Improving open redirect detection for strings prefixed with /

2017-01-04 13:33:06 -08:00
parent c9514e563a
commit 9c85a78884
2 changed files with 52 additions and 3 deletions
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java
@@ -64,15 +64,33 @@ public class ApexOpenRedirectRule extends AbstractApexRule {
    }

    private void findSafeLiterals(AbstractApexNode<?> node) {
+        ASTBinaryExpression binaryExp = node.getFirstChildOfType(ASTBinaryExpression.class);
+        if (binaryExp != null) {
+            findSafeLiterals(binaryExp);
+        }
+
        ASTLiteralExpression literal = node.getFirstChildOfType(ASTLiteralExpression.class);
        if (literal != null) {
-            ASTVariableExpression variable = node.getFirstChildOfType(ASTVariableExpression.class);
-            if (variable != null) {
-                listOfStringLiteralVariables.add(Helper.getFQVariableName(variable));
+            int index = literal.jjtGetChildIndex();
+            if (index == 0) {
+                if (node instanceof ASTVariableDeclaration) {
+                    addVariable(node);
+                } else {
+                    ASTVariableDeclaration parent = node.getFirstParentOfType(ASTVariableDeclaration.class);
+                    addVariable(parent);
+
+                }
            }
        }
    }

+    private void addVariable(AbstractApexNode<?> node) {
+        ASTVariableExpression variable = node.getFirstChildOfType(ASTVariableExpression.class);
+        if (variable != null) {
+            listOfStringLiteralVariables.add(Helper.getFQVariableName(variable));
+        }
+    }
+
    /**
     * Traverses all new declarations to find PageReferences
     * 
--- a/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexOpenRedirect.xml
+++ b/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexOpenRedirect.xml
@@ -136,8 +136,39 @@ public class Foo {
 	static PageReference redirect() {
 	    return pr;
 	}
+}
+		]]></code>
+	</test-code> 
+	
+	<test-code>
+		<description>Unsafe pageReference object</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo {
+
+	static PageReference redirect(String otherStuff) {
+		String test1 = otherStuff + '/';
+    	PageReference pr = new PageReference(test1);
+	    return pr;
+	}
 }
 		]]></code>
 	</test-code>
 	
+	<test-code>
+		<description>Safe pageReference object</description>
+		<expected-problems>0</expected-problems>
+		<code><![CDATA[
+public class Foo {
+
+	static PageReference redirect(String otherStuff) {
+		String test1 = '/' + otherStuff;
+    	PageReference pr = new PageReference(test1);
+	    return pr;
+	}
+}
+		]]></code>
+	</test-code>
+
+	
 </test-data>