
Example 11 with ASTMethodCallExpression

use of net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression in project pmd by pmd.

the class ApexDangerousMethodsRule method visit.

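/**
 * Checks one class for method calls this rule treats as dangerous.
 *
 * <p>Test classes and test methods are skipped. Otherwise the benign
 * (whitelisted) variables of the class are collected first, then every method
 * call in the class is examined: a call matching
 * {@code CONFIGURATION}/{@code DISABLE_CRUD} is reported directly, and a call
 * matching {@code SYSTEM}/{@code DEBUG} is handed to
 * {@link #validateParameters} so its arguments can be checked against the
 * whitelist.
 *
 * @param node the class being visited
 * @param data the rule context passed through by the visitor
 * @return {@code data}, unchanged, as the visitor contract requires
 */
public Object visit(ASTUserClass node, Object data) {
    if (Helper.isTestMethodOrClass(node)) {
        return data;
    }
    collectBenignVariables(node);
    try {
        List<ASTMethodCallExpression> methodCalls = node.findDescendantsOfType(ASTMethodCallExpression.class);
        for (ASTMethodCallExpression methodCall : methodCalls) {
            if (Helper.isMethodName(methodCall, CONFIGURATION, DISABLE_CRUD)) {
                addViolation(data, methodCall);
            }
            if (Helper.isMethodName(methodCall, SYSTEM, DEBUG)) {
                validateParameters(methodCall, data);
            }
        }
    } finally {
        // whiteListedVariables is per-class scratch state on a rule instance that is
        // reused across files: reset it even if analysing this class fails, so stale
        // names cannot suppress violations in the next class visited.
        whiteListedVariables.clear();
    }
    return data;
}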

Example 12 with ASTMethodCallExpression

use of net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression in project pmd by pmd.

the class ApexSOQLInjectionRule method findSanitizedVariables.

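/**
 * Classifies the variable on the left-hand side of a declaration or
 * assignment as safe to concatenate into a SOQL query, or as holding a SELECT
 * literal.
 *
 * <p>Three shapes are recognised on {@code node}:
 * <ul>
 *   <li>{@code a = <literal>}: an {@code Integer}, {@code Boolean} or
 *       {@code Double} literal marks {@code a} safe; a string literal that
 *       matches {@code SELECT_PATTERN} records {@code a} in
 *       {@code selectContainingVariables}, any other string marks {@code a} safe.</li>
 *   <li>{@code a = String.escapeSingleQuotes(...)} (matched through
 *       {@code STRING}/{@code ESCAPE_SINGLE_QUOTES}): marks {@code a} safe.</li>
 *   <li>a declaration whose declared Apex type is one of the cases in the
 *       switch below: marks {@code a} safe regardless of its initialiser.</li>
 * </ul>
 *
 * <p>Only the first child of each AST type is inspected, so a node with several
 * variable, literal or call children is only partially analysed.
 *
 * @param node the variable declaration or assignment expression to inspect
 */
private void findSanitizedVariables(AbstractApexNode<?> node) {
    final ASTVariableExpression left = node.getFirstChildOfType(ASTVariableExpression.class);
    final ASTLiteralExpression literal = node.getFirstChildOfType(ASTLiteralExpression.class);
    final ASTMethodCallExpression right = node.getFirstChildOfType(ASTMethodCallExpression.class);

    // Without a left-hand variable there is nothing to classify. The original
    // declaration branch below dereferenced `left` unguarded; guard once here.
    if (left == null) {
        return;
    }
    final String name = Helper.getFQVariableName(left);

    // look for String a = 'b';  /  Integer a = 1;
    if (literal != null) {
        final Object value = literal.getNode().getLiteral();
        if (value instanceof Integer || value instanceof Boolean || value instanceof Double) {
            safeVariables.add(name);
        } else if (value instanceof String) {
            if (SELECT_PATTERN.matcher((String) value).matches()) {
                selectContainingVariables.put(name, Boolean.TRUE);
            } else {
                safeVariables.add(name);
            }
        }
    }

    // look for String a = String.escapeSingleQuotes(foo);
    if (right != null && Helper.isMethodName(right, STRING, ESCAPE_SINGLE_QUOTES)) {
        safeVariables.add(name);
    }

    // Declared with a type whose values cannot carry arbitrary query text.
    if (node instanceof ASTVariableDeclaration) {
        final VariableDeclaration declaration = (VariableDeclaration) node.getNode();
        switch (declaration.getLocalInfo().getType().getApexName().toLowerCase(Locale.ROOT)) {
            case INTEGER:
            case ID:
            case BOOLEAN:
            case DECIMAL:
            case LONG:
            case DOUBLE:
                safeVariables.add(name);
                break;
            default:
                break;
        }
    }
}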

Example 13 with ASTMethodCallExpression

use of net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression in project pmd by pmd.

the class ApexSOQLInjectionRule method recursivelyCheckForSelect.

/**
 * Walks a concatenation expression depth-first and classifies {@code var},
 * the variable that receives the concatenated value.
 *
 * <p>The nested binary child is processed first, then this node's own
 * operands: the first variable child counts as safe when it is already in
 * {@code safeVariables}, and the first method-call child counts as safe when
 * it matches {@code STRING}/{@code ESCAPE_SINGLE_QUOTES}. A string literal
 * matching {@code SELECT_PATTERN} then marks {@code var} safe if the operand
 * was safe, or records it in {@code selectContainingVariables} as unsafe
 * otherwise. When there is no literal at all, an unsafe operand records
 * {@code var} as unsafe too.
 *
 * <p>Only the first child of each type is consulted at every level.
 *
 * @param var  the variable receiving the concatenated value
 * @param node the binary expression being inspected
 */
private void recursivelyCheckForSelect(final ASTVariableExpression var, final ASTBinaryExpression node) {
    final ASTBinaryExpression nested = node.getFirstChildOfType(ASTBinaryExpression.class);
    if (nested != null) {
        recursivelyCheckForSelect(var, nested);
    }

    final ASTVariableExpression operand = node.getFirstChildOfType(ASTVariableExpression.class);
    final ASTMethodCallExpression call = node.getFirstChildOfType(ASTMethodCallExpression.class);
    final boolean viaSafeVariable = operand != null
            && safeVariables.contains(Helper.getFQVariableName(operand));
    final boolean viaEscaping = call != null
            && Helper.isMethodName(call, STRING, ESCAPE_SINGLE_QUOTES);
    final boolean operandIsSafe = viaSafeVariable || viaEscaping;

    final ASTLiteralExpression literal = node.getFirstChildOfType(ASTLiteralExpression.class);
    if (literal == null) {
        if (!operandIsSafe) {
            selectContainingVariables.put(Helper.getFQVariableName(var), Boolean.FALSE);
        }
        return;
    }

    final Object value = literal.getNode().getLiteral();
    if (!(value instanceof String) || !SELECT_PATTERN.matcher((String) value).matches()) {
        return;
    }
    if (operandIsSafe) {
        safeVariables.add(Helper.getFQVariableName(var));
    } else {
        // SELECT literal concatenated with an operand not known to be safe
        selectContainingVariables.put(Helper.getFQVariableName(var), Boolean.FALSE);
    }
}

Example 14 with ASTMethodCallExpression

use of net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression in project pmd by pmd.

the class ApexXSSFromURLParamRule method processEscapingMethodCalls.

/**
 * Reports a tracked URL parameter string that is passed to a method call that
 * does not escape it.
 *
 * <p>Nested calls are handled first (depth-first). Then the first variable
 * child of {@code methodNode} is checked: if its fully qualified name is in
 * {@code urlParameterStrings} and {@link #isEscapingMethod} does not accept
 * {@code methodNode}, a violation is raised at that variable. Only the first
 * variable child is inspected.
 *
 * @param methodNode the method call to inspect
 * @param data       the rule context used to report violations
 */
private void processEscapingMethodCalls(ASTMethodCallExpression methodNode, Object data) {
    final ASTMethodCallExpression inner = methodNode.getFirstChildOfType(ASTMethodCallExpression.class);
    if (inner != null) {
        processEscapingMethodCalls(inner, data);
    }

    final ASTVariableExpression argument = methodNode.getFirstChildOfType(ASTVariableExpression.class);
    if (argument == null) {
        return;
    }
    final boolean taintedArgument = urlParameterStrings.contains(Helper.getFQVariableName(argument));
    if (taintedArgument && !isEscapingMethod(methodNode)) {
        addViolation(data, argument);
    }
}

Example 15 with ASTMethodCallExpression

use of net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression in project pmd by pmd.

the class ApexXSSFromURLParamRule method visit.

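/**
 * Inspects a {@code return} statement for URL parameter data leaving the
 * method unescaped.
 *
 * <p>A concatenation child is delegated to {@link #processBinaryExpression};
 * a method-call child is delegated to {@link #processInlineMethodCalls} when
 * {@link #getReturnType} reports {@code "string"} for the statement; and every
 * variable child whose fully qualified name is in {@code urlParameterStrings}
 * is reported at that variable.
 *
 * @param node the return statement being visited
 * @param data the rule context used to report violations
 * @return {@code data}, unchanged
 */
@Override
public Object visit(ASTReturnStatement node, Object data) {
    final ASTBinaryExpression concatenation = node.getFirstChildOfType(ASTBinaryExpression.class);
    if (concatenation != null) {
        processBinaryExpression(concatenation, data);
    }

    final ASTMethodCallExpression call = node.getFirstChildOfType(ASTMethodCallExpression.class);
    if (call != null) {
        final String returnType = getReturnType(node);
        if ("string".equalsIgnoreCase(returnType)) {
            processInlineMethodCalls(call, data, true);
        }
    }

    final List<ASTVariableExpression> returned = node.findChildrenOfType(ASTVariableExpression.class);
    for (ASTVariableExpression varExpression : returned) {
        if (urlParameterStrings.contains(Helper.getFQVariableName(varExpression))) {
            // Report at the variable that matched. The previous code reported
            // returned.get(0) inside this loop, which points at the wrong node
            // whenever the statement has more than one variable child.
            addViolation(data, varExpression);
        }
    }
    return data;
}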
