Adjusted tests/codemods for bug in node matching fixed previously

Author: andrecsilva

core-codemods/src/main/java/io/codemodder/codemods/SonarXXECodemod.java

@@ -59,7 +59,7 @@ public CodemodFileScanningResult visit(
                 : Optional.empty(),
         i ->
             i.getTextRange() != null
-                ? Optional.of(i.getTextRange().getStartOffset() + 1)
+                ? Optional.of(i.getTextRange().getStartOffset())
                 : Optional.empty());
   }
 }

core-codemods/src/main/java/io/codemodder/codemods/codeql/CodeQLErrorMessageExposureCodemod.java

@@ -8,10 +8,8 @@
 import io.codemodder.remediation.GenericRemediationMetadata;
 import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.errorexposure.ErrorMessageExposureRemediator;
-import io.codemodder.remediation.xxe.XXEIntermediateXMLStreamReaderRemediator;
-
-import javax.inject.Inject;
 import java.util.Optional;
+import javax.inject.Inject;
 
 /** A codemod for automatically fixing SQL injection from CodeQL. */
 @Codemod(
@@ -24,7 +22,8 @@ public final class CodeQLErrorMessageExposureCodemod extends CodeQLRemediationCo
   private final Remediator<Result> remediator;
 
   @Inject
-  public CodeQLErrorMessageExposureCodemod(@ProvidedCodeQLScan(ruleId = "java/error-message-exposure") final RuleSarif sarif) {
+  public CodeQLErrorMessageExposureCodemod(
+      @ProvidedCodeQLScan(ruleId = "java/error-message-exposure") final RuleSarif sarif) {
     super(GenericRemediationMetadata.ERROR_MESSAGE_EXPOSURE.reporter(), sarif);
     this.remediator = new ErrorMessageExposureRemediator<>();
   }
@@ -40,18 +39,18 @@ public DetectorRule detectorRule() {
   @Override
   public CodemodFileScanningResult visit(
       final CodemodInvocationContext context, final CompilationUnit cu) {
-      return remediator.remediateAll(
-              cu,
-              context.path().toString(),
-              detectorRule(),
-              ruleSarif.getResultsByLocationPath(context.path()),
-              SarifFindingKeyUtil::buildFindingId,
-              r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
-              r ->
-                      Optional.ofNullable(
-                              r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
-              r ->
-                      Optional.ofNullable(
-                              r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
+    return remediator.remediateAll(
+        cu,
+        context.path().toString(),
+        detectorRule(),
+        ruleSarif.getResultsByLocationPath(context.path()),
+        SarifFindingKeyUtil::buildFindingId,
+        r -> r.getLocations().get(0).getPhysicalLocation().getRegion().getStartLine(),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getEndLine()),
+        r ->
+            Optional.ofNullable(
+                r.getLocations().get(0).getPhysicalLocation().getRegion().getStartColumn()));
   }
 }

framework/codemodder-base/src/main/java/io/codemodder/remediation/errorexposure/ErrorMessageExposureFixStrategy.java

@@ -2,69 +2,76 @@
 
 import com.github.javaparser.ast.CompilationUnit;
 import com.github.javaparser.ast.Node;
-import com.github.javaparser.ast.NodeList;
 import com.github.javaparser.ast.expr.Expression;
 import com.github.javaparser.ast.expr.MethodCallExpr;
-import com.github.javaparser.ast.expr.StringLiteralExpr;
 import com.github.javaparser.ast.stmt.ExpressionStmt;
 import com.github.javaparser.ast.stmt.Statement;
-import io.codemodder.CodemodFileScanningResult;
 import io.codemodder.ast.ASTs;
-import io.codemodder.codetf.DetectorRule;
-import io.codemodder.javaparser.ChangesResult;
 import io.codemodder.remediation.*;
-import io.codemodder.remediation.headerinjection.HeaderInjectionFixStrategy;
-import javassist.expr.MethodCall;
-
-import java.lang.reflect.Method;
-import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
-import java.util.Set;
-import java.util.function.Function;
 
-/**
- * Removes exposure from error messages.
- */
+/** Removes exposure from error messages. */
 public final class ErrorMessageExposureFixStrategy extends MatchAndFixStrategy {
 
-    private static List<String> printErrorMethods = List.of("printStackTrace");
-    private static List<String> printMethods = List.of("println", "print", "sendError");
+  private static List<String> printErrorMethods = List.of("printStackTrace");
+  private static List<String> printMethods = List.of("println", "print", "sendError");
 
-    /**
-     * Test if the node is an expression that is the argument of a method call
-     * @param node
-     * @return
-     */
-    @Override
-    public boolean match(final Node node) {
-        return Optional.empty()
-                // is an argument of a call e.g. (response.sendError(418,<expression>))
-                .or(() -> Optional.of(node).map(n -> n instanceof Expression? (Expression) n : null).flatMap(ASTs::isArgumentOfMethodCall).filter(mce -> printMethods.contains(mce.getNameAsString())))
-                // is itself a method call that send errors: e.g. err.printStackTrace()
-                .or(() -> Optional.of(node).map(n -> n instanceof Expression? (Expression) n : null).flatMap(e -> e.toMethodCallExpr()).filter(mce -> printErrorMethods.contains(mce.getNameAsString())))
-                .isPresent()
-                ;
-    }
+  /**
+   * Test if the node is an expression that is the argument of a method call
+   *
+   * @param node
+   * @return
+   */
+  @Override
+  public boolean match(final Node node) {
+    return Optional.empty()
+        // is an argument of a call e.g. (response.sendError(418,<expression>))
+        .or(
+            () ->
+                Optional.of(node)
+                    .map(n -> n instanceof Expression ? (Expression) n : null)
+                    .flatMap(ASTs::isArgumentOfMethodCall)
+                    .filter(mce -> printMethods.contains(mce.getNameAsString())))
+        // is itself a method call that send errors: e.g. err.printStackTrace()
+        .or(
+            () ->
+                Optional.of(node)
+                    .map(n -> n instanceof Expression ? (Expression) n : null)
+                    .flatMap(e -> e.toMethodCallExpr())
+                    .filter(mce -> printErrorMethods.contains(mce.getNameAsString())))
+        .isPresent();
+  }
 
-    @Override
-    public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
-        // we know from the match that this is true
-        Expression expr = (Expression) node;
-        // find encompassing statement
-        Optional<Statement> maybeStmt = Optional.<MethodCallExpr>empty()
-                // grab the relevant method call from the two cases
-                .or(() -> Optional.of(node).map(n -> n instanceof Expression? (Expression) n : null).flatMap(ASTs::isArgumentOfMethodCall).filter(mce -> printMethods.contains(mce.getNameAsString())))
-                // is itself a method call that send errors: e.g. err.printStackTrace()
-                .or(() -> Optional.of(node).map(n -> n instanceof Expression? (Expression) n : null).flatMap(e -> e.toMethodCallExpr()).filter(mce -> printErrorMethods.contains(mce.getNameAsString())))
-                // check if the method call is in a statement by itself
-                .flatMap(mce -> mce.getParentNode())
-                .map(p -> p instanceof ExpressionStmt? (ExpressionStmt) p : null);
-        // Remove it
-        if (maybeStmt.isPresent()){
-            maybeStmt.get().remove();
-            return SuccessOrReason.success();
-        }
-        return SuccessOrReason.reason("The call is not a statement");
+  @Override
+  public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
+    // we know from the match that this is true
+    Expression expr = (Expression) node;
+    // find encompassing statement
+    Optional<Statement> maybeStmt =
+        Optional.<MethodCallExpr>empty()
+            // grab the relevant method call from the two cases
+            .or(
+                () ->
+                    Optional.of(node)
+                        .map(n -> n instanceof Expression ? (Expression) n : null)
+                        .flatMap(ASTs::isArgumentOfMethodCall)
+                        .filter(mce -> printMethods.contains(mce.getNameAsString())))
+            // is itself a method call that send errors: e.g. err.printStackTrace()
+            .or(
+                () ->
+                    Optional.of(node)
+                        .map(n -> n instanceof Expression ? (Expression) n : null)
+                        .flatMap(e -> e.toMethodCallExpr())
+                        .filter(mce -> printErrorMethods.contains(mce.getNameAsString())))
+            // check if the method call is in a statement by itself
+            .flatMap(mce -> mce.getParentNode())
+            .map(p -> p instanceof ExpressionStmt ? (ExpressionStmt) p : null);
+    // Remove it
+    if (maybeStmt.isPresent()) {
+      maybeStmt.get().remove();
+      return SuccessOrReason.success();
     }
+    return SuccessOrReason.reason("The call is not a statement");
+  }
 }

framework/codemodder-base/src/main/java/io/codemodder/remediation/errorexposure/ErrorMessageExposureRemediator.java

@@ -1,19 +1,12 @@
 package io.codemodder.remediation.errorexposure;
 
 import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.Node;
-import com.github.javaparser.ast.expr.MethodCallExpr;
-import com.github.javaparser.ast.expr.StringLiteralExpr;
 import io.codemodder.CodemodFileScanningResult;
 import io.codemodder.codetf.DetectorRule;
-import io.codemodder.remediation.FixCandidateSearcher;
 import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.SearcherStrategyRemediator;
-import io.codemodder.remediation.headerinjection.HeaderInjectionFixStrategy;
-
 import java.util.Collection;
 import java.util.Optional;
-import java.util.Set;
 import java.util.function.Function;
 
 /**
@@ -28,7 +21,7 @@ public final class ErrorMessageExposureRemediator<T> implements Remediator<T> {
   public ErrorMessageExposureRemediator() {
     this.searchStrategyRemediator =
         new SearcherStrategyRemediator.Builder<T>()
-                .withMatchAndFixStrategy(new ErrorMessageExposureFixStrategy())
+            .withMatchAndFixStrategy(new ErrorMessageExposureFixStrategy())
             .build();
   }
 

framework/codemodder-base/src/main/java/io/codemodder/remediation/regexinjection/RegexInjectionRemediator.java

@@ -7,6 +7,7 @@
 import com.github.javaparser.ast.expr.Expression;
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.ast.ASTs;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.remediation.*;
 import java.util.Collection;
@@ -27,7 +28,8 @@ public RegexInjectionRemediator() {
                     .withMatcher(
                         node ->
                             Optional.of(node)
-                                .map(n -> n instanceof MethodCallExpr ? (MethodCallExpr) n : null)
+                                .map(n -> n instanceof Expression e ? e : null)
+                                .flatMap(ASTs::isArgumentOfMethodCall)
                                 .filter(RegexInjectionRemediator::isCompileCall)
                                 .isPresent())
                     .build(),
@@ -37,7 +39,12 @@ public RegexInjectionRemediator() {
                     .withMatcher(
                         node ->
                             Optional.of(node)
-                                .map(n -> n instanceof MethodCallExpr ? (MethodCallExpr) n : null)
+                                .map(n -> n instanceof Expression e ? e : null)
+                                // Must be the first argument
+                                .flatMap(
+                                    e ->
+                                        ASTs.isArgumentOfMethodCall(e)
+                                            .filter(mce -> mce.getArgument(0) == e))
                                 .filter(RegexInjectionRemediator::isReplaceFirstCall)
                                 .isPresent())
                     .build(),
@@ -49,7 +56,7 @@ public RegexInjectionRemediator() {
   private static class FixPatternCompileStrategy implements RemediationStrategy {
     @Override
     public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
-      final MethodCallExpr compileCall = (MethodCallExpr) node;
+      final MethodCallExpr compileCall = ASTs.isArgumentOfMethodCall((Expression) node).get();
       Expression argument = compileCall.getArgument(0);
       wrap(argument).withStaticMethod(Pattern.class.getName(), "quote", false);
       return SuccessOrReason.success();
@@ -75,7 +82,7 @@ private static boolean isReplaceFirstCall(final MethodCallExpr methodCallExpr) {
   private static class FixStringReplaceFirstStrategy implements RemediationStrategy {
     @Override
     public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
-      final MethodCallExpr replaceFirstCall = (MethodCallExpr) node;
+      final MethodCallExpr replaceFirstCall = ASTs.isArgumentOfMethodCall((Expression) node).get();
       Expression argument = replaceFirstCall.getArgument(0);
       wrap(argument).withStaticMethod(Pattern.class.getName(), "quote", false);
       return SuccessOrReason.success();

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XXEIntermediateXMLStreamReaderFixStrategy.java

@@ -6,21 +6,24 @@
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import com.github.javaparser.ast.expr.NameExpr;
 import com.github.javaparser.ast.stmt.Statement;
+import io.codemodder.ast.ASTs;
 import io.codemodder.remediation.RemediationStrategy;
 import io.codemodder.remediation.SuccessOrReason;
 import java.util.Optional;
 
 /**
- * Fix strategy for XXE vulnerabilities anchored to the XMLStreamReader calls. Finds the parser's
- * declaration and add statements disabling external entities and features.
+ * Fix strategy for XXE vulnerabilities anchored to arguments of a XMLStreamReader calls. Finds the
+ * parser's declaration and add statements disabling external entities and features.
  */
 final class XXEIntermediateXMLStreamReaderFixStrategy implements RemediationStrategy {
 
   @Override
   public SuccessOrReason fix(final CompilationUnit cu, final Node node) {
 
     var maybeCall =
-        Optional.of(node).map(m -> m instanceof MethodCallExpr ? (MethodCallExpr) node : null);
+        Optional.of(node)
+            .map(m -> m instanceof Expression e ? e : null)
+            .flatMap(ASTs::isArgumentOfMethodCall);
     if (maybeCall.isEmpty()) {
       return SuccessOrReason.reason("Not a method call");
     }

framework/codemodder-base/src/main/java/io/codemodder/remediation/xxe/XXEIntermediateXMLStreamReaderRemediator.java

@@ -1,8 +1,10 @@
 package io.codemodder.remediation.xxe;
 
 import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.expr.MethodCallExpr;
+import com.github.javaparser.ast.Node;
+import com.github.javaparser.ast.expr.Expression;
 import io.codemodder.CodemodFileScanningResult;
+import io.codemodder.ast.ASTs;
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.remediation.FixCandidateSearcher;
 import io.codemodder.remediation.Remediator;
@@ -23,9 +25,9 @@ public XXEIntermediateXMLStreamReaderRemediator() {
                     .withMatcher(
                         node ->
                             Optional.of(node)
-                                .map(n -> n instanceof MethodCallExpr mce ? mce : null)
-                                .filter(mce -> mce.hasScope())
-                                .filter(mce -> mce.getArguments().isNonEmpty())
+                                .map(n -> n instanceof Expression e ? e : null)
+                                .flatMap(ASTs::isArgumentOfMethodCall)
+                                .filter(Node::hasScope)
                                 .isPresent())
                     .build(),
                 new XXEIntermediateXMLStreamReaderFixStrategy())

framework/codemodder-base/src/test/java/io/codemodder/remediation/xxe/DefaultXXERemediatorTest.java

@@ -8,6 +8,7 @@
 import io.codemodder.CodemodChange;
 import io.codemodder.CodemodFileScanningResult;
 import io.codemodder.codetf.DetectorRule;
+import io.codemodder.remediation.WithoutScopePositionMatcher;
 import java.util.List;
 import java.util.Optional;
 import org.junit.jupiter.api.BeforeEach;
@@ -20,7 +21,7 @@ final class DefaultXXERemediatorTest {
 
   @BeforeEach
   void setup() {
-    this.remediator = new XXERemediator<>();
+    this.remediator = new XXERemediator<>(new WithoutScopePositionMatcher());
     this.rule = new DetectorRule("xxe", "XXE", null);
   }
 
@@ -48,7 +49,7 @@ public void foo() {
             }
             """;
 
-    List<XXEFinding> findings = List.of(new XXEFinding("foo", 11, 16));
+    List<XXEFinding> findings = List.of(new XXEFinding("foo", 11, 15));
     CompilationUnit cu = StaticJavaParser.parse(vulnerableCode);
     LexicalPreservingPrinter.setup(cu);
     CodemodFileScanningResult result =

framework/codemodder-base/src/test/java/io/codemodder/remediation/xxe/DocumentBuilderFactoryAtParseFixerTest.java

@@ -75,7 +75,8 @@ private static Stream<Arguments> unfixableSamples() {
   void setup() {
     fixer =
         new SearcherStrategyRemediator.Builder<>()
-            .withMatchAndFixStrategy(new DocumentBuilderFactoryAtParseFixStrategy())
+            .withMatchAndFixStrategyAndNodeMatcher(
+                new DocumentBuilderFactoryAtParseFixStrategy(), new WithoutScopePositionMatcher())
             .build();
   }
 
@@ -133,7 +134,7 @@ public void foo() {
             o -> "id",
             o -> 11,
             o -> Optional.empty(),
-            o -> Optional.ofNullable(16));
+            o -> Optional.ofNullable(15));
     assertThat(result.changes().isEmpty()).isFalse();
 
     String fixedCode =

framework/codemodder-base/src/test/java/io/codemodder/remediation/xxe/TransformerFactoryAtCreationFixerTest.java

@@ -8,6 +8,7 @@
 import io.codemodder.codetf.DetectorRule;
 import io.codemodder.remediation.Remediator;
 import io.codemodder.remediation.SearcherStrategyRemediator;
+import io.codemodder.remediation.WithoutScopePositionMatcher;
 import java.util.List;
 import java.util.Optional;
 import org.junit.jupiter.api.BeforeEach;
@@ -21,7 +22,8 @@ final class TransformerFactoryAtCreationFixerTest {
   void setup() {
     fixer =
         new SearcherStrategyRemediator.Builder<>()
-            .withMatchAndFixStrategy(new TransformerFactoryAtCreationFixStrategy())
+            .withMatchAndFixStrategyAndNodeMatcher(
+                new TransformerFactoryAtCreationFixStrategy(), new WithoutScopePositionMatcher())
             .build();
   }