Expand Up @@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);

ResultSet resultSet = statement.execute();
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand Up @@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
statement.setString(1, name);

statement.setString(2, auth_tan);
ResultSet results = statement.execute();
ResultSet results = statement.executeQuery();
if (results.getStatement() != null) {
if (results.first()) {
output.append(generateTable(results));
Expand Down Expand Up @@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
statement.setString(1, sdf.format(cal.getTime()));
statement.setString(2, action);
statement.execute();
statement.executeUpdate();
} catch (SQLException e) {
System.err.println(e.getMessage());
}
Expand Up @@ -67,7 +67,7 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
statement.setString(1, accountName);

ResultSet results = statement.execute();
ResultSet results = statement.executeQuery();
if ((results != null) && (results.first())) {
ResultSetMetaData resultsMetaData = results.getMetaData();
StringBuilder output = new StringBuilder();
Expand Up @@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
statement.setString(1, name);

statement.setString(2, auth_tan);
ResultSet results = statement.execute();
ResultSet results = statement.executeQuery();
if (results.getStatement() != null) {
if (results.first()) {
output.append(generateTable(results));
Expand Down Expand Up @@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
statement.setString(1, sdf.format(cal.getTime()));
statement.setString(2, action);
statement.execute();
statement.executeUpdate();
} catch (SQLException e) {
System.err.println(e.getMessage());
}
Expand Up @@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);

ResultSet resultSet = statement.execute();
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand Up @@ -18,7 +18,7 @@ public final class SQLTestMixed {
String sql = "SELECT * FROM " + validateTableName(input + "") + " where name=?" ;
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, scanner.nextLine());
return stmt.execute();
return stmt.executeQuery();
}

String validateTableName(final String tablename) {
Expand Up @@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
PreparedStatement statement = connection.prepareStatement(checkUserQuery);
statement.setString(1, username_reg);

ResultSet resultSet = statement.execute();
ResultSet resultSet = statement.executeQuery();
if (resultSet.next()) {
if (username_reg.contains("tom'")) {
attackResult = success(this).feedback("user.exists").build();
Expand Up @@ -14,14 +14,14 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
return stmt.execute();
return stmt.executeQuery();
}

public ResultSet directStatement(String input) throws SQLException {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
var rs = stmt.execute();
var rs = stmt.executeQuery();
return rs;
}

Expand All @@ -30,7 +30,7 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement statement = conn.prepareStatement(sql);
statement.setString(1, input);
ResultSet rs = statement.execute();
ResultSet rs = statement.executeQuery();
stmt++;
return rs;
}
Expand All @@ -41,7 +41,7 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt1 = conn.prepareStatement(sql);
stmt1.setString(1, input);
ResultSet rs = stmt1.execute();
ResultSet rs = stmt1.executeQuery();
stmt = stmt + statement;
return rs;
}
Expand All @@ -50,7 +50,7 @@ public final class Test {
String sql = "SELECT * FROM USERS WHERE USER = ?";
try(PreparedStatement stmt = conn.prepareStatement(sql) ){
stmt.setString(1, input);
try (ResultSet rs = stmt.execute()) {
try (ResultSet rs = stmt.executeQuery()) {
return rs;
}
}
Expand All @@ -61,14 +61,14 @@ public final class Test {
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, "user_" + input + "_name");
stmt.setString(2, input2);
return stmt.execute();
return stmt.executeQuery();
}

public ResultSet referencesAfterExecute(String input) throws SQLException {
String sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
var rs = stmt.execute();
var rs = stmt.executeQuery();
System.out.println(sql);
return rs;
}
Expand All @@ -78,7 +78,7 @@ public final class Test {
sql = "SELECT * FROM USERS WHERE USER = ?";
PreparedStatement stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
var rs = stmt.execute();
var rs = stmt.executeQuery();
return rs;
}

Expand All @@ -88,7 +88,7 @@ public final class Test {
try {
stmt = conn.prepareStatement(sql);
stmt.setString(1, input);
ResultSet rs = stmt.execute();
ResultSet rs = stmt.executeQuery();
return rs;
} catch (Exception e) {
}
Expand Up @@ -15,7 +15,7 @@ public final class Test {
String query2 = "SELECT * FROM users WHERE username = ?";
PreparedStatement statement = conn.prepareStatement(query2);
statement.setString(1, request.getParameter("username"));
ResultSet rs2 = statement.execute();
ResultSet rs2 = statement.executeQuery();
stmt = statement;
while (rs2.next()) {
System.out.println("User: " + rs2.getString("username"));
Expand All @@ -24,7 +24,7 @@ public final class Test {
stmt.close();
PreparedStatement stmt1 = conn.prepareStatement(query3);
stmt1.setString(1, request.getParameter("email"));
ResultSet rs3 = stmt1.execute();
ResultSet rs3 = stmt1.executeQuery();
stmt = stmt1;
while (rs3.next()) {
System.out.println("User: " + rs3.getString("username"));
Expand Up @@ -524,7 +524,6 @@ private MethodCallExpr fix(
var topStatement = gatherAndSetParameters(stmtName, executeStmt, queryParameterizer);

// (3)
executeCall.setName("execute");
executeCall.setScope(new NameExpr(stmtName));
executeCall.setArguments(new NodeList<>());

Expand Down Expand Up @@ -725,7 +724,6 @@ private MethodCallExpr fixByHijackedStatement(

// TODO will this work for every type of execute statement? or just executeQuery?
Does this comment need to be adjusted?

I don't remember exactly why it's there, but we can probably safely remove this one; the transformation is restricted to only 4 types of execute statements, and all of these have an equivalent version in PreparedStatement objects.

// change execute statement
executeCall.setName("execute");
executeCall.setScope(new NameExpr(pStmtName));
executeCall.setArguments(new NodeList<>());

Expand Down
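Review bot: `executeCall.setArguments(new NodeList<>())`, directly below the removed `setName("execute")` line in `fix`, still discards every argument of the original call, and `Statement` has `execute`/`executeUpdate` overloads taking `(String, int autoGeneratedKeys)`, `(String, int[])` or `(String, String[])`; once the call keeps its original name but loses its arguments, those become the no-argument `PreparedStatement` form and the generated-keys request is dropped silently, which neither the compiler nor the fixture tests would catch. If the matcher that selects `executeCall` does not already limit it to the single-argument `execute*(String)` overloads — that selection is outside this hunk, so I cannot confirm it — add a guard on `executeCall.getArguments().size() == 1` before the rewrite, or carry the extra arguments over to the corresponding `Connection.prepareStatement(sql, ...)` overload, and record the restriction in a comment such as `// only the single-argument Statement.execute*(String) overloads have a no-arg PreparedStatement equivalent`. The same `setScope`/`setArguments` rewrite appears in `fixByHijackedStatement` in the second hunk and would need the same guard. Both `fix` and `fixByHijackedStatement` start and end outside their hunks.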