Add (failing) test case for Sonar SQL finding (#608)

Add (failing) test case for Sonar SQL parameterization finding

Author: drdavella

src/core_codemods/sonar/results.py

@@ -91,5 +91,5 @@ def from_json(cls, json_file: str | Path) -> Self:
 
             return result_set
         except Exception:
-            logger.debug("Could not parse sonar json %s", json_file)
+            logger.exception("Could not parse sonar json %s", json_file)
         return cls()

tests/codemods/sonar/test_sonar_sql_parameterization.py

@@ -1,8 +1,15 @@
 import json
+from pathlib import Path
+
+import pytest
 
 from codemodder.codemods.test import BaseSASTCodemodTest
 from core_codemods.sonar.sonar_sql_parameterization import SonarSQLParameterization
 
+SAMPLE_FILE_PATH = (
+    Path(__file__).parents[2] / "samples" / "sonar" / "sql_parameterization.json"
+)
+
 
 class TestSonarSQLParameterization(BaseSASTCodemodTest):
     codemod = SonarSQLParameterization
@@ -58,3 +65,65 @@ def f():
             ]
         }
         self.run_and_assert(tmpdir, input_code, expected, results=json.dumps(issues))
+
+    @pytest.mark.xfail(reason="TODO: See issue #607")
+    def test_more_complicated_example(self, tmpdir):
+        input_code = """
+        from django.shortcuts import redirect
+        from django.http import HttpResponse
+
+        import sqlite3
+        import json
+
+
+        def do_useful_things(request):
+            if request.method == "POST":
+                user = request.POST.get("user")
+
+                sql = "SELECT user FROM users WHERE user = '%s'"
+                conn = sqlite3.connect("example")
+                result = conn.cursor().execute(sql % user)
+
+                json_response = json.dumps({"user": result.fetchone()[0]})
+                return HttpResponse(json_response.encode("utf-8"))
+            else:
+                return redirect("/")
+        """.lstrip(
+            "\n"
+        )
+        expected = """
+        from django.shortcuts import redirect
+        from django.http import HttpResponse
+
+        import sqlite3
+        import json
+
+
+        def do_useful_things(request):
+            if request.method == "POST":
+                user = request.POST.get("user")
+
+                sql = "SELECT user FROM users WHERE user = ?"
+                conn = sqlite3.connect("example")
+                result = conn.cursor().execute(sql, (user, ))
+
+                json_response = json.dumps({"user": result.fetchone()[0]})
+                return HttpResponse(json_response.encode("utf-8"))
+            else:
+                return redirect("/")
+        """.lstrip(
+            "\n"
+        )
+
+        issues = json.loads(SAMPLE_FILE_PATH.read_text())
+
+        filename = Path(tmpdir) / "introduction" / "new_view.py"
+        filename.parent.mkdir(parents=True)
+
+        self.run_and_assert(
+            tmpdir,
+            input_code,
+            expected,
+            files=[filename],
+            results=json.dumps(issues),
+        )

tests/samples/sonar/sql_parameterization.json

@@ -0,0 +1 @@
+{"total":2,"p":1,"ps":100,"paging":{"pageIndex":1,"pageSize":100,"total":2},"effortTotal":35,"debtTotal":35,"issues":[{"key":"AY_KW3q9kpLwWuMztk6B","rule":"python:S6552","severity":"MAJOR","component":"drdavella_pygoat-sonar2:introduction/new_view.py","project":"drdavella_pygoat-sonar2","line":13,"hash":"91d1a8baa6977afdf844ab3f2870df56","textRange":{"startLine":13,"endLine":13,"startOffset":0,"endOffset":27},"flows":[],"status":"OPEN","message":"Move this \u0027@receiver\u0027 decorator to the top of the other decorators.","effort":"5min","debt":"5min","tags":[],"creationDate":"2024-05-30T18:34:05+0200","updateDate":"2024-05-30T18:35:24+0200","type":"BUG","organization":"drdavella","pullRequest":"5","cleanCodeAttribute":"LOGICAL","cleanCodeAttributeCategory":"INTENTIONAL","impacts":[{"softwareQuality":"RELIABILITY","severity":"MEDIUM"}]},{"key":"AY_KW3q9kpLwWuMztk6D","rule":"pythonsecurity:S3649","severity":"BLOCKER","component":"drdavella_pygoat-sonar2:introduction/new_view.py","project":"drdavella_pygoat-sonar2","line":20,"hash":"cc503242d422d9ba9c4f02e0c7e243cb","textRange":{"startLine":20,"endLine":20,"startOffset":17,"endOffset":51},"flows":[{"locations":[{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":20,"endLine":20,"startOffset":17,"endOffset":51},"msg":"Sink: this invocation is not safe; a malicious value can be used as argument"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":19,"endLine":19,"startOffset":8,"endOffset":92},"msg":"A malicious value can be assigned to variable ‘query’"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":19,"endLine":19,"startOffset":16,"endOffset":92},"msg":"This concatenation can propagate malicious content to the newly created string"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":19,"endLine":19,"startOffset":54,"endOffset":58},"msg":"The malicious content is concatenated into the string"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":16,"endLine":16,"startOffset":8,"endOffset":39},"msg":"A malicious value can be assigned to variable ‘name’"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":16,"endLine":16,"startOffset":15,"endOffset":39},"msg":"Source: a user can craft an HTTP request with malicious content"}]},{"locations":[{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":20,"endLine":20,"startOffset":17,"endOffset":51},"msg":"Sink: this invocation is not safe; a malicious value can be used as argument"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":19,"endLine":19,"startOffset":8,"endOffset":92},"msg":"A malicious value can be assigned to variable ‘query’"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":19,"endLine":19,"startOffset":16,"endOffset":92},"msg":"This concatenation can propagate malicious content to the newly created string"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":19,"endLine":19,"startOffset":81,"endOffset":86},"msg":"The malicious content is concatenated into the string"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":17,"endLine":17,"startOffset":8,"endOffset":41},"msg":"A malicious value can be assigned to variable ‘phone’"},{"component":"drdavella_pygoat-sonar2:introduction/new_view.py","textRange":{"startLine":17,"endLine":17,"startOffset":16,"endOffset":41},"msg":"Source: a user can craft an HTTP request with malicious content"}]}],"status":"OPEN","message":"Change this code to not construct SQL queries directly from user-controlled data.","effort":"30min","debt":"30min","tags":["cwe","sql"],"creationDate":"2024-05-30T18:34:05+0200","updateDate":"2024-05-30T18:35:24+0200","type":"VULNERABILITY","organization":"drdavella","pullRequest":"5","cleanCodeAttribute":"COMPLETE","cleanCodeAttributeCategory":"INTENTIONAL","impacts":[{"softwareQuality":"SECURITY","severity":"HIGH"}]}],"components":[{"organization":"drdavella","key":"drdavella_pygoat-sonar2:introduction/new_view.py","uuid":"AY_KW3gxkpLwWuMztk5a","enabled":true,"qualifier":"FIL","name":"new_view.py","longName":"introduction/new_view.py","path":"introduction/new_view.py","pullRequest":"5"},{"organization":"drdavella","key":"drdavella_pygoat-sonar2","uuid":"AY_KWyTh-nOrCSyUsFgG","enabled":true,"qualifier":"TRK","name":"pygoat-sonar","longName":"pygoat-sonar","pullRequest":"5"}],"organizations":[{"key":"drdavella","name":"Dan D\u0027Avella"}],"facets":[]}