diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java
index e0c0579ce0..6512dd7203 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexBadCryptoRule.java
@@ -67,9 +67,9 @@ public class ApexBadCryptoRule extends AbstractApexRule {
 ASTMethodCallExpression methodCall = var.getFirstChildOfType(ASTMethodCallExpression.class);
 if (methodCall != null && Helper.isMethodName(methodCall, BLOB, VALUE_OF)) {
 ASTVariableExpression variable = var.getFirstChildOfType(ASTVariableExpression.class);
- StringBuilder sb = new StringBuilder().append(variable.getNode().getDefiningType()).append(":")
- .append(variable.getNode().getIdentifier().value);
- potentiallyStaticBlob.add(sb.toString());
+ if (variable != null) {
+ potentiallyStaticBlob.add(Helper.getFQVariableName(variable));
+ }
 }
 }
@@ -98,12 +98,9 @@ public class ApexBadCryptoRule extends AbstractApexRule {
 private void reportIfHardCoded(Object data, Object potentialIV) {
 if (potentialIV instanceof ASTVariableExpression) {
 ASTVariableExpression variable = (ASTVariableExpression) potentialIV;
- StringBuilder sb = new StringBuilder().append(variable.getNode().getDefiningType()).append(":")
- .append(variable.getNode().getIdentifier().value);
- if (potentiallyStaticBlob.contains(sb.toString())) {
+ if (potentiallyStaticBlob.contains(Helper.getFQVariableName(variable))) {
 addViolation(data, variable);
 }
 }
 }
-
 }
diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java
index 0cf19d8985..e1860ad082 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java
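Review bot: `reportIfHardCoded` in the second hunk has no comment saying what membership in `potentiallyStaticBlob` means, and now that the key construction is hidden behind `Helper.getFQVariableName` that context is easy to lose; a short Javadoc would help: `/** Reports {@code potentialIV} when it is a variable earlier recorded in {@code potentiallyStaticBlob}, i.e. one assigned from a {@code Blob.valueOf(...)} call. */`. Both hunks in this file now produce and consume the key through the same helper, so the stored and looked-up formats agree. Note that the removed lines here keyed on `getDefiningType()` directly while the removed lines in the SOQL rule used `getDefiningType().getApexName()`, so the helper's choice of format is what keeps the rules consistent; the helper itself is outside this chunk and deserves a one-line comment stating that format.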
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java
@@ -145,17 +145,17 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
 checkForCRUD(node, data, IS_MERGEABLE);
 return data;
 }
-
+
 @Override
 public Object visit(final ASTAssignmentExpression node, Object data) {
 final ASTSoqlExpression soql = node.getFirstChildOfType(ASTSoqlExpression.class);
 if (soql != null) {
 checkForAccessibility(soql, data);
 }
-
+
 return data;
 }
-
+
 @Override
 public Object visit(final ASTVariableDeclaration node, Object data) {
 final ASTSoqlExpression soql = node.getFirstChildOfType(ASTSoqlExpression.class);
@@ -250,10 +250,7 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
 final ASTVariableExpression variable = node.getFirstChildOfType(ASTVariableExpression.class);
 if (variable != null) {
- StringBuilder sb = new StringBuilder().append(node.getNode().getDefiningType().getApexName()).append(":")
- .append(variable.getNode().getIdentifier().value);
-
- final String type = varToTypeMapping.get(sb.toString());
+ final String type = varToTypeMapping.get(Helper.getFQVariableName(variable));
 if (type != null) {
 StringBuilder typeCheck = new StringBuilder().append(node.getNode().getDefiningType()).append(":")
 .append(type);
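Review bot: `typeCheck`, two lines below the new `Helper.getFQVariableName(variable)` call in the `@@ -250` hunk, still hand-builds a `<type>:<name>` key from `node.getNode().getDefiningType()` (its `toString`), whereas the removed line in the same hunk qualified with `getDefiningType().getApexName()`; if the helper uses `getApexName()` as the removed code did, this method now mixes two key formats. Whether that matters depends on what `typeCheck` is compared against, which is outside the hunk, but it is worth either routing it through a second shared helper or adding a comment such as `// typeCheck intentionally uses the TypeInfo toString, not the Apex name used by getFQVariableName` if the difference is deliberate. The helper also takes the defining type from `variable` rather than from `node` as before; presumably identical, but worth confirming. The enclosing method starts and ends outside this hunk.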
@@ -344,18 +341,14 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
 final ASTAssignmentExpression assignment = node.getFirstParentOfType(ASTAssignmentExpression.class);
 if (assignment != null) {
 final ASTVariableExpression variable = assignment.getFirstChildOfType(ASTVariableExpression.class);
-
- StringBuilder variableWithClass = new StringBuilder()
- .append(variable.getNode().getDefiningType().getApexName()).append(":")
- .append(variable.getNode().getIdentifier().value);
-
- if (varToTypeMapping.containsKey(variableWithClass.toString())) {
- String type = varToTypeMapping.get(variableWithClass.toString());
-
- validateCRUDCheckPresent(node, data, ANY, type);
-
+ if (variable != null) {
+ String variableWithClass = Helper.getFQVariableName(variable);
+ if (varToTypeMapping.containsKey(variableWithClass)) {
+ String type = varToTypeMapping.get(variableWithClass);
+ validateCRUDCheckPresent(node, data, ANY, type);
+ }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java
index 46989096cb..fb075bc77d 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexInsecureEndpointRule.java
@@ -58,7 +58,6 @@ public class ApexInsecureEndpointRule extends AbstractApexRule {
 ASTBinaryExpression binaryNode = node.getFirstChildOfType(ASTBinaryExpression.class);
 if (binaryNode != null) {
-
 findInnerInsecureEndpoints(binaryNode, variableNode);
 }
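Review bot: the new `containsKey`/`get` pair in the `@@ -344` hunk does two hash lookups on `varToTypeMapping`, while the `@@ -250` hunk in this same file already uses the single-lookup form for the same map; for consistency, `String type = varToTypeMapping.get(variableWithClass); if (type != null) { validateCRUDCheckPresent(node, data, ANY, type); }`. That is behaviour-preserving as long as the map never stores a null value, which the `@@ -250` code already assumes. The added `variable != null` guard closes a genuine NPE path the removed code had when the assignment carried no variable child. The enclosing method starts outside this hunk.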
@@ -66,16 +65,13 @@ public class ApexInsecureEndpointRule extends AbstractApexRule {
 private void findInnerInsecureEndpoints(AbstractApexNode node, ASTVariableExpression variableNode) {
 ASTLiteralExpression literalNode = node.getFirstChildOfType(ASTLiteralExpression.class);
-
+
 if (literalNode != null && variableNode != null) {
 Object o = literalNode.getNode().getLiteral();
 if (o instanceof String) {
 String literal = (String) o;
 if (PATTERN.matcher(literal).matches()) {
- VariableExpression varExpression = variableNode.getNode();
- StringBuilder sb = new StringBuilder().append(varExpression.getDefiningType()).append(":")
- .append(varExpression.getIdentifier().value);
- httpEndpointStrings.add(sb.toString());
+ httpEndpointStrings.add(Helper.getFQVariableName(variableNode));
 }
 }
 }
@@ -115,14 +111,10 @@ public class ApexInsecureEndpointRule extends AbstractApexRule {
 ASTVariableExpression variableNode = node.getFirstChildOfType(ASTVariableExpression.class);
 if (variableNode != null) {
- VariableExpression varExpression = variableNode.getNode();
- StringBuffer sb = new StringBuffer().append(varExpression.getDefiningType()).append(":")
- .append(varExpression.getIdentifier().value);
- if (httpEndpointStrings.contains(sb.toString())) {
+ if (httpEndpointStrings.contains(Helper.getFQVariableName(variableNode))) {
 addViolation(data, variableNode);
 }
 }
 }
-
 }
diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java
index d948b855dd..1328d5a31b 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexOpenRedirectRule.java
@@ -49,9 +49,7 @@ public class ApexOpenRedirectRule extends AbstractApexRule {
 if (literal != null) {
 ASTVariableExpression variable = node.getFirstChildOfType(ASTVariableExpression.class);
 if (variable != null) {
- StringBuilder sb = new StringBuilder().append(variable.getNode().getDefiningType()).append(":")
- .append(variable.getNode().getIdentifier().value);
- listOfStringLiteralVariables.add(sb.toString());
+ listOfStringLiteralVariables.add(Helper.getFQVariableName(variable));
 }
 }
 }
diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java
index 92b73274fe..c5729e85f6 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexSOQLInjectionRule.java
@@ -89,15 +89,12 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
 // look for String a = 'b';
 if (literal != null) {
 if (left != null) {
- final VariableExpression l = left.getNode();
- StringBuilder sb = new StringBuilder().append(l.getDefiningType()).append(":")
- .append(l.getIdentifier().value);
 Object o = literal.getNode().getLiteral();
 if (o instanceof String) {
 if (pattern.matcher((String) o).matches()) {
- selectContainingVariables.put(sb.toString(), Boolean.TRUE);
+ selectContainingVariables.put(Helper.getFQVariableName(left), Boolean.TRUE);
 } else {
- safeVariables.add(sb.toString());
+ safeVariables.add(Helper.getFQVariableName(left));
 }
 }
 }
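Review bot: the key `Helper.getFQVariableName(left)` now feeds both `safeVariables` and `selectContainingVariables` in the `@@ -89` hunk, and judging by the removed lines it is `<defining type>:<identifier>`, i.e. qualified by class rather than by method or block. Two same-named locals in different methods of one class therefore share a single entry, so a safe literal assignment in one method can suppress the report for a concatenated variable of the same name elsewhere in the class, a false-negative path for this injection check, and a select-containing assignment can produce the reverse. This is pre-existing rather than introduced by the refactor, but the helper is now the one place where that scoping decision lives; a call-site comment such as `// key is class-scoped (type:name); same-named locals in different methods collide` would make the limitation visible to whoever tightens it later. The helper body is outside this chunk, so the exact format is inferred from the removed lines, and the enclosing method starts outside the hunk.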
@@ -107,10 +104,7 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
 if (right != null) {
 if (Helper.isMethodName(right, STRING, ESCAPE_SINGLE_QUOTES)) {
 if (left != null) {
- final VariableExpression var = left.getNode();
- StringBuilder sb = new StringBuilder().append(var.getDefiningType().getApexName()).append(":")
- .append(var.getIdentifier().value);
- safeVariables.add(sb.toString());
+ safeVariables.add(Helper.getFQVariableName(left));
 }
 }
 }
@@ -134,9 +128,7 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
 boolean isSafeVariable = false;
 if (concatenatedVar != null) {
- StringBuilder sb = new StringBuilder().append(concatenatedVar.getNode().getDefiningType().getApexName())
- .append(":").append(concatenatedVar.getNode().getIdentifier().value);
- if (safeVariables.contains(sb.toString())) {
+ if (safeVariables.contains(Helper.getFQVariableName(concatenatedVar))) {
 isSafeVariable = true;
 }
 }
@@ -147,11 +139,9 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
 Object o = literal.getNode().getLiteral();
 if (o instanceof String) {
 if (pattern.matcher((String) o).matches()) {
- StringBuilder sb = new StringBuilder().append(var.getNode().getDefiningType().getApexName())
- .append(":").append(var.getNode().getIdentifier().value);
 if (!isSafeVariable) {
 // select literal + other unsafe vars
- selectContainingVariables.put(sb.toString(), Boolean.FALSE);
+ selectContainingVariables.put(Helper.getFQVariableName(var), Boolean.FALSE);
 }
 }
 }
@@ -163,18 +153,16 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
 for (ASTBinaryExpression b : binaryExpr) {
 List vars = b.findDescendantsOfType(ASTVariableExpression.class);
 for (ASTVariableExpression v : vars) {
- final VariableExpression var = v.getNode();
- StringBuilder sb = new StringBuilder().append(var.getDefiningType().getApexName()).append(":")
- .append(var.getIdentifier().value);
+ String fqName = Helper.getFQVariableName(v);
- if (selectContainingVariables.containsKey(sb.toString())) {
- boolean isLiteral = selectContainingVariables.get(sb.toString());
+ if (selectContainingVariables.containsKey(fqName)) {
+ boolean isLiteral = selectContainingVariables.get(fqName);
 if (isLiteral) {
 continue;
 }
 }
- if (safeVariables.contains(sb.toString())) {
+ if (safeVariables.contains(fqName)) {
 continue;
 }
@@ -192,15 +180,13 @@ public class ApexSOQLInjectionRule extends AbstractApexRule {
 private void reportVariables(final ASTMethodCallExpression m, Object data) {
 final ASTVariableExpression var = m.getFirstChildOfType(ASTVariableExpression.class);
 if (var != null) {
- StringBuilder sb = new StringBuilder().append(var.getNode().getDefiningType().getApexName()).append(":")
- .append(var.getNode().getIdentifier().value);
- if (selectContainingVariables.containsKey(sb.toString())) {
- boolean isLiteral = selectContainingVariables.get(sb.toString());
+ String nameFQ = Helper.getFQVariableName(var);
+ if (selectContainingVariables.containsKey(nameFQ)) {
+ boolean isLiteral = selectContainingVariables.get(nameFQ);
 if (!isLiteral) {
 addViolation(data, var);
 }
 }
 }
 }
-
 }
diff --git a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java
index 9e0ea5edb2..7abdca58da 100644
--- a/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java
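Review bot: `boolean isLiteral = selectContainingVariables.get(fqName);` in the `@@ -163` hunk does a second hash lookup right after `containsKey` and auto-unboxes the result, so a null value in the map would throw; the two call sites that populate it in this commit only store `Boolean.TRUE`/`Boolean.FALSE`, so it is safe today, but a single null-tolerant lookup is both shorter and sturdier: `Boolean isLiteral = selectContainingVariables.get(fqName); if (Boolean.TRUE.equals(isLiteral)) { continue; }`. The same pattern appears in `reportVariables` in the next hunk, where the equivalent is `if (Boolean.FALSE.equals(isLiteral)) { addViolation(data, var); }`. The two hunks also name the same value differently (`fqName` versus `nameFQ`); pick one. The method enclosing the first hunk starts and ends outside it.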
+++ b/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromEscapeFalseRule.java
@@ -25,10 +25,10 @@ public class ApexXSSFromEscapeFalseRule extends AbstractApexRule {
 @Override
 public Object visit(ASTUserClass node, Object data) {
- if (Helper.isTestMethodOrClass(node)){
+ if (Helper.isTestMethodOrClass(node)) {
 return data;
 }
-
+
 List methodCalls = node.findDescendantsOfType(ASTMethodCallExpression.class);
 for (ASTMethodCallExpression methodCall : methodCalls) {
 if (Helper.isMethodName(methodCall, ADD_ERROR)) {