updated test to account for new sql parameterization behavior

Author: nahsra

core-codemods/src/test/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemodTest.java

@@ -13,7 +13,7 @@ final class DefectDojoSqlInjectionCodemodTest {
       renameTestFile =
           "src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java",
       dependencies = {})
-  final class DefectDojoSqlInjectionChallengeCodemodTestMixin implements CodemodTestMixin {}
+  final class WebGoatSqlInjectionChallengeTest implements CodemodTestMixin {}
 
   @Nested
   @Metadata(
@@ -22,5 +22,5 @@ final class DefectDojoSqlInjectionChallengeCodemodTestMixin implements CodemodTe
       renameTestFile =
           "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
       dependencies = {})
-  final class DefectDojoSqlInjectionLesson8CodemodTestMixin implements CodemodTestMixin {}
+  final class WebGoatSqlInjectionLesson8Test implements CodemodTestMixin {}
 }

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after

@@ -65,7 +65,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 
       try (Connection connection = dataSource.getConnection()) {
         String checkUserQuery =
-            "select userid from sql_challenge_users where userid = ?";
+            "select userid from sql_challenge_users where userid = ?" + "" + "";
         PreparedStatement statement = connection.prepareStatement(checkUserQuery);
         statement.setString(1, username_reg);
         ResultSet resultSet = statement.execute();

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after

@@ -64,19 +64,21 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
   protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
     StringBuilder output = new StringBuilder();
     String query =
-        "SELECT * FROM employees WHERE last_name = '"
-            + name
-            + "' AND auth_tan = '"
-            + auth_tan
-            + "'";
+        "SELECT * FROM employees WHERE last_name = ?"
+            + ""
+            + " AND auth_tan = ?"
+            + ""
+            + "";
 
     try (Connection connection = dataSource.getConnection()) {
       try {
-        Statement statement =
-            connection.createStatement(
-                ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
+        PreparedStatement statement =
+            connection.prepareStatement(
+query,                 ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
         log(connection, query);
-        ResultSet results = statement.executeQuery(query);
+        statement.setString(1, name);
+        statement.setString(2, auth_tan);
+        ResultSet results = statement.execute();
 
         if (results.getStatement() != null) {
           if (results.first()) {
@@ -149,9 +151,10 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
     action = action.replace('\'', '"');
     Calendar cal = Calendar.getInstance();
     SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
+    String time = sdf.format(cal.getTime());
 
     String logQuery =
-        "INSERT INTO access_log (time, action) VALUES (?" + ", ?" + ")";
+        "INSERT INTO access_log (time, action) VALUES (?" + "" + ", ?" + "" + ")";
 
     try {
       PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);

framework/codemodder-testutils/src/main/java/io/codemodder/testutils/CodemodTestMixin.java

@@ -251,6 +251,7 @@ default void verifyTransformedCode(final Path before, final Path expected, final
       throws IOException {
     String expectedCode = Files.readString(expected);
     String transformedJavaCode = Files.readString(after);
+    System.out.println(transformedJavaCode);
     assertThat(transformedJavaCode, equalTo(expectedCode));
   }