From ba1222083d669b73defdb0a0ec1709dc1194e3f5 Mon Sep 17 00:00:00 2001
From: Sergey <sergey.gorbaty@salesforce.com>
Date: Wed, 30 Nov 2016 16:11:19 -0800
Subject: [PATCH] Adding detection nested binary expressions

---
 .../security/ApexXSSFromURLParamRule.java     |  5 ++
 .../rule/security/xml/ApexXSSFromURLParam.xml | 68 ++++++++++++-------
 2 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java
index de46e70bf5..f4102789b6 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java
@@ -209,6 +209,11 @@ public class ApexXSSFromURLParamRule extends AbstractApexRule {
 	}
 
 	private void processBinaryExpression(AbstractApexNode<?> node, Object data) {
+		ASTBinaryExpression nestedBinaryExpression = node.getFirstChildOfType(ASTBinaryExpression.class);
+		if (nestedBinaryExpression != null) {
+			processBinaryExpression(nestedBinaryExpression, data);
+		}
+		
 		ASTMethodCallExpression methodCallAssignment = node.getFirstChildOfType(ASTMethodCallExpression.class);
 		if (methodCallAssignment != null) {
 			processInlineMethodCalls(methodCallAssignment, data, true);
diff --git a/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexXSSFromURLParam.xml b/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexXSSFromURLParam.xml
index 5328e63bec..aa38686fb1 100644
--- a/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexXSSFromURLParam.xml
+++ b/pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexXSSFromURLParam.xml
@@ -13,8 +13,8 @@ public class Foo {
 }
 		]]></code>
 	</test-code>
-	
-		<test-code>
+
+	<test-code>
 		<description>URL parameter in return statement concatenation</description>
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
@@ -27,7 +27,8 @@ public class Foo {
 	</test-code>
 
 	<test-code>
-		<description>URL parameter used without being escaped in return statement</description>
+		<description>URL parameter used without being escaped in return
+			statement</description>
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
 public class Foo {
@@ -40,7 +41,8 @@ public class Foo {
 	</test-code>
 
 	<test-code>
-		<description>URL parameter used without being escaped in return statement concatenation</description>
+		<description>URL parameter used without being escaped in return
+			statement concatenation</description>
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
 public class Foo {
@@ -52,7 +54,21 @@ public class Foo {
 		]]></code>
 	</test-code>
 
-	  <test-code>
+	<test-code>
+		<description>URL parameter used without being escaped in return
+			statement concatenation 2</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo {
+	public String test1() {
+		String bas = ApexPages.currentPage().getParameters().get('foo');
+		return 'text' + bas + 'ttt';
+	}		
+}
+		]]></code>
+	</test-code>
+
+	<test-code>
 		<description>URL parameter used without being escaped 1</description>
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
@@ -166,9 +182,9 @@ public class Foo {
 	}		
 }
 		]]></code>
-	</test-code> 
-	
-	 <test-code>
+	</test-code>
+
+	<test-code>
 		<description>URL parameter passed to a function</description>
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
@@ -178,8 +194,8 @@ public class Foo {
 	}		
 }
 		]]></code>
-	</test-code> 
-	
+	</test-code>
+
 	<test-code>
 		<description>Safe URL parameter passed to a function</description>
 		<expected-problems>0</expected-problems>
@@ -190,10 +206,11 @@ public class Foo {
 	}		
 }
 		]]></code>
-	</test-code> 
-	
+	</test-code>
+
 	<test-code>
-		<description>URL parameter passed to a function with variable declaration</description>
+		<description>URL parameter passed to a function with variable
+			declaration</description>
 		<expected-problems>1</expected-problems>
 		<code><![CDATA[
 public class Foo {
@@ -203,9 +220,10 @@ public class Foo {
 }
 		]]></code>
 	</test-code>
-	
+
 	<test-code>
-		<description>Safe URL parameter passed to a function with variable declaration</description>
+		<description>Safe URL parameter passed to a function with variable
+			declaration</description>
 		<expected-problems>0</expected-problems>
 		<code><![CDATA[
 public class Foo {
@@ -214,9 +232,9 @@ public class Foo {
 	}		
 }
 		]]></code>
-	</test-code> 
-	
-	 <test-code>
+	</test-code>
+
+	<test-code>
 		<description>URL parameter concatenated with variable
 		</description>
 		<expected-problems>1</expected-problems>
@@ -227,8 +245,8 @@ public class Foo {
 	}		
 }
 		]]></code>
-	</test-code> 
-	
+	</test-code>
+
 	<test-code>
 		<description>Safe URL parameter concatenated with variable
 		</description>
@@ -240,8 +258,8 @@ public class Foo {
 	}		
 }
 		]]></code>
-	</test-code> 
-	
+	</test-code>
+
 	<test-code>
 		<description>URL parameter type casting is a safety check</description>
 		<expected-problems>0</expected-problems>
@@ -255,7 +273,7 @@ public class Foo {
 }
 		]]></code>
 	</test-code>
-	
+
 	<test-code>
 		<description>URL parameter method passing</description>
 		<expected-problems>1</expected-problems>
@@ -268,8 +286,8 @@ public class Foo {
 	}		
 }
 		]]></code>
-		
-		
+
+
 	</test-code>
 
 </test-data>