Merge pull request #30 from Trivadis/bugfix/issue-23-9501-false-negative

PhilippSalvisberg · web-flow · commit 8b799895b760 · 2020-09-04T11:30:00.000+02:00
Bugfix/issue 23 9501 false negative
diff --git a/src/main/java/com/trivadis/tvdcc/validators/SQLInjection.xtend b/src/main/java/com/trivadis/tvdcc/validators/SQLInjection.xtend
@@ -21,18 +21,21 @@ import com.trivadis.oracle.plsql.plsql.Body
 import com.trivadis.oracle.plsql.plsql.ConstructorDeclaration
 import com.trivadis.oracle.plsql.plsql.CreateFunction
 import com.trivadis.oracle.plsql.plsql.CreateProcedure
+import com.trivadis.oracle.plsql.plsql.DeclareSection
 import com.trivadis.oracle.plsql.plsql.ExecuteImmediateStatement
 import com.trivadis.oracle.plsql.plsql.FuncDeclInType
 import com.trivadis.oracle.plsql.plsql.FunctionDefinition
 import com.trivadis.oracle.plsql.plsql.FunctionOrParenthesisParameter
 import com.trivadis.oracle.plsql.plsql.OpenForStatement
 import com.trivadis.oracle.plsql.plsql.ParameterDeclaration
+import com.trivadis.oracle.plsql.plsql.PlsqlBlock
 import com.trivadis.oracle.plsql.plsql.ProcDeclInType
 import com.trivadis.oracle.plsql.plsql.ProcedureCallOrAssignmentStatement
 import com.trivadis.oracle.plsql.plsql.ProcedureDefinition
 import com.trivadis.oracle.plsql.plsql.SimpleExpressionNameValue
 import com.trivadis.oracle.plsql.plsql.SimpleExpressionStringValue
 import com.trivadis.oracle.plsql.plsql.UserDefinedType
+import com.trivadis.oracle.plsql.plsql.VariableDeclaration
 import com.trivadis.oracle.plsql.validation.PLSQLCopGuideline
 import com.trivadis.oracle.plsql.validation.PLSQLCopValidator
 import com.trivadis.oracle.plsql.validation.PLSQLJavaValidator
@@ -213,8 +216,11 @@ class SQLInjection extends PLSQLJavaValidator implements PLSQLCopValidator {
 	
 	
 	def isAsserted(SimpleExpressionNameValue n) {
-		val body = EcoreUtil2.getContainerOfType(n, Body)
-		val usages = EcoreUtil2.getAllContentsOfType(body, SimpleExpressionNameValue).filter[it.value.equalsIgnoreCase(n.value)]
+		var EObject obj = EcoreUtil2.getContainerOfType(n, Body)
+		if (obj === null) {
+			obj = EcoreUtil2.getContainerOfType(n, DeclareSection)
+		}
+		val usages = EcoreUtil2.getAllContentsOfType(obj, SimpleExpressionNameValue).filter[it.value.equalsIgnoreCase(n.value)]
 		for (usage : usages) {
 			val name = usage.qualifiedFunctionName
 			for (assertPackage : ASSERT_PACKAGES) {
@@ -262,6 +268,32 @@ class SQLInjection extends PLSQLJavaValidator implements PLSQLCopValidator {
 		}
 	}
 	
+	def getDeclareSection(Body body) {
+		val parent = body.eContainer
+		var DeclareSection declareSection;
+		if (parent instanceof CreateFunction) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof CreateProcedure) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof FuncDeclInType) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof ProcDeclInType) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof ConstructorDeclaration) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof PlsqlBlock) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof FunctionDefinition) {
+			declareSection = parent.declareSection
+		} else if (parent instanceof ProcedureDefinition) {
+			declareSection = parent.declareSection
+		} else {
+			// CreatePackageBody, CreateTrigger, CreateTypeBody
+			declareSection = null;
+		}
+		return declareSection;		
+	}
+
 	def HashMap<String, SimpleExpressionNameValue> getSimpleExpressinNamesFromAssignments(SimpleExpressionNameValue n) {
 		val expressions = new HashMap<String, SimpleExpressionNameValue>
 		val body = EcoreUtil2.getContainerOfType(n, Body)
@@ -281,8 +313,16 @@ class SQLInjection extends PLSQLJavaValidator implements PLSQLCopValidator {
 				}
 			}
 		}
-		if (expressions.size == 0) {
-			expressions.put(n.value.toLowerCase, n);
+		val declareSection = body.declareSection
+		if (declareSection !== null) {
+			val variable = EcoreUtil2.getAllContentsOfType(declareSection, VariableDeclaration).findFirst [
+				it.variable.value.equalsIgnoreCase(n.value) && it.getDefault() !== null
+			]
+			if (variable !== null) {
+				for (name : getRelevantSimplExpressionNameValues(variable.getDefault())) {
+					expressions.put(name.value.toLowerCase, name)
+				}
+			}
 		}
 		return expressions;
 	}
@@ -292,6 +332,9 @@ class SQLInjection extends PLSQLJavaValidator implements PLSQLCopValidator {
 		if (obj !== null) {
 			if (obj instanceof SimpleExpressionNameValue) {
 				expressions.putAll(obj.simpleExpressinNamesFromAssignments)
+				if (expressions.size == 0) {
+					expressions.put(obj.value.toLowerCase, obj);
+				}
 			} else {
 				for (name : getRelevantSimplExpressionNameValues(obj)) {
 					expressions.put(name.value.toLowerCase, name)
diff --git a/src/test/java/com/trivadis/tvdcc/validators/tests/SQLInjectionTest.xtend b/src/test/java/com/trivadis/tvdcc/validators/tests/SQLInjectionTest.xtend
@@ -415,6 +415,62 @@ class SQLInjectionTest extends AbstractValidatorTest {
 		Assert.assertEquals(7, issues.get(0).lineNumber)
 		Assert.assertEquals(7, issues.get(1).lineNumber)
 	}
+	
+	@Test
+	def void issue23_assign_parameter_in_declare_section_nok() {
+		val stmt = '''
+			CREATE OR REPLACE PROCEDURE get_record (
+			   user_name     IN   VARCHAR2,
+			   service_type  IN   VARCHAR2,
+			   rec           OUT  VARCHAR2
+			) IS
+			   l_user_name     VARCHAR2(4000) := user_name;
+			   l_service_type  VARCHAR2(4000) := service_type;
+			   query           VARCHAR2(4000);
+			BEGIN
+			   -- Following SELECT statement is vulnerable to modification
+			   -- because it uses concatenation to build WHERE clause.
+			   query := q'[SELECT value FROM secret_records WHERE user_name=']'
+			            || l_user_name
+			            || q'[' AND service_type=']'
+			            || l_service_type
+			            || q'[']';
+			   DBMS_OUTPUT.PUT_LINE('Query: ' || query);
+			   EXECUTE IMMEDIATE query INTO rec;
+			   DBMS_OUTPUT.PUT_LINE('Rec: ' || rec);
+			END;
+		'''
+		val issues = stmt.issues
+		Assert.assertEquals(2, issues.size)
+	}
+
+	@Test
+	def void issue23_assign_parameter_in_declare_section_ok() {
+		val stmt = '''
+			CREATE OR REPLACE PROCEDURE get_record (
+			   user_name     IN   VARCHAR2,
+			   service_type  IN   VARCHAR2,
+			   rec           OUT  VARCHAR2
+			) IS
+			   l_user_name     VARCHAR2(4000) := sys.dbms_assert.enquote_name(user_name);
+			   l_service_type  VARCHAR2(4000) := sys.dbms_assert.enquote_name(service_type);
+			   query           VARCHAR2(4000);
+			BEGIN
+			   -- Following SELECT statement is vulnerable to modification
+			   -- because it uses concatenation to build WHERE clause.
+			   query := q'[SELECT value FROM secret_records WHERE user_name=']'
+			            || l_user_name
+			            || q'[' AND service_type=']'
+			            || l_service_type
+			            || q'[']';
+			   DBMS_OUTPUT.PUT_LINE('Query: ' || query);
+			   EXECUTE IMMEDIATE query INTO rec;
+			   DBMS_OUTPUT.PUT_LINE('Rec: ' || rec);
+			END;
+		'''
+		val issues = stmt.issues
+		Assert.assertEquals(0, issues.size)
+	}
 
 	@Test
 	def void issue24_using_parameter_without_expression_in_execute_immediate() {
@@ -429,5 +485,5 @@ class SQLInjectionTest extends AbstractValidatorTest {
 		val issues = stmt.issues
 		Assert.assertEquals(1, issues.size)
 	}
-
+	
 }
