Initial implementation of transformation

andrecsilva · andrecsilva · commit 5a5d1dbe6c87 · 2025-01-23T10:53:54.000-03:00
diff --git a/src/core_codemods/docs/sonar_python_use-secure-protocols.md b/src/core_codemods/docs/sonar_python_use-secure-protocols.md
@@ -0,0 +1,21 @@
+Communication using clear-text protocols allows an attacker to sniff or tamper with the transported data.
+
+This codemod will replace any detected clear text protocol with their cryptographic enabled version.
+
+Our changes look like the following:
+```diff
+- url = "http://example.com"
++ url = "https://example.com"
+
+- ftp_con = ftplib.FTP("ftp.example.com")
++ ftp_con = ftplib.FTP_TLS("ftp.example.com")
+smtp_con = smtplib.SMTP("smtp.example.com", port=587)
++ smtp_context = ssl.create_default_context()
++ smtp_context.verify_mode = ssl.CERT_REQUIRED
++ smtp_context.check_hostname = True
++ smtp.starttls(context=smtp_context)
+
+
+- smtp_con_2 = smtplib.SMTP("smtp.gmail.com")
++ smtp_con_2 = smtplib.SMTP_SSL("smtp.gmail.com")
+```
diff --git a/src/core_codemods/sonar/api.py b/src/core_codemods/sonar/api.py
@@ -10,6 +10,25 @@
 
 
 class SonarCodemod(SASTCodemod):
+
+    def __init__(
+        self,
+        *,
+        metadata: Metadata,
+        transformer: BaseTransformerPipeline,
+        default_extensions: list[str] | None = None,
+        requested_rules: list[str] | None = None,
+        provider: str | None = None,
+    ):
+        super().__init__(
+            metadata=metadata,
+            detector=SonarDetector(),
+            transformer=transformer,
+            default_extensions=default_extensions,
+            requested_rules=requested_rules,
+            provider=provider,
+        )
+
     @property
     def origin(self):
         return "sonar"
@@ -38,7 +57,6 @@ def from_core_codemod_with_multiple_rules(
                 ),
             ),
             transformer=transformer if transformer else other.transformer,
-            detector=SonarDetector(),
             default_extensions=other.default_extensions,
             requested_rules=[tr.id for tr in rules],
         )
diff --git a/src/core_codemods/sonar/sonar_use_secure_protocols.py b/src/core_codemods/sonar/sonar_use_secure_protocols.py
@@ -1,8 +1,11 @@
+import libcst as cst
+
 from codemodder.codemods.base_codemod import Metadata, ReviewGuidance, ToolRule
 from codemodder.codemods.libcst_transformer import (
     LibcstResultTransformer,
     LibcstTransformerPipeline,
 )
+from codemodder.codemods.utils_mixin import NameAndAncestorResolutionMixin
 from codemodder.codetf import Reference
 from core_codemods.sonar.api import SonarCodemod
 
@@ -15,10 +18,134 @@
 ]
 
 
-class SonarUseSecureProtocolsTransformer(LibcstResultTransformer):
+class SonarUseSecureProtocolsTransformer(
+    LibcstResultTransformer, NameAndAncestorResolutionMixin
+):
     change_description = "Modified URLs or calls to use secure protocols"
 
+    def _match_and_handle_statement(
+        self, possible_smtp_call, original_node_statement, updated_node_statement
+    ):
+        maybe_name = self.find_base_name(possible_smtp_call)
+        match possible_smtp_call:
+            case cst.Call() if maybe_name == "smtplib.SMTP":
+                new_statements = []
+                new_statements.append(
+                    cst.parse_statement("smtp_context = ssl.create_default_context()")
+                )
+                new_statements.append(
+                    cst.parse_statement("smtp_context.verify_mode = ssl.CERT_REQUIRED")
+                )
+                new_statements.append(
+                    cst.parse_statement("smtp_context.check_hostname = True")
+                )
+                new_statements.append(updated_node_statement)
+                # TODO don't append this if we changed the call to SSL version
+                new_statements.append(
+                    cst.parse_statement("smtp.starttls(context=smtp_context)")
+                )
+                self.add_needed_import("smtp")
+                self.add_needed_import("ssl")
+                self.report_change(possible_smtp_call)
+                return cst.FlattenSentinel(new_statements)
+        return updated_node_statement
+
+    def leave_SimpleStatementLine(self, original_node, updated_node):
+        match original_node.body:
+            # match the first statement that is either selected or is an assignment whose value is selected
+            case [cst.Assign() as a, *_] if self.node_is_selected(a.value):
+
+                return self._match_and_handle_statement(
+                    a.value, original_node, updated_node
+                )
+            case [s, *_] if self.node_is_selected(s):
+                return self._match_and_handle_statement(s, original_node, updated_node)
+        return updated_node
+
     def leave_Call(self, original_node, updated_node):
+        if self.node_is_selected(original_node):
+            match self.find_base_name(original_node):
+                case "ftplib.FTP":
+                    new_func = cst.parse_expression("ftplib.FTP_TLS")
+                    self.report_change(original_node)
+                    self.add_needed_import("ftplib")
+                    return updated_node.with_changes(func=new_func)
+                case "smtplib.SMTP":
+                    # port is the second positional, check that
+                    maybe_port_value = (
+                        original_node.args[1]
+                        if len(original_node.args) >= 2
+                        and original_node.args[1].keyword is None
+                        else None
+                    )
+                    # find port keyword, if any
+                    maybe_port_value = maybe_port_value or next(
+                        iter(
+                            [
+                                a
+                                for a in original_node.args
+                                if a.keyword and a.keyword.value == "port"
+                            ]
+                        ),
+                        None,
+                    )
+                    maybe_port_value = (
+                        maybe_port_value.value if maybe_port_value else None
+                    )
+                    match maybe_port_value:
+                        case None:
+                            new_func = cst.parse_expression("smtplib.SMTP_SSL")
+                            self.report_change(original_node)
+                            self.add_needed_import("smtplib")
+                            new_args = [
+                                *original_node.args,
+                                cst.Arg(
+                                    keyword=cst.Name("context"),
+                                    value=cst.Name("smtp_context"),
+                                ),
+                            ]
+                            return updated_node.with_changes(
+                                func=new_func, args=new_args
+                            )
+                        # TODO still needs the context object statements here
+                        # TODO only change this if it mathces the statement pattern in leave_statemenet
+                        # TODO use a flag for this in visit_SimpleStatement
+                        case cst.Integer() if maybe_port_value == "0":
+                            new_func = cst.parse_expression("smtplib.SMTP_SSL")
+                            self.report_change(original_node)
+                            self.add_needed_import("smtplib")
+                            new_args = [
+                                *original_node.args,
+                                cst.Arg(
+                                    keyword=cst.Name("context"),
+                                    value=cst.Name("smtp_context"),
+                                ),
+                            ]
+                            return updated_node.with_changes(func=new_func)
+
+        return updated_node
+
+    def leave_SimpleString(
+        self, original_node: cst.SimpleString, updated_node: cst.SimpleString
+    ) -> cst.BaseExpression:
+        if self.node_is_selected(original_node):
+            match original_node.raw_value:
+                case original_node.raw_value as s if s.startswith("http"):
+                    self.report_change(original_node)
+                    return updated_node.with_changes(
+                        value=original_node.prefix
+                        + original_node.quote
+                        + s.replace("http", "https", 1)
+                        + original_node.quote
+                    )
+                case original_node.raw_value as s if s.startswith("ftp"):
+                    self.report_change(original_node)
+                    return updated_node.with_changes(
+                        value=original_node.prefix
+                        + original_node.quote
+                        + s.replace("ftp", "sftp", 1)
+                        + original_node.quote
+                    )
         return updated_node
 
 
