Extra cleanup for SQLParameterizer (#329)

Adds:
- A new transformation for replacing concatenations of string literals
with a single literal.
- The aforementioned transformation as a cleanup step for
SQLParameterizer.
- A new transformation that combines the SQLParamterizer with the extra
cleanup steps.

Closes #300 and #327.

Author: andrecsilva

core-codemods/src/main/java/io/codemodder/codemods/DefectDojoSqlInjectionCodemod.java

@@ -1,10 +1,8 @@
 package io.codemodder.codemods;
 
 import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.body.CallableDeclaration;
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.*;
-import io.codemodder.ast.ASTTransforms;
 import io.codemodder.codetf.DetectionTool;
 import io.codemodder.codetf.DetectorFinding;
 import io.codemodder.codetf.DetectorRule;
@@ -91,16 +89,8 @@ public CodemodFileScanningResult visit(
       }
 
       MethodCallExpr methodCallExpr = supportedSqlMethodCallsOnThatLine.get(0);
-      SQLParameterizer parameterizer = new SQLParameterizer(methodCallExpr);
-
-      if (parameterizer.checkAndFix()) {
-        final var maybeMethodDecl = methodCallExpr.findAncestor(CallableDeclaration.class);
-        // Cleanup, removes empty string concatenations and unused variables
-        maybeMethodDecl.ifPresent(cd -> ASTTransforms.removeEmptyStringConcatenation(cd));
-        // TODO hits a bug with javaparser, where adding nodes won't result in the correct children
-        // order. This causes the following to remove actually used variables
-        // maybeMethodDecl.ifPresent(md -> ASTTransforms.removeUnusedLocalVariables(md));
 
+      if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
         DetectorFinding fixedFinding = new DetectorFinding(id, true, null);
         allFindings.add(fixedFinding);
         changes.add(CodemodChange.from(line, "Fixes issue " + id + " by parameterizing SQL"));

core-codemods/src/main/java/io/codemodder/codemods/SQLParameterizer.java

@@ -21,7 +21,7 @@
  * Contains most of the logic for detecting and fixing parameterizable SQL statements for a given
  * {@link MethodCallExpr}.
  */
-public final class SQLParameterizer {
+final class SQLParameterizer {
 
   private static final String preparedStatementNamePrefix = "stmt";
   private static final String preparedStatementNamePrefixAlternative = "statement";
@@ -382,7 +382,7 @@ private Expression buildParameter(
    *
    * <p>(3) Change <stmtCreation>.execute*() to pstmt.execute().
    */
-  private void fix(
+  private MethodCallExpr fix(
       final Either<MethodCallExpr, LocalVariableDeclaration> stmtCreation,
       final QueryParameterizer queryParameterizer,
       final MethodCallExpr executeCall) {
@@ -448,16 +448,16 @@ private void fix(
     executeCall.setScope(new NameExpr(stmtName));
     executeCall.setArguments(new NodeList<>());
 
+    MethodCallExpr pstmtCreation;
     // (2.a)
     if (stmtCreation.isLeft()) {
+      pstmtCreation =
+          new MethodCallExpr(stmtCreation.getLeft().getScope().get(), "prepareStatement", args);
       final var pstmtCreationStmt =
           new ExpressionStmt(
               new VariableDeclarationExpr(
                   new VariableDeclarator(
-                      StaticJavaParser.parseType("PreparedStatement"),
-                      stmtName,
-                      new MethodCallExpr(
-                          stmtCreation.getLeft().getScope().get(), "prepareStatement", args))));
+                      StaticJavaParser.parseType("PreparedStatement"), stmtName, pstmtCreation)));
       ASTTransforms.addStatementBeforeStatement(topStatement, pstmtCreationStmt);
 
       // (2.b)
@@ -476,7 +476,10 @@ private void fix(
           .getVariableDeclarator()
           .getInitializer()
           .ifPresent(expr -> expr.asMethodCallExpr().setArguments(args));
+      pstmtCreation =
+          stmtCreation.getRight().getVariableDeclarator().getInitializer().get().asMethodCallExpr();
     }
+    return pstmtCreation;
   }
 
   private boolean assignedOrDefinedInScope(NameExpr name, LocalVariableDeclaration lvd) {
@@ -500,13 +503,13 @@ private boolean assignedOrDefinedInScope(NameExpr name, LocalVariableDeclaration
 
   /**
    * Checks if {@code methodCall} is a query call that needs to be fixed and fixes if that's the
-   * case.
+   * case. If the parameterization happened, returns the PreparedStatement creation.
    */
-  public boolean checkAndFix() {
+  public Optional<MethodCallExpr> checkAndFix() {
     if (executeCall.findCompilationUnit().isPresent()) {
       this.compilationUnit = executeCall.findCompilationUnit().get();
     } else {
-      return false;
+      return Optional.empty();
     }
     // validate the call itself first
     if (isParameterizationCandidate(executeCall) && validateExecuteCall(executeCall).isPresent()) {
@@ -518,7 +521,7 @@ public boolean checkAndFix() {
         final QueryParameterizer queryp;
         // should not be emtpy
         if (executeCall.getArguments().isEmpty()) {
-          return false;
+          return Optional.empty();
         }
         queryp = new QueryParameterizer(executeCall.getArgument(0));
 
@@ -546,13 +549,12 @@ public boolean checkAndFix() {
                             .anyMatch(name -> assignedOrDefinedInScope(name, stmtLVD)));
 
         if (queryp.getInjections().isEmpty() || resolvedInScope || nameInScope) {
-          return false;
+          return Optional.empty();
         }
 
-        fix(stmtObject.get(), queryp, executeCall);
-        return true;
+        return Optional.of(fix(stmtObject.get(), queryp, executeCall));
       }
     }
-    return false;
+    return Optional.empty();
   }
 }

core-codemods/src/main/java/io/codemodder/codemods/SQLParameterizerCodemod.java

@@ -1,10 +1,8 @@
 package io.codemodder.codemods;
 
 import com.github.javaparser.ast.CompilationUnit;
-import com.github.javaparser.ast.body.CallableDeclaration;
 import com.github.javaparser.ast.expr.MethodCallExpr;
 import io.codemodder.*;
-import io.codemodder.ast.ASTTransforms;
 import io.codemodder.javaparser.JavaParserChanger;
 import java.util.List;
 import java.util.Optional;
@@ -18,13 +16,7 @@
 public final class SQLParameterizerCodemod extends JavaParserChanger {
 
   private Optional<CodemodChange> onNodeFound(final MethodCallExpr methodCallExpr) {
-    if (new SQLParameterizer(methodCallExpr).checkAndFix()) {
-      var maybeMethodDecl = methodCallExpr.findAncestor(CallableDeclaration.class);
-      // Cleanup, removes empty string concatenations and unused variables
-      maybeMethodDecl.ifPresent(cd -> ASTTransforms.removeEmptyStringConcatenation(cd));
-      // TODO hits a bug with javaparser, where adding nodes won't result in the correct children
-      // order. This causes the following to remove actually used variables
-      // maybeMethodDecl.ifPresent(md -> ASTTransforms.removeUnusedLocalVariables(md));
+    if (SQLParameterizerWithCleanup.checkAndFix(methodCallExpr)) {
       return Optional.of(CodemodChange.from(methodCallExpr.getBegin().get().line));
     } else {
       return Optional.empty();

core-codemods/src/main/java/io/codemodder/codemods/SQLParameterizerWithCleanup.java

@@ -0,0 +1,30 @@
+package io.codemodder.codemods;
+
+import com.github.javaparser.ast.body.CallableDeclaration;
+import com.github.javaparser.ast.expr.MethodCallExpr;
+import io.codemodder.ast.ASTTransforms;
+
+public final class SQLParameterizerWithCleanup {
+
+  private SQLParameterizerWithCleanup() {}
+
+  public static boolean checkAndFix(final MethodCallExpr methodCallExpr) {
+    var maybeFixed = new SQLParameterizer(methodCallExpr).checkAndFix();
+    if (maybeFixed.isPresent()) {
+      // Cleanup
+      var maybeMethodDecl = methodCallExpr.findAncestor(CallableDeclaration.class);
+      // Remove concatenation with empty strings e.g "first" +  "" -> "first";
+      maybeMethodDecl.ifPresent(ASTTransforms::removeEmptyStringConcatenation);
+      // TODO hits a bug with javaparser, where adding nodes won't result in the correct children
+      // order. This causes the following to remove actually used variables
+      // maybeMethodDecl.ifPresent(md -> ASTTransforms.removeUnusedLocalVariables(md));
+
+      // Merge concatenated literals, e.g. "first" + " and second" -> "first and second"
+      maybeFixed
+          .flatMap(mce -> mce.getArguments().getFirst())
+          .ifPresent(ASTTransforms::mergeConcatenatedLiterals);
+      return true;
+    }
+    return false;
+  }
+}

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after

@@ -64,8 +64,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
   protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
     StringBuilder output = new StringBuilder();
     String query =
-        "SELECT * FROM employees WHERE last_name = ?"
-            + " AND auth_tan = ?";
+        "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";
 
     try (Connection connection = dataSource.getConnection()) {
       try {
@@ -151,7 +150,7 @@ query,                 ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDAT
     String time = sdf.format(cal.getTime());
 
     String logQuery =
-        "INSERT INTO access_log (time, action) VALUES (?" + ", ?" + ")";
+        "INSERT INTO access_log (time, action) VALUES (?, ?)";
 
     try {
       PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);

core-codemods/src/test/resources/sql-parameterizer/Test.java.after

@@ -55,7 +55,7 @@ public final class Test {
   }
 
   public ResultSet stringAfterQuote(String input, String input2) throws SQLException {
-    String sql = "SELECT * FROM USERS WHERE USER = ?" + " AND PHONE=?";
+    String sql = "SELECT * FROM USERS WHERE USER = ? AND PHONE=?";
     PreparedStatement stmt = conn.prepareStatement(sql);
     stmt.setString(1, "user_" + input + "_name");
     stmt.setString(2, input2);

framework/codemodder-base/src/main/java/io/codemodder/ast/ASTTransforms.java

@@ -6,8 +6,10 @@
 import com.github.javaparser.ast.NodeList;
 import com.github.javaparser.ast.body.VariableDeclarator;
 import com.github.javaparser.ast.expr.BinaryExpr;
+import com.github.javaparser.ast.expr.EnclosedExpr;
 import com.github.javaparser.ast.expr.Expression;
 import com.github.javaparser.ast.expr.LambdaExpr;
+import com.github.javaparser.ast.expr.NameExpr;
 import com.github.javaparser.ast.expr.StringLiteralExpr;
 import com.github.javaparser.ast.expr.VariableDeclarationExpr;
 import com.github.javaparser.ast.nodeTypes.NodeWithBody;
@@ -19,6 +21,7 @@
 import com.github.javaparser.ast.stmt.Statement;
 import com.github.javaparser.ast.stmt.TryStmt;
 import com.github.javaparser.ast.type.ClassOrInterfaceType;
+import com.github.javaparser.resolution.types.ResolvedType;
 import java.util.Optional;
 
 public final class ASTTransforms {
@@ -219,10 +222,7 @@ public static void removeImportIfUnused(final CompilationUnit cu, final String c
   private static boolean isEmptyString(final Expression expr) {
     // TODO declared as empty with one assignment
     var resolved = ASTs.resolveLocalExpression(expr);
-    if (resolved.isStringLiteralExpr() && resolved.asStringLiteralExpr().getValue().equals("")) {
-      return true;
-    }
-    return false;
+    return resolved.isStringLiteralExpr() && resolved.asStringLiteralExpr().getValue().isEmpty();
   }
 
   /**
@@ -253,7 +253,8 @@ public static Expression removeEmptyStringConcatenation(final BinaryExpr binexp)
 
   /** Removes all concatenations with empty strings in the given subtree. */
   public static void removeEmptyStringConcatenation(Node subtree) {
-    subtree.findAll(BinaryExpr.class, Node.TreeTraversal.POSTORDER).stream()
+    subtree
+        .findAll(BinaryExpr.class, Node.TreeTraversal.POSTORDER)
         .forEach(binexp -> binexp.replace(removeEmptyStringConcatenation(binexp)));
   }
 
@@ -268,7 +269,7 @@ public static void removeUnusedLocalVariables(final Node subtree) {
         var lvd = maybelvd.get();
         var allReferences = ASTs.findAllReferences(lvd);
         // No references?
-        if (allReferences.size() == 0) {
+        if (allReferences.isEmpty()) {
           maybelvd.get().getStatement().remove();
         }
 
@@ -279,7 +280,7 @@ public static void removeUnusedLocalVariables(final Node subtree) {
             if (allAssignments.size() == 1) {
               var aexprStmt =
                   Optional.of(allAssignments.get(0))
-                      .flatMap(ae -> ae.getParentNode())
+                      .flatMap(Node::getParentNode)
                       .map(p -> p instanceof ExpressionStmt ? (ExpressionStmt) p : null);
               if (aexprStmt.isPresent()) {
                 aexprStmt.get().remove();
@@ -291,4 +292,75 @@ public static void removeUnusedLocalVariables(final Node subtree) {
       }
     }
   }
+
+  private static Optional<StringLiteralExpr> removeAndReturnRightmostExpression(
+      final BinaryExpr binExpr) {
+    if (binExpr.getRight().isStringLiteralExpr()) {
+      var right = binExpr.asBinaryExpr().getRight().asStringLiteralExpr();
+      binExpr.replace(binExpr.getLeft());
+      return Optional.of(right);
+    }
+    if (binExpr.isStringLiteralExpr()) {
+      return Optional.of(binExpr.asStringLiteralExpr());
+    }
+    return Optional.empty();
+  }
+
+  /**
+   * Given a string expression, merge any literals that are directly concatenated. This transform
+   * will recurse over any Names referenced.
+   */
+  public static void mergeConcatenatedLiterals(final Expression e) {
+    // EnclosedExpr and BinaryExpr are considered as internal nodes, so we recurse
+    if (e instanceof EnclosedExpr) {
+      if (calculateResolvedType(e)
+          .filter(rt -> rt.describe().equals("java.lang.String"))
+          .isPresent()) {
+        mergeConcatenatedLiterals(e.asEnclosedExpr().getInner());
+      }
+    }
+    // Only BinaryExpr between strings should be considered
+    else if (e instanceof BinaryExpr
+        && e.asBinaryExpr().getOperator().equals(BinaryExpr.Operator.PLUS)) {
+      mergeConcatenatedLiterals(e.asBinaryExpr().getLeft());
+      mergeConcatenatedLiterals(e.asBinaryExpr().getRight());
+      var left = e.asBinaryExpr().getLeft();
+      var right = e.asBinaryExpr().getRight();
+
+      if (right.isStringLiteralExpr()) {
+        if (left.isStringLiteralExpr()) {
+          e.replace(
+              new StringLiteralExpr(
+                  left.asStringLiteralExpr().getValue() + right.asStringLiteralExpr().getValue()));
+        }
+        if (left.isBinaryExpr()) {
+          var maybeLiteral = removeAndReturnRightmostExpression(left.asBinaryExpr());
+          maybeLiteral.ifPresent(
+              sl ->
+                  right.replace(
+                      new StringLiteralExpr(
+                          sl.getValue() + right.asStringLiteralExpr().getValue())));
+        }
+      }
+
+    }
+    // NameExpr of String types should be recursively searched for more expressions.
+    else if (e instanceof NameExpr
+        && calculateResolvedType(e)
+            .filter(rt -> rt.describe().equals("java.lang.String"))
+            .isPresent()) {
+      final var resolved = ASTs.resolveLocalExpression(e);
+      if (resolved != e) {
+        mergeConcatenatedLiterals(resolved);
+      }
+    }
+  }
+
+  private static Optional<ResolvedType> calculateResolvedType(final Expression e) {
+    try {
+      return Optional.of(e.calculateResolvedType());
+    } catch (final RuntimeException exception) {
+      return Optional.empty();
+    }
+  }
 }