPresent()) {
       return maybeSingleAssigned.map(a -> Either.right(Either.left(a)));
@@ -665,7 +667,7 @@ private Expression getConnectionExpression(
       final Either<AssignExpr, LocalVariableDeclaration> stmtCreation) {
     return stmtCreation
         .ifLeftOrElseGet(
-            ae -> ae.getValue().asMethodCallExpr(),
+            ae -> ASTs.resolveLocalExpression(ae.getValue()).asMethodCallExpr(),
             lvd -> lvd.getDeclaration().getInitializer().get().asMethodCallExpr())
         .getScope()
         .get();
@@ -707,6 +709,7 @@ private MethodCallExpr fixByHijackedStatement(
                     prepareStatementCall)));
     ASTTransforms.addStatementBeforeStatement(topStatement, pStmtCreation);
     topStatement = pStmtCreation;
+    ASTTransforms.addImportIfMissing(compilationUnit, "java.sql.PreparedStatement");
 
     // Test if stmt.execute*() is the first usage of the stmt object
     // If so, remove initializer
