Detection of XSS in method return statement

pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexXSSFromURLParamRule.java

@@ -12,6 +12,7 @@ import net.sourceforge.pmd.lang.apex.ast.ASTDottedExpression;
 import net.sourceforge.pmd.lang.apex.ast.ASTFieldDeclaration;
 import net.sourceforge.pmd.lang.apex.ast.ASTMethodCallExpression;
 import net.sourceforge.pmd.lang.apex.ast.ASTReferenceExpression;
+import net.sourceforge.pmd.lang.apex.ast.ASTReturnStatement;
 import net.sourceforge.pmd.lang.apex.ast.ASTVariableDeclaration;
 import net.sourceforge.pmd.lang.apex.ast.ASTVariableExpression;
 import net.sourceforge.pmd.lang.apex.ast.AbstractApexNode;
@@ -70,6 +71,32 @@ public class ApexXSSFromURLParamRule extends AbstractApexRule {
 		processInlineMethodCalls(node, data, false);
 		return data;
 	}
+	
+	@Override
+	public Object visit(ASTReturnStatement node, Object data) {
+		ASTBinaryExpression binaryExpression = node.getFirstChildOfType(ASTBinaryExpression.class);
+		if (binaryExpression != null) {
+			processBinaryExpression(binaryExpression, data);
+		}
+
+		ASTMethodCallExpression methodCall = node.getFirstChildOfType(ASTMethodCallExpression.class);
+		if (methodCall != null) {
+			processInlineMethodCalls(methodCall, data, true);
+		}
+		
+		List<ASTVariableExpression> nodes = node.findChildrenOfType(ASTVariableExpression.class);
+		
+		for (ASTVariableExpression varExpression : nodes) {
+			StringBuilder sb = new StringBuilder().append(varExpression.getNode().getDefiningType().getApexName()).append(":")
+					.append(varExpression.getNode().getIdentifier().value);
+
+			if (urlParameterString.contains(sb.toString())) {
+				addViolation(data, nodes.get(0));
+			}
+		}
+		
+		return data;
+	}
 
 	private boolean isEscapingMethod(ASTMethodCallExpression methodNode) {
 		return isMethodCallChain(methodNode, HTML_ESCAPING) || isMethodCallChain(methodNode, JS_ESCAPING)
@@ -159,6 +186,7 @@ public class ApexXSSFromURLParamRule extends AbstractApexRule {
 					processBinaryExpression(o, data);
 				}
 			}
+			
 		}
 			break;
 		case 2: {

pmd-apex/src/test/resources/net/sourceforge/pmd/lang/apex/rule/security/xml/ApexXSSFromURLParam.xml

@@ -2,6 +2,56 @@
 
 <test-data>
 
+	<test-code>
+		<description>URL parameter in return statement</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo {
+	public String test1() {
+		return ApexPages.currentPage().getParameters().get('foo');
+	}		
+}
+		]]></code>
+	</test-code>
+	
+		<test-code>
+		<description>URL parameter in return statement concatenation</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo {
+	public String test1() {
+		return 'text' + ApexPages.currentPage().getParameters().get('foo');
+	}		
+}
+		]]></code>
+	</test-code>
+
+	<test-code>
+		<description>URL parameter used without being escaped in return statement</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo {
+	public String test1() {
+		String bas = ApexPages.currentPage().getParameters().get('foo');
+		return bas;
+	}		
+}
+		]]></code>
+	</test-code>
+
+	<test-code>
+		<description>URL parameter used without being escaped in return statement concatenation</description>
+		<expected-problems>1</expected-problems>
+		<code><![CDATA[
+public class Foo {
+	public String test1() {
+		String bas = ApexPages.currentPage().getParameters().get('foo');
+		return 'text' + bas;
+	}		
+}
+		]]></code>
+	</test-code>
+
 	  <test-code>
 		<description>URL parameter used without being escaped 1</description>
 		<expected-problems>1</expected-problems>
@@ -222,5 +272,4 @@ public class Foo {
 		
 	</test-code>
 
-
 </test-data>