HardenProcessCreationCodemod hardens when there are any variables (#307)

Now this codemod will not be executed when the parameters received are
only constant variables or hardcoded values.

Issue #299

Author: carlosu7

core-codemods/src/main/java/io/codemodder/codemods/ArgumentExpressionExtractor.java

@@ -0,0 +1,45 @@
+package io.codemodder.codemods;
+
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.NodeList;
+import com.github.javaparser.ast.expr.Expression;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import java.util.List;
+import java.util.stream.Collectors;
+
+final class ArgumentExpressionExtractor {
+
+  private ArgumentExpressionExtractor() {}
+
+  /**
+   * Extracts all expressions from the arguments and their child nodes of a MethodCallExpr.
+   *
+   * @param methodCallExpr The MethodCallExpr to extract expressions from.
+   * @return A list containing all expressions found in the MethodCallExpr arguments and their child
+   *     nodes.
+   */
+  static List<Expression> extractExpressions(final MethodCallExpr methodCallExpr) {
+    final NodeList<Expression> arguments = methodCallExpr.getArguments();
+    return arguments.stream()
+        .map(ArgumentExpressionExtractor::getExpressionsFromNode)
+        .flatMap(List::stream)
+        .toList();
+  }
+
+  /**
+   * Recursively collects all expressions from a given node and its child nodes.
+   *
+   * @param node The node to collect expressions from.
+   * @return A list containing all expressions found in the node and its child nodes.
+   */
+  private static List<Expression> getExpressionsFromNode(final Node node) {
+    final List<Expression> expressions =
+        node.getChildNodes().stream()
+            .flatMap(childNode -> getExpressionsFromNode(childNode).stream())
+            .collect(Collectors.toList());
+    if (node instanceof Expression expression) {
+      expressions.add(expression);
+    }
+    return expressions;
+  }
+}

core-codemods/src/main/java/io/codemodder/codemods/HardenProcessCreationCodemod.java

@@ -4,9 +4,12 @@
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;
 import com.github.javaparser.ast.NodeList;
+import com.github.javaparser.ast.body.FieldDeclaration;
+import com.github.javaparser.ast.body.VariableDeclarator;
 import com.github.javaparser.ast.expr.Expression;
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import com.github.javaparser.ast.expr.NameExpr;
+import com.github.javaparser.ast.expr.SimpleName;
 import io.codemodder.*;
 import io.codemodder.ast.ASTTransforms;
 import io.codemodder.providers.sarif.semgrep.SemgrepScan;
@@ -34,6 +37,31 @@ public boolean onResultFound(
       final CompilationUnit cu,
       final MethodCallExpr methodCallExpr,
       final Result result) {
+
+    final List<FieldDeclaration> fieldDeclarations = cu.findAll(FieldDeclaration.class);
+    final List<FieldDeclaration> constantFieldDeclarations =
+        getConstantFieldDeclarations(fieldDeclarations);
+    final List<SimpleName> constantNames = extractVariableNames(constantFieldDeclarations);
+
+    final List<Expression> allArgumentsExpressions =
+        ArgumentExpressionExtractor.extractExpressions(methodCallExpr);
+
+    final List<Expression> onlyVariableExpressions =
+        allArgumentsExpressions.stream()
+            .filter(Expression::isNameExpr)
+            .filter(
+                expression -> {
+                  final NameExpr nameExpr = (NameExpr) expression;
+                  return !constantNames.contains(nameExpr.getName());
+                })
+            .toList();
+
+    final boolean containsOnlyConstantsAndHardcodedValues = onlyVariableExpressions.isEmpty();
+
+    if (containsOnlyConstantsAndHardcodedValues) {
+      return false;
+    }
+
     Node parent = methodCallExpr.getParentNode().get();
     Expression scope = methodCallExpr.getScope().get();
     ASTTransforms.addImportIfMissing(cu, SystemCommand.class);
@@ -52,4 +80,27 @@ public boolean onResultFound(
   public List<DependencyGAV> dependenciesRequired() {
     return List.of(DependencyGAV.JAVA_SECURITY_TOOLKIT);
   }
+
+  private List<SimpleName> extractVariableNames(List<FieldDeclaration> fieldDeclarations) {
+    return fieldDeclarations.stream()
+        .flatMap(fieldDeclaration -> fieldDeclaration.getVariables().stream())
+        .map(VariableDeclarator::getName)
+        .toList();
+  }
+
+  private List<FieldDeclaration> getConstantFieldDeclarations(
+      final List<FieldDeclaration> fieldDeclarations) {
+
+    return fieldDeclarations.stream()
+        .filter(FieldDeclaration::isFinal) // Check if the fieldDeclaration has the 'final' modifier
+        .filter(
+            fieldDeclaration ->
+                fieldDeclaration.getVariables().stream()
+                    .allMatch(
+                        variable ->
+                            variable
+                                .getInitializer()
+                                .isPresent())) // Check if all variables have initializers
+        .toList();
+  }
 }

core-codemods/src/test/resources/harden-process-creation/Test.java.after

@@ -8,29 +8,43 @@ public final class Test {
 
   private Runtime memberRuntime;
   private static Runtime staticRuntime;
+  private static final String A = "a";
+
+  void variable(final String var){
+      SystemCommand.runCommand(Runtime.getRuntime(), new String[]{"a", "b", var});
+  }
+
+  void constantAndHardcodedValues(){
+      Runtime.getRuntime().exec(new Test(new String[]{"a", "b", A}));
+  }
+
+  void test(){
+    Runtime.getRuntime().exec(new String[]{"a", "b", "c"});
+    Runtime.getRuntime().exec(new String[]{A, "b", "c"});
+  }
 
   void instantiated() {
     Runtime runtime = Runtime.getRuntime();
   }
 
   void fromArgument(Runtime runtime) throws IOException {
-    Process p = SystemCommand.runCommand(runtime, "foo");
+    Process p = runtime.exec("foo");
   }
 
   void fromMemberField() throws IOException {
-    SystemCommand.runCommand(memberRuntime, "ls al");
+    memberRuntime.exec("ls al");
   }
 
   void fromStaticField() throws IOException {
-    SystemCommand.runCommand(staticRuntime, new String[] {"cat", "/app/data.txt"});
+    staticRuntime.exec(new String[] {"cat", "/app/data.txt"});
   }
 
   void withEnvironment() throws IOException {
-    SystemCommand.runCommand(Runtime.getRuntime(), "foo", new String[] {"FOO=BAR"});
+    Runtime.getRuntime().exec("foo", new String[] {"FOO=BAR"});
   }
 
   void withDirectory() throws IOException {
-    SystemCommand.runCommand(Runtime.getRuntime(), "foo", getEnvironment(), getDirectory());
+    Runtime.getRuntime().exec("foo", getEnvironment(), getDirectory());
   }
 
   private String[] getEnvironment() {

core-codemods/src/test/resources/harden-process-creation/Test.java.before

@@ -7,6 +7,20 @@ public final class Test {
 
   private Runtime memberRuntime;
   private static Runtime staticRuntime;
+  private static final String A = "a";
+
+  void variable(final String var){
+      Runtime.getRuntime().exec(new String[]{"a", "b", var});
+  }
+
+  void constantAndHardcodedValues(){
+      Runtime.getRuntime().exec(new Test(new String[]{"a", "b", A}));
+  }
+
+  void test(){
+    Runtime.getRuntime().exec(new String[]{"a", "b", "c"});
+    Runtime.getRuntime().exec(new String[]{A, "b", "c"});
+  }
 
   void instantiated() {
     Runtime runtime = Runtime.getRuntime();