create basics

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -17,6 +17,7 @@ public static List<Class<? extends CodeChanger>> asList() {
         AddMissingOverrideCodemod.class,
         AvoidImplicitPublicConstructorCodemod.class,
         DeclareVariableOnSeparateLineCodemod.class,
+        DefectDojoSqlInjectionCodemod.class,
         DefineConstantForLiteralCodemod.class,
         DisableAutomaticDirContextDeserializationCodemod.class,
         FixRedundantStaticOnEnumCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java

@@ -3,7 +3,9 @@
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.*;
+import io.codemodder.codetf.DetectionTool;
 import io.codemodder.codetf.DetectorFinding;
+import io.codemodder.codetf.DetectorRule;
 import io.codemodder.javaparser.JavaParserChanger;
 import io.codemodder.providers.defectdojo.DefectDojoScan;
 import io.codemodder.providers.defectdojo.Finding;
@@ -19,7 +21,8 @@
     reviewGuidance = ReviewGuidance.MERGE_AFTER_REVIEW,
     executionPriority = CodemodExecutionPriority.HIGH,
     importance = Importance.HIGH)
-public final class DefectDojoSqlInjectionCodemod extends JavaParserChanger {
+public final class DefectDojoSqlInjectionCodemod extends JavaParserChanger
+    implements FixOnlyCodeChanger {
 
   private final RuleFindings findings;
 
@@ -30,6 +33,16 @@ public DefectDojoSqlInjectionCodemod(
     this.findings = Objects.requireNonNull(findings);
   }
 
+  @Override
+  public DetectionTool getDetectionTool() {
+    DetectorRule semgrepSqliRule =
+        new DetectorRule(
+            "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
+            "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli",
+            null);
+    return new DetectionTool("DefectDojo", semgrepSqliRule, List.of());
+  }
+
   @Override
   public CodemodFileScanningResult visit(
       final CodemodInvocationContext context, final CompilationUnit cu) {
@@ -41,8 +54,7 @@ public CodemodFileScanningResult visit(
       return CodemodFileScanningResult.none();
     }
 
-    List<DetectorFinding> fixed = new ArrayList<>();
-    List<DetectorFinding> allUnfixable = new ArrayList<>();
+    List<DetectorFinding> allFindings = new ArrayList<>();
 
     List<CodemodChange> changes = new ArrayList<>();
     for (Finding finding : findingsForThisPath) {
@@ -51,7 +63,7 @@ public CodemodFileScanningResult visit(
       if (line == null) {
         DetectorFinding unfixableFinding =
             new DetectorFinding(id, false, "No line number provided");
-        allUnfixable.add(unfixableFinding);
+        allFindings.add(unfixableFinding);
         continue;
       }
 
@@ -64,15 +76,15 @@ public CodemodFileScanningResult visit(
       if (supportedSqlMethodCallsOnThatLine.isEmpty()) {
         DetectorFinding unfixableFinding =
             new DetectorFinding(id, false, "No supported SQL methods found on the given line");
-        allUnfixable.add(unfixableFinding);
+        allFindings.add(unfixableFinding);
         continue;
       }
 
       if (supportedSqlMethodCallsOnThatLine.size() > 1) {
         DetectorFinding unfixableFinding =
             new DetectorFinding(
                 id, false, "Multiple supported SQL methods found on the given line");
-        allUnfixable.add(unfixableFinding);
+        allFindings.add(unfixableFinding);
         continue;
       }
 
@@ -81,15 +93,15 @@ public CodemodFileScanningResult visit(
 
       if (parameterizer.checkAndFix()) {
         DetectorFinding fixedFinding = new DetectorFinding(id, true, null);
-        fixed.add(fixedFinding);
+        allFindings.add(fixedFinding);
         changes.add(CodemodChange.from(line, "Fixes issue " + id + " by parameterizing SQL"));
       } else {
         DetectorFinding unfixableFinding =
             new DetectorFinding(id, false, "Fixing may have side effects");
-        allUnfixable.add(unfixableFinding);
+        allFindings.add(unfixableFinding);
       }
     }
 
-    return CodemodFileScanningResult.from(changes, allUnfixable);
+    return CodemodFileScanningResult.from(changes, allFindings);
   }
 }

core-codemods/src/main/resources/io/codemodder/codemods/DefectDojoSqlInjectionCodemod/description.md

@@ -0,0 +1,13 @@
+This change fixes SQL injections found in DefectDojo by parameterizing the given statement.
+
+Without parameterization, developers must remember to escape inputs using the rules for that database. It's usually buggy, at the least -- and sometimes vulnerable.
+
+Our changes look something like this:
+
+```diff
+- Statement stmt = connection.createStatement();
+- ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE name = '" + user + "'");
++ PreparedStatement stmt = connection.prepareStatement("SELECT * FROM users WHERE name = ?");
++ stmt.setString(1, user);
++ ResultSet rs = stmt.executeQuery();
+```

core-codemods/src/main/resources/io/codemodder/codemods/DefectDojoSqlInjectionCodemod/report.json

@@ -0,0 +1,9 @@
+{
+  "summary" : "Fixed SQL Injection",
+  "change": "Parameterized SQL usage to prevent any bugs or vulnerabilities",
+  "reviewGuidanceIJustification" : "Although there should be no functional differences, the rewrite here is complex and should be verified by a human.",
+  "references" : [
+    "https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html",
+    "https://cwe.mitre.org/data/definitions/89.html"
+  ]
+}

core-codemods/src/test/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemodTest.java

@@ -0,0 +1,26 @@
+package io.codemodder.codemods;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
+
+final class DefectDojoSqlInjectionCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = DefectDojoSqlInjectionCodemod.class,
+      testResourceDir = "defectdojo-sql-injection/SqlInjectionChallenge",
+      renameTestFile =
+          "src/main/java/org/owasp/webgoat/lessons/sqlinjection/advanced/SqlInjectionChallenge.java",
+      dependencies = {})
+  final class DefectDojoSqlInjectionChallengeCodemodTestMixin implements CodemodTestMixin {}
+
+  @Nested
+  @Metadata(
+      codemodType = DefectDojoSqlInjectionCodemod.class,
+      testResourceDir = "defectdojo-sql-injection/SqlInjectionLesson8",
+      renameTestFile =
+          "src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java",
+      dependencies = {})
+  final class DefectDojoSqlInjectionLesson8CodemodTestMixin implements CodemodTestMixin {}
+}

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after

@@ -0,0 +1,106 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
+
+import java.sql.*;
+import java.sql.PreparedStatement;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@RestController
+@AssignmentHints(
+    value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
+@Slf4j
+public class SqlInjectionChallenge extends AssignmentEndpoint {
+
+  private final LessonDataSource dataSource;
+
+  public SqlInjectionChallenge(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PutMapping("/SqlInjectionAdvanced/challenge")
+  // assignment path is bounded to class so we use different http method :-)
+  @ResponseBody
+  public AttackResult registerNewUser(
+      @RequestParam String username_reg,
+      @RequestParam String email_reg,
+      @RequestParam String password_reg)
+      throws Exception {
+    AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
+
+    if (attackResult == null) {
+
+      try (Connection connection = dataSource.getConnection()) {
+        String checkUserQuery =
+            "select userid from sql_challenge_users where userid = ?";
+        PreparedStatement statement = connection.prepareStatement(checkUserQuery);
+        statement.setString(1, username_reg);
+        ResultSet resultSet = statement.execute();
+
+        if (resultSet.next()) {
+          if (username_reg.contains("tom'")) {
+            attackResult = success(this).feedback("user.exists").build();
+          } else {
+            attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
+          }
+        } else {
+          PreparedStatement preparedStatement =
+              connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
+          preparedStatement.setString(1, username_reg);
+          preparedStatement.setString(2, email_reg);
+          preparedStatement.setString(3, password_reg);
+          preparedStatement.execute();
+          attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
+        }
+      } catch (SQLException e) {
+        attackResult = failed(this).output("Something went wrong").build();
+      }
+    }
+    return attackResult;
+  }
+
+  private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
+    if (StringUtils.isEmpty(username_reg)
+        || StringUtils.isEmpty(email_reg)
+        || StringUtils.isEmpty(password_reg)) {
+      return failed(this).feedback("input.invalid").build();
+    }
+    if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
+      return failed(this).feedback("input.invalid").build();
+    }
+    return null;
+  }
+}

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.before

@@ -0,0 +1,104 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.sqlinjection.advanced;
+
+import java.sql.*;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.container.LessonDataSource;
+import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.container.assignments.AssignmentHints;
+import org.owasp.webgoat.container.assignments.AttackResult;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author nbaars
+ * @since 4/8/17.
+ */
+@RestController
+@AssignmentHints(
+    value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
+@Slf4j
+public class SqlInjectionChallenge extends AssignmentEndpoint {
+
+  private final LessonDataSource dataSource;
+
+  public SqlInjectionChallenge(LessonDataSource dataSource) {
+    this.dataSource = dataSource;
+  }
+
+  @PutMapping("/SqlInjectionAdvanced/challenge")
+  // assignment path is bounded to class so we use different http method :-)
+  @ResponseBody
+  public AttackResult registerNewUser(
+      @RequestParam String username_reg,
+      @RequestParam String email_reg,
+      @RequestParam String password_reg)
+      throws Exception {
+    AttackResult attackResult = checkArguments(username_reg, email_reg, password_reg);
+
+    if (attackResult == null) {
+
+      try (Connection connection = dataSource.getConnection()) {
+        String checkUserQuery =
+            "select userid from sql_challenge_users where userid = '" + username_reg + "'";
+        Statement statement = connection.createStatement();
+        ResultSet resultSet = statement.executeQuery(checkUserQuery);
+
+        if (resultSet.next()) {
+          if (username_reg.contains("tom'")) {
+            attackResult = success(this).feedback("user.exists").build();
+          } else {
+            attackResult = failed(this).feedback("user.exists").feedbackArgs(username_reg).build();
+          }
+        } else {
+          PreparedStatement preparedStatement =
+              connection.prepareStatement("INSERT INTO sql_challenge_users VALUES (?, ?, ?)");
+          preparedStatement.setString(1, username_reg);
+          preparedStatement.setString(2, email_reg);
+          preparedStatement.setString(3, password_reg);
+          preparedStatement.execute();
+          attackResult = success(this).feedback("user.created").feedbackArgs(username_reg).build();
+        }
+      } catch (SQLException e) {
+        attackResult = failed(this).output("Something went wrong").build();
+      }
+    }
+    return attackResult;
+  }
+
+  private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
+    if (StringUtils.isEmpty(username_reg)
+        || StringUtils.isEmpty(email_reg)
+        || StringUtils.isEmpty(password_reg)) {
+      return failed(this).feedback("input.invalid").build();
+    }
+    if (username_reg.length() > 250 || email_reg.length() > 30 || password_reg.length() > 30) {
+      return failed(this).feedback("input.invalid").build();
+    }
+    return null;
+  }
+}