New CodeQL Error Message Exposure codemod (#471)

Rewrote StackTraceExposureCodemod with the remediator API. Also added
support for a new case.

Fixed a node position matching bug. Had to adjust/fix some codemods and
tests.

Fixed flakyness from a codemod.

\close #work

Author: andrecsilva

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -27,6 +27,7 @@ public static List<Class<? extends CodeChanger>> asList() {
         AddMissingOverrideCodemod.class,
         AvoidImplicitPublicConstructorCodemod.class,
         CodeQLDeserializationOfUserControlledDataCodemod.class,
+        CodeQLErrorMessageExposureCodemod.class,
         CodeQLHttpResponseSplittingCodemod.class,
         CodeQLInputResourceLeakCodemod.class,
         CodeQLInsecureCookieCodemod.class,
@@ -39,7 +40,6 @@ public static List<Class<? extends CodeChanger>> asList() {
         CodeQLRegexInjectionCodemod.class,
         CodeQLSQLInjectionCodemod.class,
         CodeQLSSRFCodemod.class,
-        CodeQLStackTraceExposureCodemod.class,
         CodeQLUnverifiedJwtCodemod.class,
         CodeQLXSSCodemod.class,
         CodeQLXXECodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/SonarXXECodemod.java

@@ -59,7 +59,7 @@ public CodemodFileScanningResult visit(
                 : Optional.empty(),
         i ->
             i.getTextRange() != null
-                ? Optional.of(i.getTextRange().getStartOffset() + 1)
+                ? Optional.of(i.getTextRange().getStartOffset())
                 : Optional.empty());
   }
 }

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLErrorMessageExposureCodemod.java

@@ -0,0 +1,56 @@
+package io.codemodder.codemods.codeql;
+
+import com.contrastsecurity.sarif.Result;
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sarif.codeql.ProvidedCodeQLScan;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.errorexposure.ErrorMessageExposureRemediator;
+import java.util.Optional;
+import javax.inject.Inject;
+
+/** A codemod that removes sensitive information exposure from error messages * */
+@Codemod(
+    id = "codeql:java/error-message-exposure",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
+    importance = Importance.MEDIUM,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class CodeQLErrorMessageExposureCodemod extends CodeQLRemediationCodemod {
+
+  private final Remediator<Result> remediator;
+
+  @Inject
+  public CodeQLErrorMessageExposureCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/error-message-exposure") final RuleSarif sarif) {
+    super(GenericRemediationMetadata.ERROR_MESSAGE_EXPOSURE.reporter(), sarif);
+    this.remediator = new ErrorMessageExposureRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "error-message-exposure",
+        "Information exposure through an error message",
+        "https://codeql.github.com/codeql-query-help/java/java-error-message-exposure/");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
+  }
+}

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLStackTraceExposureCodemod.java

@@ -0,0 +1,26 @@
+package io.codemodder.codemods.codeql;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
+
+final class CodeQLErrorMessageExposureCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = CodeQLErrorMessageExposureCodemod.class,
+      testResourceDir = "error-message-exposure/IntoPrinter",
+      renameTestFile =
+          "app/src/main/java/org/apache/roller/weblogger/ui/rendering/servlets/TrackbackServlet"
+              + ".java",
+      expectingFixesAtLines = {147, 221},
+      dependencies = {})
+  final class IntoPrinterTest implements CodemodTestMixin {}
+
+  @Nested
+  @Metadata(
+      codemodType = CodeQLErrorMessageExposureCodemod.class,
+      testResourceDir = "error-message-exposure/SendErrorAndPrintStackTrace",
+      dependencies = {})
+  final class SendErrorAndPrintStackTraceTest implements CodemodTestMixin {}
+}

core-codemods/src/test/java/io/codemodder/codemods/codeql/CodeQLErrorMessageExposureCodemodTest.java

@@ -14,7 +14,7 @@ final class CodeQLRegexInjectionCodemodTest {
       expectingFixesAtLines = 438,
       doRetransformTest = false,
       dependencies = {})
-  class BannedWordlistTest implements CodemodTestMixin {}
+  final class BannedWordlistTest implements CodemodTestMixin {}
 
   @Nested
   @Metadata(
@@ -24,5 +24,5 @@ class BannedWordlistTest implements CodemodTestMixin {}
       expectingFixesAtLines = {71, 66, 49},
       doRetransformTest = false,
       dependencies = {})
-  class RegexUtilTest implements CodemodTestMixin {}
+  final class RegexUtilTest implements CodemodTestMixin {}
 }