SONARJAVA-4866 S2077: Support detection of formatted SQL queries in Spring (#4750)

irina-batinic-sonarsource · web-flow · commit 38a69d4512a2 · 2024-04-03T11:18:37.000+02:00
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S2077.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S2077.json
@@ -1,6 +1,6 @@
 {
   "ruleKey": "S2077",
   "hasTruePositives": true,
-  "falseNegatives": 10,
+  "falseNegatives": 47,
   "falsePositives": 0
-}
+}
diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S3740.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S3740.json
@@ -1,6 +1,6 @@
 {
   "ruleKey": "S3740",
   "hasTruePositives": true,
-  "falseNegatives": 50,
+  "falseNegatives": 51,
   "falsePositives": 0
-}
+}
diff --git a/java-checks-test-sources/spring-3.2/pom.xml b/java-checks-test-sources/spring-3.2/pom.xml
@@ -58,6 +58,16 @@
       <version>6.2.3</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-core</artifactId>
+      <version>6.2.3</version>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-jdbc</artifactId>
+      <version>6.1.5</version>
+    </dependency>
   </dependencies>
     
   <profiles>
diff --git a/java-checks-test-sources/spring-3.2/src/main/java/checks/SQLInjectionCheckSample.java b/java-checks-test-sources/spring-3.2/src/main/java/checks/SQLInjectionCheckSample.java
@@ -0,0 +1,75 @@
+package checks;
+
+import org.springframework.jdbc.core.JdbcOperations;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.PreparedStatementCallback;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.RowMapperResultSetExtractor;
+import org.springframework.jdbc.core.namedparam.BeanPropertySqlParameterSource;
+import org.springframework.jdbc.core.namedparam.EmptySqlParameterSource;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
+import org.springframework.jdbc.core.namedparam.SqlParameterSource;
+import org.springframework.jdbc.core.simple.JdbcClient;
+import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
+import org.springframework.security.provisioning.JdbcUserDetailsManager;
+
+public class SQLInjectionCheckSample {
+
+  void testJdbcClient(String input, JdbcClient jdbcClient) {
+    jdbcClient.sql("SELECT " + input).query(); // Noncompliant
+  }
+
+  void testJdbcDao(String input, JdbcDaoImpl jdbcDao) {
+    jdbcDao.setAuthoritiesByUsernameQuery("SELECT " + input); // Noncompliant
+    jdbcDao.setGroupAuthoritiesByUsernameQuery("SELECT " + input); // Noncompliant
+    jdbcDao.setUsersByUsernameQuery("SELECT " + input); // Noncompliant
+  }
+
+  void testJdbcOperations(String input, JdbcOperations jdbcOperations, RowMapper<String> rowMapper) {
+    jdbcOperations.execute("SELECT " + input); // Noncompliant
+    jdbcOperations.queryForStream("SELECT " + input, rowMapper); // Noncompliant
+  }
+
+  void testJdbcTemplate(String input, JdbcTemplate jdbcTemplate, RowMapper<String> rowMapper) {
+    jdbcTemplate.execute("SELECT " + input); // Noncompliant
+    jdbcTemplate.queryForStream("SELECT " + input, rowMapper); // Noncompliant
+  }
+
+  void testNamedParameterJdbcTemplate(String input, NamedParameterJdbcTemplate namedParameterJdbcTemplate, RowMapper<String> rowMapper,
+    PreparedStatementCallback<String> preparedStatementCallback) {
+    namedParameterJdbcTemplate.batchUpdate("SELECT " + input, new SqlParameterSource[1]); // Noncompliant
+    namedParameterJdbcTemplate.execute("SELECT " + input, preparedStatementCallback); // Noncompliant
+    namedParameterJdbcTemplate.query("SELECT " + input, new BeanPropertySqlParameterSource(new Object()), new RowMapperResultSetExtractor(rowMapper)); // Noncompliant
+    namedParameterJdbcTemplate.queryForList("SELECT " + input, EmptySqlParameterSource.INSTANCE); // Noncompliant
+    namedParameterJdbcTemplate.queryForMap("SELECT " + input, EmptySqlParameterSource.INSTANCE); // Noncompliant
+    namedParameterJdbcTemplate.queryForObject("SELECT " + input, EmptySqlParameterSource.INSTANCE, rowMapper); // Noncompliant
+    namedParameterJdbcTemplate.queryForRowSet("SELECT " + input, EmptySqlParameterSource.INSTANCE); // Noncompliant
+    namedParameterJdbcTemplate.queryForStream("SELECT " + input, EmptySqlParameterSource.INSTANCE, rowMapper); // Noncompliant
+    namedParameterJdbcTemplate.update("SELECT " + input, EmptySqlParameterSource.INSTANCE); // Noncompliant
+  }
+
+  void testJdbcUserDetailsManager(String input) {
+    JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();
+    jdbcUserDetailsManager.setChangePasswordSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setCreateAuthoritySql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setCreateUserSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteGroupAuthoritiesSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteGroupAuthoritySql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteGroupMemberSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteGroupMembersSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteGroupSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteUserAuthoritiesSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setDeleteUserSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setFindAllGroupsSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setFindGroupIdSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setFindUsersInGroupSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setGroupAuthoritiesSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setInsertGroupAuthoritySql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setInsertGroupMemberSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setInsertGroupSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setRenameGroupSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setUpdateUserSql("SELECT " + input); // Noncompliant
+    jdbcUserDetailsManager.setUserExistsSql("SELECT " + input); // Noncompliant
+  }
+
+}
diff --git a/java-checks/src/main/java/org/sonar/java/checks/SQLInjectionCheck.java b/java-checks/src/main/java/org/sonar/java/checks/SQLInjectionCheck.java
@@ -19,8 +19,8 @@
  */
 package org.sonar.java.checks;
 
-import java.util.Arrays;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -70,9 +70,9 @@ public class SQLInjectionCheck extends IssuableSubscriptionVisitor {
       .names("createNativeQuery", "createQuery")
       .withAnyParameters()
       .build(),
-    MethodMatchers.create().ofSubTypes(SPRING_JDBC_OPERATIONS)
+    MethodMatchers.create().ofSubTypes(SPRING_JDBC_OPERATIONS, "org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate")
       .names("batchUpdate", "execute", "query", "queryForList", "queryForMap", "queryForObject",
-        "queryForRowSet", "queryForInt", "queryForLong", "update")
+        "queryForRowSet", "queryForInt", "queryForLong", "update", "queryForStream")
       .withAnyParameters()
       .build(),
     MethodMatchers.create()
@@ -89,8 +89,32 @@ public class SQLInjectionCheck extends IssuableSubscriptionVisitor {
       .ofSubTypes("javax.jdo.Query")
       .names("setFilter", "setGrouping")
       .withAnyParameters()
+      .build(),
+    MethodMatchers.create()
+      .ofSubTypes("org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl")
+      .names("setAuthoritiesByUsernameQuery", "setGroupAuthoritiesByUsernameQuery", "setUsersByUsernameQuery")
+      .withAnyParameters()
+      .build(),
+    MethodMatchers.create()
+      .ofSubTypes("org.springframework.security.provisioning.JdbcUserDetailsManager")
+      .names("setChangePasswordSql", "setCreateAuthoritySql", "setCreateUserSql", "setDeleteGroupAuthoritiesSql",
+        "setDeleteGroupAuthoritySql", "setDeleteGroupMemberSql", "setDeleteGroupMembersSql", "setDeleteGroupSql",
+        "setDeleteUserAuthoritiesSql", "setDeleteUserSql", "setFindAllGroupsSql", "setFindGroupIdSql", "setFindUsersInGroupSql",
+        "setGroupAuthoritiesSql", "setInsertGroupAuthoritySql", "setInsertGroupMemberSql", "setInsertGroupSql", "setRenameGroupSql",
+        "setUpdateUserSql", "setUserExistsSql")
+      .withAnyParameters()
+      .build(),
+    MethodMatchers.create()
+      .ofSubTypes("org.springframework.jdbc.core.simple.JdbcClient")
+      .names("sql")
+      .withAnyParameters()
+      .build(),
+    MethodMatchers.create()
+      .ofTypes("org.springframework.data.r2dbc.repository.query.StringBasedR2dbcQuery")
+      .names(CONSTRUCTOR)
+      .withAnyParameters()
       .build());
-  
+
   private static final String MAIN_MESSAGE = "Make sure using a dynamically formatted SQL query is safe here.";
 
   @Override
@@ -128,7 +152,8 @@ private static List<JavaFileScannerContext.Location> secondaryLocations(@Nullabl
     List<AssignmentExpressionTree> reassignments,
     String identifierName) {
     List<JavaFileScannerContext.Location> secondaryLocations = reassignments.stream()
-      .map(assignment -> new JavaFileScannerContext.Location(String.format("SQL Query is assigned to '%s'", getVariableName(assignment)), assignment.expression()))
+      .map(assignment -> new JavaFileScannerContext.Location(String.format("SQL Query is assigned to '%s'", getVariableName(assignment)),
+        assignment.expression()))
       .collect(Collectors.toCollection(ArrayList::new));
 
     if (initializerOrExpression != null) {
@@ -138,7 +163,7 @@ private static List<JavaFileScannerContext.Location> secondaryLocations(@Nullabl
     }
     return secondaryLocations;
   }
-  
+
   private static String getVariableName(AssignmentExpressionTree assignment) {
     ExpressionTree variable = assignment.variable();
     return ((IdentifierTree) variable).name();
diff --git a/java-checks/src/test/java/org/sonar/java/checks/SQLInjectionCheckTest.java b/java-checks/src/test/java/org/sonar/java/checks/SQLInjectionCheckTest.java
@@ -19,13 +19,19 @@
  */
 package org.sonar.java.checks;
 
+import java.io.File;
+import java.util.List;
 import org.junit.jupiter.api.Test;
 import org.sonar.java.checks.verifier.CheckVerifier;
+import org.sonar.java.test.classpath.TestClasspathUtils;
 
 import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPath;
+import static org.sonar.java.checks.verifier.TestUtils.mainCodeSourcesPathInModule;
 
 class SQLInjectionCheckTest {
 
+  private static final List<File> SPRING_3_2_CLASSPATH = TestClasspathUtils.loadFromFile(Constants.SPRING_3_2_CLASSPATH);
+
   @Test
   void test() {
     CheckVerifier.newVerifier()
@@ -34,4 +40,13 @@ void test() {
       .verifyIssues();
   }
 
+  @Test
+  void test_with_spring_3_2() {
+    CheckVerifier.newVerifier()
+      .onFile(mainCodeSourcesPathInModule(Constants.SPRING_3_2, "checks/SQLInjectionCheckSample.java"))
+      .withCheck(new SQLInjectionCheck())
+      .withClassPath(SPRING_3_2_CLASSPATH)
+      .verifyIssues();
+  }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"ruleKey": "S2077",`
`3`	`3`	`"hasTruePositives": true,`
`4`		`- "falseNegatives": 10,`
	`4`	`+ "falseNegatives": 47,`
`5`	`5`	`"falsePositives": 0`
`6`		`-}`
	`6`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"ruleKey": "S3740",`
`3`	`3`	`"hasTruePositives": true,`
`4`		`- "falseNegatives": 50,`
	`4`	`+ "falseNegatives": 51,`
`5`	`5`	`"falsePositives": 0`
`6`		`-}`
	`6`	`+}`