Class ApexCRUDViolationRule, method checkForAccessibility.
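/**
 * Checks that a SOQL query is preceded by an object-level accessibility
 * (CRUD/FLS) check for the object types it reads.
 *
 * <p>The check is skipped for {@code SELECT COUNT()} queries and for code
 * located in a test method or test class. Queries inside a getter method are
 * also not validated. The object types to validate are those resolved from
 * the query itself; when none can be resolved, the declared type of whatever
 * receives the query result is used instead: the declared local variable
 * ({@code DefiningClass:Type}), the assignment target's recorded type, or the
 * wrapping method's return type when the query is returned directly.
 *
 * @param node the SOQL expression under inspection
 * @param data the rule context handed through to
 *             {@code validateCRUDCheckPresent}
 */
private void checkForAccessibility(final ASTSoqlExpression node, Object data) {
    final boolean isCount = node.getNode().getCanonicalQuery().startsWith("SELECT COUNT()");
    final Set<String> typesFromSOQL = getTypesFromSOQLQuery(node);

    // Record every CRUD/FLS check made earlier in the same method so that
    // validateCRUDCheckPresent can match the query against them.
    for (ASTMethodCallExpression prevCall : getPreviousMethodCalls(node)) {
        collectCRUDMethodLevelChecks(prevCall);
    }

    final ASTMethod wrappingMethod = node.getFirstParentOfType(ASTMethod.class);
    final ASTUserClass wrappingClass = node.getFirstParentOfType(ASTUserClass.class);
    // COUNT() queries and test code are exempt from the check.
    if (isCount
            || wrappingClass != null && Helper.isTestMethodOrClass(wrappingClass)
            || wrappingMethod != null && Helper.isTestMethodOrClass(wrappingMethod)) {
        return;
    }

    boolean isGetter = false;
    // May stay null when the query has no wrapping method; it is then passed
    // as-is to validateCRUDCheckPresent for the return-statement case.
    String returnType = null;
    if (wrappingMethod != null) {
        isGetter = isMethodAGetter(wrappingMethod);
        returnType = getReturnType(wrappingMethod);
    }
    // Queries inside getters are never reported: every branch below is
    // conditional on !isGetter, so we can leave early.
    if (isGetter) {
        return;
    }

    // Result stored in a freshly declared local: validate "DefiningClass:Type".
    final ASTVariableDeclaration variableDecl = node.getFirstParentOfType(ASTVariableDeclaration.class);
    if (variableDecl != null) {
        final String simpleType = getSimpleType(variableDecl.getNode().getLocalInfo().getType().getApexName());
        final String typeCheck = variableDecl.getNode().getDefiningType().getApexName() + ":" + simpleType;
        validateAccessibilityForTypes(node, data, typesFromSOQL, typeCheck);
    }

    // Result assigned to an existing variable whose type was recorded earlier.
    final ASTAssignmentExpression assignment = node.getFirstParentOfType(ASTAssignmentExpression.class);
    if (assignment != null) {
        final ASTVariableExpression variable = assignment.getFirstChildOfType(ASTVariableExpression.class);
        if (variable != null) {
            final String variableWithClass = Helper.getFQVariableName(variable);
            if (varToTypeMapping.containsKey(variableWithClass)) {
                validateAccessibilityForTypes(node, data, typesFromSOQL, varToTypeMapping.get(variableWithClass));
            }
        }
    }

    // Result returned directly: validate against the wrapping method's return type.
    final ASTReturnStatement returnStatement = node.getFirstParentOfType(ASTReturnStatement.class);
    if (returnStatement != null) {
        validateAccessibilityForTypes(node, data, typesFromSOQL, returnType);
    }
}

/**
 * Runs the accessibility check once per object type resolved from the SOQL
 * query, or once against {@code fallbackType} when the query yielded none.
 *
 * @param node          the SOQL expression being validated
 * @param data          the rule context
 * @param typesFromSOQL object types resolved from the query text (may be empty)
 * @param fallbackType  type to validate when {@code typesFromSOQL} is empty;
 *                      handed through unchanged, so it may be {@code null}
 */
private void validateAccessibilityForTypes(final ASTSoqlExpression node, final Object data,
        final Set<String> typesFromSOQL, final String fallbackType) {
    if (typesFromSOQL.isEmpty()) {
        validateCRUDCheckPresent(node, data, ANY, fallbackType);
        return;
    }
    for (String typeFromSOQL : typesFromSOQL) {
        validateCRUDCheckPresent(node, data, ANY, typeFromSOQL);
    }
}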
Class ApexCRUDViolationRule, method checkForCRUD.
/**
 * Checks that a DML statement is preceded by the matching CRUD check for the
 * object type it operates on.
 *
 * <p>Code inside a test method or test class is exempt. The object type is
 * taken from an inline {@code new SObject(...)} expression when present, and
 * from the recorded type of the variable operand ({@code DefiningClass:Type})
 * when the statement works on a variable whose type is known.
 *
 * @param node       the DML statement node
 * @param data       the rule context handed through to
 *                   {@code validateCRUDCheckPresent}
 * @param crudMethod the CRUD permission the statement requires
 */
private void checkForCRUD(final AbstractApexNode<?> node, final Object data, final String crudMethod) {
    // Make every earlier CRUD/FLS check in this method visible to the validation.
    for (ASTMethodCallExpression earlierCall : getPreviousMethodCalls(node)) {
        collectCRUDMethodLevelChecks(earlierCall);
    }

    final ASTMethod enclosingMethod = node.getFirstParentOfType(ASTMethod.class);
    final ASTUserClass enclosingClass = node.getFirstParentOfType(ASTUserClass.class);
    final boolean inTestClass = enclosingClass != null && Helper.isTestMethodOrClass(enclosingClass);
    if (inTestClass || enclosingMethod != null && Helper.isTestMethodOrClass(enclosingMethod)) {
        return;
    }

    // Inline object construction: the type is the constructed SObject.
    final ASTNewKeyValueObjectExpression newObject = node.getFirstChildOfType(ASTNewKeyValueObjectExpression.class);
    if (newObject != null) {
        validateCRUDCheckPresent(node, data, crudMethod, Helper.getFQVariableName(newObject));
    }

    // Variable operand: use the type recorded for it, if any.
    final ASTVariableExpression variableExpr = node.getFirstChildOfType(ASTVariableExpression.class);
    if (variableExpr != null) {
        final String recordedType = varToTypeMapping.get(Helper.getFQVariableName(variableExpr));
        if (recordedType != null) {
            final String qualifiedType = node.getNode().getDefiningType().getApexName() + ":" + recordedType;
            validateCRUDCheckPresent(node, data, crudMethod, qualifiedType);
        }
    }
}
Class ApexCRUDViolationRule, method recursivelyEvaluateCRUDMethodCalls.
/**
 * Walks the statements of a block, in order, collecting method calls that
 * appear before {@code self} and descending into the blocks of if/else
 * statements on the way.
 *
 * <p>The walk stops at the first statement whose first descendant of
 * {@code self}'s type is {@code self} itself. Only the first method call
 * found in each statement is handed to {@code mapCallToMethodDecl}.
 *
 * @param self             the node whose preceding calls are collected
 * @param innerMethodCalls accumulator for the calls found
 * @param blockStatement   the block to walk; {@code null} is a no-op
 */
private void recursivelyEvaluateCRUDMethodCalls(final AbstractApexNode<?> self, final Set<ASTMethodCallExpression> innerMethodCalls, final ASTBlockStatement blockStatement) {
    if (blockStatement == null) {
        return;
    }
    final int statementCount = blockStatement.jjtGetNumChildren();
    for (int idx = 0; idx < statementCount; idx++) {
        final Node statement = blockStatement.jjtGetChild(idx);

        // Branch bodies of an if/else are searched before the statement itself.
        if (statement instanceof ASTIfElseBlockStatement) {
            for (ASTBlockStatement branchBlock : statement.findDescendantsOfType(ASTBlockStatement.class)) {
                recursivelyEvaluateCRUDMethodCalls(self, innerMethodCalls, branchBlock);
            }
        }

        // Reached the statement holding the node under review: nothing after it counts.
        final AbstractApexNode<?> candidate = statement.getFirstDescendantOfType(self.getClass());
        if (Objects.equal(candidate, self)) {
            break;
        }

        final ASTMethodCallExpression firstCall = statement.getFirstDescendantOfType(ASTMethodCallExpression.class);
        if (firstCall != null) {
            mapCallToMethodDecl(self, innerMethodCalls, Arrays.asList(firstCall));
        }
    }
}
Class ApexCRUDViolationRule, method collectCRUDMethodLevelChecks.
/**
 * Records a CRUD/FLS permission check expressed by a method call so that later
 * DML statements and queries can be matched against it.
 *
 * <p>Three shapes are recognised: a call whose reference carries object/field
 * names (handled by {@code extractObjectAndFields}); an ESAPI
 * {@code isAuthorizedTo*} call; and a check chained on a nested
 * {@code SObjectType.getDescribe()} call, whose resolved type and method name
 * are stored in {@code typeToDMLOperationMapping}. Calls without a reference
 * expression are ignored.
 *
 * @param node the method call to inspect
 */
private void collectCRUDMethodLevelChecks(final ASTMethodCallExpression node) {
    final String methodName = node.getNode().getMethodName();
    final ASTReferenceExpression reference = node.getFirstChildOfType(ASTReferenceExpression.class);
    if (reference == null) {
        return;
    }

    final List<Identifier> referenceNames = reference.getNode().getNames();
    if (!referenceNames.isEmpty()) {
        // The reference names identify what is being checked (presumably the
        // object and field names).
        extractObjectAndFields(referenceNames, methodName, node.getNode().getDefiningType().getApexName());
        return;
    }

    collectESAPIAuthorizationChecks(node);

    // Check chained on a nested "...SObjectType.getDescribe()" call.
    final ASTMethodCallExpression nestedCall = reference.getFirstChildOfType(ASTMethodCallExpression.class);
    if (nestedCall != null && isLastMethodName(nestedCall, S_OBJECT_TYPE, GET_DESCRIBE)) {
        final String resolvedType = getType(nestedCall);
        // NOTE(review): assumes get() never returns null for an unknown type
        // (e.g. a multimap returning an empty collection) — confirm.
        if (!typeToDMLOperationMapping.get(resolvedType).contains(methodName)) {
            typeToDMLOperationMapping.put(resolvedType, methodName);
        }
    }
}

/**
 * Records the object type of an ESAPI {@code isAuthorizedTo*} call, mapping
 * each ESAPI method to the corresponding describe-level permission.
 *
 * @param node the method call to inspect; calls that are not an ESAPI
 *             authorization chain are ignored
 */
private void collectESAPIAuthorizationChecks(final ASTMethodCallExpression node) {
    if (Helper.isMethodCallChain(node, ESAPI_ISAUTHORIZED_TO_VIEW)) {
        extractObjectTypeFromESAPI(node, IS_ACCESSIBLE);
    }
    if (Helper.isMethodCallChain(node, ESAPI_ISAUTHORIZED_TO_CREATE)) {
        extractObjectTypeFromESAPI(node, IS_CREATEABLE);
    }
    if (Helper.isMethodCallChain(node, ESAPI_ISAUTHORIZED_TO_UPDATE)) {
        extractObjectTypeFromESAPI(node, IS_UPDATEABLE);
    }
    if (Helper.isMethodCallChain(node, ESAPI_ISAUTHORIZED_TO_DELETE)) {
        extractObjectTypeFromESAPI(node, IS_DELETABLE);
    }
}
Class ApexSOQLInjectionRule, method visit.
/**
 * Analyses one Apex class for SOQL injection: collects the variables known to
 * be safe (parameters flagged in method signatures, values sanitised with
 * {@code String.escapeSingleQuotes(...)}) and the variables holding a SELECT
 * string, then reports every {@code Database.query(...)} call whose string or
 * variable arguments are not covered by that knowledge.
 *
 * <p>Test classes and system-level classes are skipped entirely. The
 * per-class state ({@code safeVariables}, {@code selectContainingVariables})
 * is cleared before returning so that it does not leak into the next class.
 *
 * @param node the class being analysed
 * @param data the rule context; returned unchanged
 * @return {@code data}
 */
@Override
public Object visit(ASTUserClass node, Object data) {
    // Stops all further checks for test and system-level classes.
    if (Helper.isTestMethodOrClass(node) || Helper.isSystemLevelClass(node)) {
        return data;
    }

    // Parameters declared safe in method signatures.
    for (ASTMethod method : node.findDescendantsOfType(ASTMethod.class)) {
        findSafeVariablesInSignature(method);
    }

    // Fields, locals and assignments: record which ones are sanitised
    // (e.g. String foo = String.escapeSingleQuotes(...);) and which ones
    // carry a SELECT string.
    for (ASTFieldDeclaration field : node.findDescendantsOfType(ASTFieldDeclaration.class)) {
        findSanitizedVariables(field);
        findSelectContainingVariables(field);
    }
    for (ASTVariableDeclaration local : node.findDescendantsOfType(ASTVariableDeclaration.class)) {
        findSanitizedVariables(local);
        findSelectContainingVariables(local);
    }
    for (ASTAssignmentExpression assignment : node.findDescendantsOfType(ASTAssignmentExpression.class)) {
        findSanitizedVariables(assignment);
        findSelectContainingVariables(assignment);
    }

    // Database.query(...) calls outside test code are the injection sinks.
    // NOTE(review): isTestMethodOrClass is applied to the call node here;
    // presumably it looks at the enclosing method/class — confirm.
    for (ASTMethodCallExpression call : node.findDescendantsOfType(ASTMethodCallExpression.class)) {
        if (!Helper.isTestMethodOrClass(call) && Helper.isMethodName(call, DATABASE, QUERY)) {
            reportStrings(call, data);
            reportVariables(call, data);
        }
    }

    // Reset per-class state.
    safeVariables.clear();
    selectContainingVariables.clear();
    return data;
}