Merge pull request #60 from Trivadis/bugfix/issue-56-assignment-in-declare

PhilippSalvisberg · web-flow · commit e25df0ace79f · 2023-10-04T12:53:39.000+02:00
Bugfix false positive in G-9501 when using assignment in variable/constant of declare section
diff --git a/src/main/java/com/trivadis/tvdcc/validators/SQLInjection.xtend b/src/main/java/com/trivadis/tvdcc/validators/SQLInjection.xtend
@@ -47,6 +47,7 @@ import org.eclipse.xtext.nodemodel.util.NodeModelUtils
 import org.eclipse.xtext.validation.Check
 import org.eclipse.xtext.validation.EValidatorRegistrar
 import com.trivadis.oracle.plsql.plsql.ConstantDeclaration
+import java.util.ArrayList
 
 class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 	HashMap<Integer, PLSQLCopGuideline> guidelines
@@ -215,6 +216,56 @@ class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 		return ""
 	}
 	
+	def contains(EObject obj, String name) {
+		val names = EcoreUtil2.getAllContentsOfType(obj, SimpleExpressionNameValue)
+		for (n : names) {
+			if (n.value.equalsIgnoreCase(name)) {
+				return true
+			}
+		}
+		return false
+	}
+	
+	def getItemsWithDefaults(SimpleExpressionNameValue n) {
+		var Body body = n.body
+		var DeclareSection decl
+		if (body === null) {
+			decl = EcoreUtil2.getContainerOfType(n, DeclareSection)
+		} else {
+			decl = body.declareSection
+		}
+		val items = new ArrayList<SimpleExpressionNameValue>
+		val variables = EcoreUtil2.getAllContentsOfType(decl, VariableDeclaration)
+		for (v : variables) {
+			if (v.getDefault() !== null) {
+				if (v.getDefault().contains(n.value)) {
+					items.add(v.variable)
+				}
+			}
+		}
+		val constants = EcoreUtil2.getAllContentsOfType(decl, ConstantDeclaration)
+		for (c: constants) {
+			if (c.getDefault() !== null) {
+				if (c.getDefault().contains(n.value)) {
+					items.add(c.constant)
+				}
+			}
+		}
+		if (body !== null) {
+			val bodyItems = new ArrayList<SimpleExpressionNameValue>
+			val names = EcoreUtil2.getAllContentsOfType(body, SimpleExpressionNameValue)
+			for (name : names) {
+				for (item : items) {
+					if (name.value.equalsIgnoreCase(item.value)) {
+						bodyItems.add(name)
+					}
+						
+				}
+			}
+			items.addAll(bodyItems)
+		}
+		return items;
+	}
 	
 	def isAsserted(SimpleExpressionNameValue n) {
 		var EObject obj = EcoreUtil2.getContainerOfType(n, Body)
@@ -232,6 +283,20 @@ class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 		}
 		return false
 	}
+	
+	def isAssertedInParameterOrConstantsOrVariables(SimpleExpressionNameValue n) {
+		// check parameter fist
+		if (n.isAsserted) {
+			return true
+		}
+		// check constants and variables with an assignment of the parameter
+		for (item : getItemsWithDefaults(n)) {
+			if (isAsserted(item)) {
+				return true
+			}
+		}
+		return false
+	}
 
 	def isParameterName(SimpleExpressionNameValue n) {
 		if (n.eContainer instanceof FunctionOrParenthesisParameter) {
@@ -252,7 +317,7 @@ class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 	def void check(SimpleExpressionNameValue n, HashMap<String, SimpleExpressionNameValue> expressions) {
 		if (!n.parameterName) {
 			if (n.isParameter) {
-				if (!n.isAsserted) {
+				if (!n.isAssertedInParameterOrConstantsOrVariables) {
 					warning(9501, n, n)
 					return
 				}
@@ -294,6 +359,33 @@ class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 		}
 		return declareSection;		
 	}
+	
+	def Body getBody(EObject obj) {
+		val parent = obj.eContainer
+		var Body body
+		if (parent instanceof CreateFunction) {
+			body = parent.body 
+		} else if (parent instanceof CreateProcedure) {
+			body = parent.body
+		} else if (parent instanceof FuncDeclInType) {
+			body = parent.body
+		} else if (parent instanceof ProcDeclInType) {
+			body = parent.body
+		} else if (parent instanceof ConstructorDeclaration) {
+			body = parent.body
+		} else if (parent instanceof PlsqlBlock) {
+			body = parent.body
+		} else if (parent instanceof FunctionDefinition) {
+			body = parent.body
+		} else if (parent instanceof ProcedureDefinition) {
+			body = parent.body
+		} else if (parent === null) {
+			body = null;
+		} else {
+			body = getBody(parent);
+		}
+		return body;
+	}
 
 	def HashMap<String, SimpleExpressionNameValue> getSimpleExpressinNamesFromAssignments(SimpleExpressionNameValue n) {
 		val expressions = new HashMap<String, SimpleExpressionNameValue>
diff --git a/src/test/java/com/trivadis/tvdcc/validators/tests/SQLInjectionTest.xtend b/src/test/java/com/trivadis/tvdcc/validators/tests/SQLInjectionTest.xtend
@@ -514,4 +514,36 @@ class SQLInjectionTest extends AbstractValidatorTest {
 		Assert.assertEquals(0, issues.size)
 	}
 
+	@Test
+	def void issue56_using_asserted_variable_with_default_in_execute_immediate() {
+		val stmt = '''
+			create or replace procedure exec_sql(in_sql in varchar2) is
+			   l_sql          varchar2(1000 char) := in_sql;
+			   l_sql_asserted varchar2(1000 char);
+			begin
+			   l_sql_asserted := sys.dbms_assert.noop(l_sql);
+			   execute immediate l_sql_asserted;
+			end exec_sql;
+			/
+		'''
+		val issues = stmt.issues
+		Assert.assertEquals(0, issues.size)
+	}
+
+	@Test
+	def void issue56_using_asserted_constant_with_default_in_execute_immediate() {
+		val stmt = '''
+			create or replace procedure exec_sql(in_sql in varchar2) is
+			   co_sql         constant varchar2(1000 char) := in_sql;
+			   l_sql_asserted varchar2(1000 char);
+			begin
+			   l_sql_asserted := sys.dbms_assert.noop(co_sql);
+			   execute immediate l_sql_asserted;
+			end exec_sql;
+			/
+		'''
+		val issues = stmt.issues
+		Assert.assertEquals(0, issues.size)
+	}
+
 }
