New Sonarcloud codemod to substitute String#replaceAll() (#247)

This change replaces the usage of `String#replaceAll()` to
`String#replace()` when the first argument is not a regular expression.
It does exactly the same thing as `String#replaceAll()` without the
performance drawback of the regex.

---------

Co-authored-by: Arshan Dabirsiaghi <[email protected]>

Author: carlosu7

core-codemods/src/main/java/io/codemodder/codemods/SubstituteReplaceAllCodemod.java

@@ -0,0 +1,34 @@
+package io.codemodder.codemods;
+
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.SimpleName;
+import io.codemodder.*;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleIssues;
+import io.codemodder.providers.sonar.SonarPluginJavaParserChanger;
+import io.codemodder.providers.sonar.api.Issue;
+import javax.inject.Inject;
+
+/** A codemod for automatically replacing replaceAll() calls to replace() . */
+@Codemod(
+    id = "sonar:java/substitute-replaceAll-s5361",
+    reviewGuidance = ReviewGuidance.MERGE_WITHOUT_REVIEW,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SubstituteReplaceAllCodemod extends SonarPluginJavaParserChanger<SimpleName> {
+
+  @Inject
+  public SubstituteReplaceAllCodemod(
+      @ProvidedSonarScan(ruleId = "java:S5361") final RuleIssues issues) {
+    super(issues, SimpleName.class, RegionNodeMatcher.MATCHES_START);
+  }
+
+  @Override
+  public boolean onIssueFound(
+      final CodemodInvocationContext context,
+      final CompilationUnit cu,
+      final SimpleName name,
+      final Issue issue) {
+    name.setIdentifier("replace");
+    return true;
+  }
+}

core-codemods/src/main/resources/io/codemodder/codemods/SubstituteReplaceAllCodemod/description.md

@@ -0,0 +1,12 @@
+This change replaces `String#replaceAll()` with `String#replace()` to enhance performance and avoid confusion.
+
+The `String#replaceAll()` call takes a regular expression for the first argument, which is then compiled and used to replace string subsections. However, the argument being passed to it doesn't actually appear to be a regular expression. Therefore, the `replace()` [API](https://docs.oracle.com/javase/8/docs/api/java/lang/String.html#replace-java.lang.CharSequence-java.lang.CharSequence-) appears to be a better fit.
+
+Our changes look something like this:
+
+```diff
+    String init = "my string\n";
+
+-   String changed = init.replaceAll("\n", "<br>");
++   String changed = init.replace("\n", "<br>");
+```

core-codemods/src/main/resources/io/codemodder/codemods/SubstituteReplaceAllCodemod/report.json

@@ -0,0 +1,7 @@
+{
+  "summary" : "Fixed inefficient usage of `String#replaceAll()` (Sonar).",
+  "change" : "Fixed inefficient usage of `String#replaceAll()`.",
+  "references" : [
+    "https://rules.sonarsource.com/java/RSPEC-5361/"
+  ]
+}

core-codemods/src/test/java/io/codemodder/codemods/AddMissingOverrideCodemodTest.java

@@ -6,5 +6,6 @@
 @Metadata(
     codemodType = AddMissingOverrideCodemod.class,
     testResourceDir = "add-missing-override-s1161",
+    renameTestFile = "src/main/java/SqlInjectionLesson10b.java",
     dependencies = {})
 final class AddMissingOverrideCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/java/io/codemodder/codemods/FixRedundantStaticOnEnumCodemodTest.java

@@ -6,5 +6,6 @@
 @Metadata(
     codemodType = FixRedundantStaticOnEnumCodemod.class,
     testResourceDir = "remove-redundant-static-s2786",
+    renameTestFile = "src/main/java/Response.java",
     dependencies = {})
 final class FixRedundantStaticOnEnumCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/java/io/codemodder/codemods/SubstituteReplaceAllCodemodTest.java

@@ -0,0 +1,11 @@
+package io.codemodder.codemods;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+
+@Metadata(
+    codemodType = SubstituteReplaceAllCodemod.class,
+    testResourceDir = "substitute-replaceAll-s5361",
+    renameTestFile = "src/main/java/org/owasp/webgoat/lessons/ssrf/SSRFTask2.java",
+    dependencies = {})
+final class SubstituteReplaceAllCodemodTest implements CodemodTestMixin {}

core-codemods/src/test/resources/add-missing-override-s1161/sonar-issues.json

@@ -14,7 +14,7 @@
       "key": "AYvtrjy0LCzGLicz7Ajy",
       "rule": "java:S1161",
       "severity": "MAJOR",
-      "component": "nahsra_WebGoat_10_23:Test.java",
+      "component": "nahsra_WebGoat_10_23:src/main/java/SqlInjectionLesson10b.java",
       "project": "nahsra_WebGoat_10_23",
       "line": 143,
       "hash": "e4d44f915becc09c0ce386b304b7621b",

core-codemods/src/test/resources/remove-redundant-static-s2786/sonar-issues.json

@@ -14,7 +14,7 @@
       "key": "AYv0acY3pMuQdcUNcsKX",
       "rule": "java:S2786",
       "severity": "MINOR",
-      "component": "nahsra_WebGoat_10_23:Test.java",
+      "component": "nahsra_WebGoat_10_23:src/main/java/Response.java",
       "project": "nahsra_WebGoat_10_23",
       "line": 4,
       "hash": "f7cdce57b37926f1061e0ab664b60dbd",

core-codemods/src/test/resources/substitute-replaceAll-s5361/Test.java.after

@@ -0,0 +1,72 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.ssrf;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"ssrf.hint3"})
+public class SSRFTask2 extends AssignmentEndpoint {
+
+  @PostMapping("/SSRF/task2")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String url) {
+    return furBall(url);
+  }
+
+  protected AttackResult furBall(String url) {
+    if (url.matches("http://ifconfig\\.pro")) {
+      String html;
+      try (InputStream in = new URL(url).openStream()) {
+        html =
+            new String(in.readAllBytes(), StandardCharsets.UTF_8)
+                .replace("\n", "<br>"); // Otherwise the \n gets escaped in the response
+      } catch (MalformedURLException e) {
+        return getFailedResult(e.getMessage());
+      } catch (IOException e) {
+        // in case the external site is down, the test and lesson should still be ok
+        html =
+            "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve"
+                + " this exercise the right way!</body></html>";
+      }
+      return success(this).feedback("ssrf.success").output(html).build();
+    }
+    var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
+    return getFailedResult(html);
+  }
+
+  private AttackResult getFailedResult(String errorMsg) {
+    return failed(this).feedback("ssrf.failure").output(errorMsg).build();
+  }
+}

core-codemods/src/test/resources/substitute-replaceAll-s5361/Test.java.before

@@ -0,0 +1,72 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.ssrf;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.charset.StandardCharsets;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@AssignmentHints({"ssrf.hint3"})
+public class SSRFTask2 extends AssignmentEndpoint {
+
+  @PostMapping("/SSRF/task2")
+  @ResponseBody
+  public AttackResult completed(@RequestParam String url) {
+    return furBall(url);
+  }
+
+  protected AttackResult furBall(String url) {
+    if (url.matches("http://ifconfig\\.pro")) {
+      String html;
+      try (InputStream in = new URL(url).openStream()) {
+        html =
+            new String(in.readAllBytes(), StandardCharsets.UTF_8)
+                .replaceAll("\n", "<br>"); // Otherwise the \n gets escaped in the response
+      } catch (MalformedURLException e) {
+        return getFailedResult(e.getMessage());
+      } catch (IOException e) {
+        // in case the external site is down, the test and lesson should still be ok
+        html =
+            "<html><body>Although the http://ifconfig.pro site is down, you still managed to solve"
+                + " this exercise the right way!</body></html>";
+      }
+      return success(this).feedback("ssrf.success").output(html).build();
+    }
+    var html = "<img class=\"image\" alt=\"image post\" src=\"images/cat.jpg\">";
+    return getFailedResult(html);
+  }
+
+  private AttackResult getFailedResult(String errorMsg) {
+    return failed(this).feedback("ssrf.failure").output(errorMsg).build();
+  }
+}