Merge pull request #59 from Trivadis/bugfix/issue-55-g-9501-constant

Bugfix issue 55 - False negative in G-9501 when using constant
Trivadis · Oct 3, 2023 · 6fe9e26 · 6fe9e26
2 parents c86b496 + 2e129a2
commit 6fe9e26
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 3 deletions.
diff --git a/src/main/java/com/trivadis/tvdcc/validators/SQLInjection.xtend b/src/main/java/com/trivadis/tvdcc/validators/SQLInjection.xtend
@@ -46,6 +46,7 @@ import org.eclipse.xtext.EcoreUtil2
 import org.eclipse.xtext.nodemodel.util.NodeModelUtils
 import org.eclipse.xtext.validation.Check
 import org.eclipse.xtext.validation.EValidatorRegistrar
+import com.trivadis.oracle.plsql.plsql.ConstantDeclaration
 
 class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 	HashMap<Integer, PLSQLCopGuideline> guidelines
@@ -315,13 +316,22 @@ class SQLInjection extends PLSQLValidator implements PLSQLCopValidator {
 		}
 		val declareSection = body.declareSection
 		if (declareSection !== null) {
-			val variable = EcoreUtil2.getAllContentsOfType(declareSection, VariableDeclaration).findFirst [
+			var EObject varOrConst = EcoreUtil2.getAllContentsOfType(declareSection, VariableDeclaration).findFirst [
 				it.variable.value.equalsIgnoreCase(n.value) && it.getDefault() !== null
 			]
-			if (variable !== null) {
-				for (name : getRelevantSimplExpressionNameValues(variable.getDefault())) {
+			if (varOrConst !== null) {
+				for (name : getRelevantSimplExpressionNameValues((varOrConst as VariableDeclaration).getDefault())) {
 					expressions.put(name.value.toLowerCase, name)
 				}
+			} else {
+				varOrConst = EcoreUtil2.getAllContentsOfType(declareSection, ConstantDeclaration).findFirst [
+					it.constant.value.equalsIgnoreCase(n.value) && it.getDefault() !== null
+				]
+				if (varOrConst !== null) {
+					for (name : getRelevantSimplExpressionNameValues((varOrConst as ConstantDeclaration).getDefault())) {
+						expressions.put(name.value.toLowerCase, name)
+					}
+				}
 			}
 		}
 		return expressions;

diff --git a/src/test/java/com/trivadis/tvdcc/validators/tests/SQLInjectionTest.xtend b/src/test/java/com/trivadis/tvdcc/validators/tests/SQLInjectionTest.xtend
@@ -486,4 +486,32 @@ class SQLInjectionTest extends AbstractValidatorTest {
 		Assert.assertEquals(1, issues.size)
 	}
 
+	@Test
+	def void issue55_using_unasserted_constant_in_execute_immediate() {
+		val stmt = '''
+			create or replace procedure exec_sql(in_sql in varchar2) is
+			   co_sql constant varchar2(1000 char) := in_sql;
+			begin
+			   execute immediate co_sql;
+			end exec_sql;
+			/
+		'''
+		val issues = stmt.issues
+		Assert.assertEquals(1, issues.size)
+	}
+
+	@Test
+	def void issue55_using_asserted_constant_in_execute_immediate() {
+		val stmt = '''
+			create or replace procedure exec_sql(in_sql in varchar2) is
+			   co_sql constant varchar2(1000 char) := sys.dbms_assert.noop(in_sql);
+			begin
+			   execute immediate co_sql;
+			end exec_sql;
+			/
+		'''
+		val issues = stmt.issues
+		Assert.assertEquals(0, issues.size)
+	}
+
 }