Fixed error with changing execute statements in SQLi codemods (#494)
andrecsilva authored Feb 7, 2025
1 parent 6a7eedf commit 0c387e4
Showing 10 changed files with 20 additions and 23 deletions.
Expand Up @@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);

ResultSet resultSet = statement.execute();
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand Up @@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
statement.setString(1, name);

statement.setString(2, auth_tan);
ResultSet results = statement.execute();
ResultSet results = statement.executeQuery();
if (results.getStatement() != null) {
if (results.first()) {
output.append(generateTable(results));
Expand Down Expand Up @@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
statement.setString(1, sdf.format(cal.getTime()));
statement.setString(2, action);
statement.execute();
statement.executeUpdate();
} catch (SQLException e) {
System.err.println(e.getMessage());
}
Expand Up @@ -67,7 +67,7 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
statement.setString(1, accountName);

ResultSet results = statement.execute();
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
Expand Up @@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
statement.setString(1, name);

statement.setString(2, auth_tan);
ResultSet results = statement.execute();
ResultSet results = statement.executeQuery();
if (results.getStatement() != null) {
if (results.first()) {
output.append(generateTable(results));
Expand Down Expand Up @@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
statement.setString(1, sdf.format(cal.getTime()));
statement.setString(2, action);
statement.execute();
statement.executeUpdate();
} catch (SQLException e) {
System.err.println(e.getMessage());
}
Expand Up @@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);

ResultSet resultSet = statement.execute();
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand Up @@ -18,7 +18,7 @@ public final class SQLTestMixed {
String sql = "SELECT * FROM " + validateTableName(input + "") + " where name=?" ;
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, scanner.nextLine());
return stmt.execute();
return stmt.executeQuery();
}

String validateTableName(final String tablename) {
Expand Up @@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);

ResultSet resultSet = statement.execute();
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand Up @@ -14,14 +14,14 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
return stmt.execute();
return stmt.executeQuery();
}

public ResultSet directStatement(String input) throws SQLException {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
var rs = stmt.execute();
var rs = stmt.executeQuery();
return rs;
}

Expand All @@ -30,7 +30,7 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement statement = conn.prepareStatement(sql);
statement.setString(1, input);
ResultSet rs = statement.execute();
ResultSet rs = statement.executeQuery();
stmt++;
return rs;
}
Expand All @@ -41,7 +41,7 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt1 = conn.prepareStatement(sql);
stmt1.setString(1, input);
ResultSet rs = stmt1.execute();
ResultSet rs = stmt1.executeQuery();
stmt = stmt + statement;
return rs;
}
Expand All @@ -50,7 +50,7 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
try(PreparedStatement stmt = conn.prepareStatement(sql) ){
stmt.setString(1, input);
try (ResultSet rs = stmt.execute()) {
try (ResultSet rs = stmt.executeQuery()) {
return rs;
}
}
Expand All @@ -61,14 +61,14 @@ public final class Test {
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, "user_" + input + "_name");
stmt.setString(2, input2);
return stmt.execute();
return stmt.executeQuery();
}

public ResultSet referencesAfterExecute(String input) throws SQLException {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
var rs = stmt.execute();
var rs = stmt.executeQuery();
System.out.println(sql);
return rs;
}
Expand All @@ -78,7 +78,7 @@ public final class Test {
sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
var rs = stmt.execute();
var rs = stmt.executeQuery();
return rs;
}

Expand All @@ -88,7 +88,7 @@ public final class Test {
try {
stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
ResultSet rs = stmt.execute();
ResultSet rs = stmt.executeQuery();
return rs;
} catch (Exception e) {
}
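Review bot: Every expected call in this fixture (L115, L123, L132, L141, L150, L159, L167, L176, L185) is `executeQuery`, so nothing here pins the case the commit's removed TODO asked about — a plain `boolean ok = stmt.execute(sql)` call, which must keep the name `execute` after its argument is hoisted into `prepareStatement` because its return type differs from `executeQuery`. A fixture method such as `public boolean plainExecute(String input) throws SQLException { … return stmt.execute(); }` would catch a regression that reintroduces the rename. As far as this page shows, the other fixtures cover `executeUpdate` but not `execute`.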
Expand Up @@ -15,7 +15,7 @@ public final class Test {
String query2 = "SELECT * FROM users WHERE username = ?";
PreparedStatement statement = conn.prepareStatement(query2);
statement.setString(1, request.getParameter("username"));
ResultSet rs2 = statement.execute();
ResultSet rs2 = statement.executeQuery();
stmt = statement;
while (rs2.next()) {
System.out.println("User: " + rs2.getString("username"));
Expand All @@ -24,7 +24,7 @@ public final class Test {
stmt.close();
PreparedStatement stmt1 = conn.prepareStatement(query3);
stmt1.setString(1, request.getParameter("email"));
ResultSet rs3 = stmt1.execute();
ResultSet rs3 = stmt1.executeQuery();
stmt = stmt1;
while (rs3.next()) {
System.out.println("User: " + rs3.getString("username"));
Expand Up @@ -524,7 +524,6 @@ private MethodCallExpr fix(
var topStatement = gatherAndSetParameters(stmtName, executeStmt, queryParameterizer);

// (3)
executeCall.setName("execute");
executeCall.setScope(new NameExpr(stmtName));
executeCall.setArguments(new NodeList<>());

Expand Down Expand Up @@ -723,9 +722,7 @@ private MethodCallExpr fixByHijackedStatement(
ASTTransforms.addStatementBeforeStatement(topStatement, closeOriginal);
}

// TODO will this work for every type of execute statement? or just executeQuery?
// change execute statement
executeCall.setName("execute");
executeCall.setScope(new NameExpr(pStmtName));
executeCall.setArguments(new NodeList<>());

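Review bot: `executeCall.setArguments(new NodeList<>())` at the end of both hunks still discards every argument of the original call, and now that the method name is preserved a `Statement.executeUpdate(sql, Statement.RETURN_GENERATED_KEYS)` or `execute(sql, columnNames)` overload would be rewritten to a no-arg `executeUpdate()`/`execute()` on a `PreparedStatement` prepared without that flag — a silent behavioral change rather than a compile error. If the matcher upstream already restricts to single-argument `execute*` calls this is moot, but that guard is not visible here; otherwise the extra arguments should be forwarded to `prepareStatement(...)` or such calls skipped. Dropping the rename is what answers the removed TODO (`execute()` returns `boolean`, `executeQuery()` a `ResultSet`, `executeUpdate()` an `int`), and a comment such as `// keep the caller's execute* name: the return type depends on it` in place of the deleted line would record why. Both `fix` and `fixByHijackedStatement` begin before their hunks.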
