Added tests for read/queries. Changed to use set-based multimaps as duplicate entries aren't useful.

Scott Wells 2021-10-21 15:54:39 -05:00
parent 4e1c17e297
commit 57626f44d2
2 changed files with 44 additions and 8 deletions


@ -55,8 +55,7 @@ import net.sourceforge.pmd.lang.ast.Node;
import net.sourceforge.pmd.properties.PropertyDescriptor;
import com.google.common.base.Objects;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ListMultimap;
import com.google.common.collect.HashMultimap;
import org.apache.commons.lang3.StringUtils;
/**
@ -132,9 +131,9 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
};
private Map<String, String> varToTypeMapping;
private ListMultimap<String, String> typeToDMLOperationMapping;
private HashMultimap<String, String> typeToDMLOperationMapping;
private Map<String, String> checkedTypeToDMLOperationViaESAPI;
private ListMultimap<String, String> checkedTypeToDMLOperationsViaAuthPattern;
private HashMultimap<String, String> checkedTypeToDMLOperationsViaAuthPattern;
private Map<String, ASTMethod> classMethods;
private String className;
@ -157,9 +156,9 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
// At the start of each rule execution, these member variables need to be fresh. So they're initialized in the
// .start() method instead of the constructor, since .start() is called before every execution.
varToTypeMapping = new HashMap<>();
typeToDMLOperationMapping = ArrayListMultimap.create();
typeToDMLOperationMapping = HashMultimap.create();
checkedTypeToDMLOperationViaESAPI = new HashMap<>();
checkedTypeToDMLOperationsViaAuthPattern = ArrayListMultimap.create();
checkedTypeToDMLOperationsViaAuthPattern = HashMultimap.create();
classMethods = new WeakHashMap<>();
className = null;
super.start(ctx);
@ -637,7 +636,7 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
} else {
boolean properChecksHappened = false;
List<String> dmlOperationsChecked = typeToDMLOperationMapping.get(typeCheck);
Set<String> dmlOperationsChecked = typeToDMLOperationMapping.get(typeCheck);
for (String dmlOp : dmlOperationsChecked) {
if (dmlOp.equalsIgnoreCase(crudMethod)) {
properChecksHappened = true;
@ -866,7 +865,7 @@ public class ApexCRUDViolationRule extends AbstractApexRule {
return true;
}
final List<String> dmlOperationsChecked = checkedTypeToDMLOperationsViaAuthPattern.get(typeToCheck);
final Set<String> dmlOperationsChecked = checkedTypeToDMLOperationsViaAuthPattern.get(typeToCheck);
return dmlOperationsChecked.contains(dmlOperation);
}
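Review bot: In the last hunk, `dmlOperationsChecked.contains(dmlOperation)` is a case-sensitive lookup, while the loop in the hunk at old line 637 matches with `dmlOp.equalsIgnoreCase(crudMethod)`. Unless values are case-normalised when they are put into `checkedTypeToDMLOperationsViaAuthPattern` (not visible here), an authorization check recorded in a different case would not be recognised, and the rule would report a CRUD violation on code that is in fact guarded. Either normalise the case on insert and on lookup, or use the same comparison as the other path, e.g. `return dmlOperationsChecked.stream().anyMatch(dmlOperation::equalsIgnoreCase);` if the module's language level allows it. Separately, the two fields could be declared as `SetMultimap<String, String>` rather than the concrete `HashMultimap`, which keeps the set semantics in the type without fixing the implementation. Both enclosing methods begin outside the visible hunks.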


@ -1226,6 +1226,43 @@ public class Foo {
]]></code>
</test-code>
<test-code>
<description>>#3576 - Verify use of readAuthMethodPattern, negative test</description>
<expected-problems>2</expected-problems>
<code><![CDATA[
public class Foo {
public void foo() {
if (AuthorizationUtil.isAccessible(Account.SObjectType)) {
List<Account> accounts = [SELECT Id FROM Account];
}
AuthorizationUtil.assertAccessible(Account.SObjectType);
// TODO: Evidently this rule doesn't check Database.query() yet
List<Account> accounts = [SELECT Id FROM Account];
}
}
]]></code>
</test-code>
<test-code>
<description>>#3576 - Verify use of readAuthMethodPattern, positive test</description>
<rule-property name="readAuthMethodPattern">AuthorizationUtil\.(is|assert)Accessible</rule-property>
<expected-problems>0</expected-problems>
<code><![CDATA[
public class Foo {
public void foo() {
if (AuthorizationUtil.isAccessible(Account.SObjectType)) {
List<Account> accounts = [SELECT Id FROM Account];
}
AuthorizationUtil.assertAccessible(Account.SObjectType);
// TODO: Evidently this rule doesn't check Database.query() yet
List<Account> accounts = [SELECT Id FROM Account];
}
}
]]></code>
</test-code>
<test-code>
<description>>#3576 - Verify use of updateAuthMethodPattern, negative test</description>
<expected-problems>2</expected-problems>