weak prng working mapping working

Author: nahsra

core-codemods/src/main/java/io/codemodder/codemods/DefaultCodemods.java

@@ -96,6 +96,7 @@ public static List<Class<? extends CodeChanger>> asList() {
         SonarSQLInjectionCodemod.class,
         SonarSSRFCodemod.class,
         SonarUnsafeReflectionRemediationCodemod.class,
+        SonarWeakRandomCodemod.class,
         SonarXXECodemod.class,
         SQLParameterizerCodemod.class,
         SSRFCodemod.class,

core-codemods/src/main/java/io/codemodder/codemods/sonar/SonarWeakRandomCodemod.java

@@ -0,0 +1,62 @@
+package io.codemodder.codemods.sonar;
+
+import com.github.javaparser.ast.CompilationUnit;
+import io.codemodder.*;
+import io.codemodder.codetf.DetectorRule;
+import io.codemodder.providers.sonar.ProvidedSonarScan;
+import io.codemodder.providers.sonar.RuleHotspot;
+import io.codemodder.providers.sonar.SonarRemediatingJavaParserChanger;
+import io.codemodder.remediation.GenericRemediationMetadata;
+import io.codemodder.remediation.Remediator;
+import io.codemodder.remediation.weakrandom.WeakRandomRemediator;
+import io.codemodder.sonar.model.Hotspot;
+import io.codemodder.sonar.model.SonarFinding;
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import javax.inject.Inject;
+
+@Codemod(
+    id = "sonar:java/weak-prng-2245",
+    reviewGuidance = ReviewGuidance.MERGE_AFTER_CURSORY_REVIEW,
+    importance = Importance.HIGH,
+    executionPriority = CodemodExecutionPriority.HIGH)
+public final class SonarWeakRandomCodemod extends SonarRemediatingJavaParserChanger {
+
+  private final Remediator<Hotspot> remediationStrategy;
+  private final RuleHotspot issues;
+
+  @Inject
+  public SonarWeakRandomCodemod(
+      @ProvidedSonarScan(ruleId = "java:S2245") final RuleHotspot hotspots) {
+    super(GenericRemediationMetadata.WEAK_RANDOM.reporter(), hotspots);
+    this.issues = Objects.requireNonNull(hotspots);
+    this.remediationStrategy = new WeakRandomRemediator<>();
+  }
+
+  @Override
+  public DetectorRule detectorRule() {
+    return new DetectorRule(
+        "java:S2245",
+        "Make sure that using this pseudorandom number generator is safe here",
+        "https://rules.sonarsource.com/java/RSPEC-2245/?search=weak%20random");
+  }
+
+  @Override
+  public CodemodFileScanningResult visit(
+      final CodemodInvocationContext context, final CompilationUnit cu) {
+    List<Hotspot> issuesForFile = issues.getResultsByPath(context.path());
+    return remediationStrategy.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        issuesForFile,
+        SonarFinding::getKey,
+        i -> i.getTextRange() != null ? i.getTextRange().getStartLine() : i.getLine(),
+        i ->
+            i.getTextRange() != null
+                ? Optional.of(i.getTextRange().getEndLine())
+                : Optional.empty(),
+        i -> Optional.empty());
+  }
+}

core-codemods/src/test/java/io/codemodder/codemods/sonar/SonarWeakRandomCodemodTest.java

@@ -0,0 +1,18 @@
+package io.codemodder.codemods.sonar;
+
+import io.codemodder.testutils.CodemodTestMixin;
+import io.codemodder.testutils.Metadata;
+import org.junit.jupiter.api.Nested;
+
+final class SonarWeakRandomCodemodTest {
+
+  @Nested
+  @Metadata(
+      codemodType = SonarWeakRandomCodemod.class,
+      testResourceDir = "sonar-weak-prng-2245",
+      renameTestFile = "src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java",
+      expectingFixesAtLines = {59},
+      doRetransformTest = false,
+      dependencies = {})
+  final class CSRFGetFlagTest implements CodemodTestMixin {}
+}

core-codemods/src/test/resources/remove-redundant-static-s2786/sonar-issues.json

@@ -44,7 +44,7 @@
       "effort": "2min",
       "debt": "2min",
       "assignee": "nahsra@github",
-      "author": "arshan.dabirsiaghi@gmail.com",
+      "author": "foo@gmail.com",
       "tags": [
         "redundant"
       ],

core-codemods/src/test/resources/replace-collectors-toList-s6204/sonar-issues.json

@@ -29,8 +29,8 @@
       "message": "Replace this usage of 'Stream.collect(Collectors.toList())' with 'Stream.toList()'",
       "effort": "5min",
       "debt": "5min",
-      "assignee": "nahsra@github",
-      "author": "arshan.dabirsiaghi@gmail.com",
+      "assignee": "foo@github",
+      "author": "foo@gmail.com",
       "tags": [
         "java16"
       ],

core-codemods/src/test/resources/sonar-sql-injection-s2077/supported/sonar-hotspots.json

@@ -15,7 +15,7 @@
       "line": 69,
       "message": "Make sure using a dynamically formatted SQL query is safe here.",
       "assignee": "AYu2RswFLuhbfWU895e4",
-      "author": "arshan.dabirsiaghi@gmail.com",
+      "author": "foo@gmail.com",
       "creationDate": "2023-12-06T18:40:23+0100",
       "updateDate": "2023-12-06T18:48:19+0100",
       "textRange": {

core-codemods/src/test/resources/sonar-sql-injection-s2077/unsupported/sonar-hotspots.json

@@ -14,7 +14,7 @@
       "status": "TO_REVIEW",
       "line": 52,
       "message": "Make sure using a dynamically formatted SQL query is safe here.",
-      "author": "arshan.dabirsiaghi@gmail.com",
+      "author": "foo@gmail.com",
       "creationDate": "2023-12-06T18:40:23+0100",
       "updateDate": "2024-04-25T23:46:59+0200",
       "textRange": {

core-codemods/src/test/resources/sonar-weak-prng-2245/CSRFGetFlag.java.after

@@ -0,0 +1,86 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.csrf;
+
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/** Created by jason on 9/30/17. */
+@RestController
+public class CSRFGetFlag {
+
+  @Autowired UserSessionData userSessionData;
+  @Autowired private PluginMessages pluginMessages;
+
+  @RequestMapping(
+      path = "/csrf/basic-get-flag",
+      produces = {"application/json"},
+      method = RequestMethod.POST)
+  @ResponseBody
+  public Map<String, Object> invoke(HttpServletRequest req) {
+
+    Map<String, Object> response = new HashMap<>();
+
+    String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
+    String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
+    String[] refererArr = referer.split("/");
+
+    if (referer.equals("NULL")) {
+      if ("true".equals(req.getParameter("csrf"))) {
+        Random random = new SecureRandom();
+        userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+        response.put("success", true);
+        response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
+        response.put("flag", userSessionData.getValue("csrf-get-success"));
+      } else {
+        Random random = new Random();
+        userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+        response.put("success", true);
+        response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+        response.put("flag", userSessionData.getValue("csrf-get-success"));
+      }
+    } else if (refererArr[2].equals(host)) {
+      response.put("success", false);
+      response.put("message", "Appears the request came from the original host");
+      response.put("flag", null);
+    } else {
+      Random random = new Random();
+      userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+      response.put("success", true);
+      response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+      response.put("flag", userSessionData.getValue("csrf-get-success"));
+    }
+
+    return response;
+  }
+}

core-codemods/src/test/resources/sonar-weak-prng-2245/CSRFGetFlag.java.before

@@ -0,0 +1,85 @@
+/*
+ * This file is part of WebGoat, an Open Web Application Security Project utility. For details, please see http://www.owasp.org/
+ *
+ * Copyright (c) 2002 - 2019 Bruce Mayhew
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
+ * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along with this program; if
+ * not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+ * 02111-1307, USA.
+ *
+ * Getting Source ==============
+ *
+ * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository for free software projects.
+ */
+
+package org.owasp.webgoat.lessons.csrf;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Random;
+import javax.servlet.http.HttpServletRequest;
+import org.owasp.webgoat.container.i18n.PluginMessages;
+import org.owasp.webgoat.container.session.UserSessionData;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestController;
+
+/** Created by jason on 9/30/17. */
+@RestController
+public class CSRFGetFlag {
+
+  @Autowired UserSessionData userSessionData;
+  @Autowired private PluginMessages pluginMessages;
+
+  @RequestMapping(
+      path = "/csrf/basic-get-flag",
+      produces = {"application/json"},
+      method = RequestMethod.POST)
+  @ResponseBody
+  public Map<String, Object> invoke(HttpServletRequest req) {
+
+    Map<String, Object> response = new HashMap<>();
+
+    String host = (req.getHeader("host") == null) ? "NULL" : req.getHeader("host");
+    String referer = (req.getHeader("referer") == null) ? "NULL" : req.getHeader("referer");
+    String[] refererArr = referer.split("/");
+
+    if (referer.equals("NULL")) {
+      if ("true".equals(req.getParameter("csrf"))) {
+        Random random = new Random();
+        userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+        response.put("success", true);
+        response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
+        response.put("flag", userSessionData.getValue("csrf-get-success"));
+      } else {
+        Random random = new Random();
+        userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+        response.put("success", true);
+        response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+        response.put("flag", userSessionData.getValue("csrf-get-success"));
+      }
+    } else if (refererArr[2].equals(host)) {
+      response.put("success", false);
+      response.put("message", "Appears the request came from the original host");
+      response.put("flag", null);
+    } else {
+      Random random = new Random();
+      userSessionData.setValue("csrf-get-success", random.nextInt(65536));
+      response.put("success", true);
+      response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
+      response.put("flag", userSessionData.getValue("csrf-get-success"));
+    }
+
+    return response;
+  }
+}

core-codemods/src/test/resources/sonar-weak-prng-2245/sonar-hotspots.json

@@ -0,0 +1,48 @@
+{
+  "paging": {
+    "pageIndex": 1,
+    "pageSize": 100,
+    "total": 1
+  },
+  "hotspots": [
+    {
+      "key": "AZPB23jjwGhA7VQ2UjF_",
+      "component": "nahsra_WebGoatSonarDemo:src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java",
+      "project": "nahsra_WebGoatSonarDemo",
+      "securityCategory": "weak-cryptography",
+      "vulnerabilityProbability": "MEDIUM",
+      "status": "TO_REVIEW",
+      "line": 59,
+      "message": "Make sure that using this pseudorandom number generator is safe here.",
+      "assignee": "AYu2RswFLuhbfWU895e4",
+      "author": "[email protected]",
+      "creationDate": "2024-12-13T22:06:37+0100",
+      "updateDate": "2024-12-13T22:09:25+0100",
+      "textRange": {
+        "startLine": 59,
+        "endLine": 59,
+        "startOffset": 28,
+        "endOffset": 34
+      },
+      "flows": [],
+      "ruleKey": "java:S2245"
+    }
+  ],
+  "components": [
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoatSonarDemo:src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java",
+      "qualifier": "FIL",
+      "name": "CSRFGetFlag.java",
+      "longName": "src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java",
+      "path": "src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java"
+    },
+    {
+      "organization": "nahsra",
+      "key": "nahsra_WebGoatSonarDemo",
+      "qualifier": "TRK",
+      "name": "WebGoatSonarDemo",
+      "longName": "WebGoatSonarDemo"
+    }
+  ]
+}