diff --git a/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after b/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after
index f74fbc82d..f08df1483 100644
--- a/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after
+++ b/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after
@@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 PreparedStatement statement = connection.prepareStatement(checkUserQuery);
 statement.setString(1, username_reg);
- ResultSet resultSet = statement.execute();
+ ResultSet resultSet = statement.executeQuery();
 if (resultSet.next()) {
 if (username_reg.contains("tom'")) {
 attackResult = success(this).feedback("user.exists").build();
diff --git a/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after b/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after
index efde86db4..b5bea8f7f 100644
--- a/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after
+++ b/core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after
@@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
 statement.setString(1, name);
 statement.setString(2, auth_tan);
- ResultSet results = statement.execute();
+ ResultSet results = statement.executeQuery();
 if (results.getStatement() != null) {
 if (results.first()) {
 output.append(generateTable(results));
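Review bot: The removed lines `ResultSet resultSet = statement.execute();` and `ResultSet results = statement.execute();` in the two hunks on this line assigned the `boolean` returned by `PreparedStatement.execute()` to a `ResultSet`, so the previous expected outputs were not compilable Java, and the fact that this shipped suggests the `.java.after` resources are compared as text rather than compiled. A cheap guard against the same class of regression is a test that runs each `.after` resource through the Java parser the codemod already uses for its rewrites, or compiles it where the fixture is self-contained. None of the updated fixtures (SqlInjectionLesson8, SqlInjectionLesson5a, SQLTestMixed and both sql-parameterizer Test files further down) keeps a bare `execute(...)` call, so the preserved-name path for that boolean-returning overload is currently unasserted; one fixture whose input uses `stmt.execute(sql)` would cover it. The enclosing methods start and end outside these hunks.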
@@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
 PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
 statement.setString(1, sdf.format(cal.getTime()));
 statement.setString(2, action);
- statement.execute();
+ statement.executeUpdate();
 } catch (SQLException e) {
 System.err.println(e.getMessage());
 }
diff --git a/core-codemods/src/test/resources/semgrep-sql-injection-formatted-sql-string/SqlInjectionLesson5a.java.after b/core-codemods/src/test/resources/semgrep-sql-injection-formatted-sql-string/SqlInjectionLesson5a.java.after
index 781e920e4..b773024f8 100644
--- a/core-codemods/src/test/resources/semgrep-sql-injection-formatted-sql-string/SqlInjectionLesson5a.java.after
+++ b/core-codemods/src/test/resources/semgrep-sql-injection-formatted-sql-string/SqlInjectionLesson5a.java.after
@@ -67,7 +67,7 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
 query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
 statement.setString(1, accountName);
- ResultSet results = statement.execute();
+ ResultSet results = statement.executeQuery();
 if ((results != null) && (results.first())) {
 ResultSetMetaData resultsMetaData = results.getMetaData();
 StringBuilder output = new StringBuilder();
diff --git a/core-codemods/src/test/resources/semgrep-sql-injection/SqlInjectionLesson8.java.after b/core-codemods/src/test/resources/semgrep-sql-injection/SqlInjectionLesson8.java.after
index efde86db4..b5bea8f7f 100644
--- a/core-codemods/src/test/resources/semgrep-sql-injection/SqlInjectionLesson8.java.after
+++ b/core-codemods/src/test/resources/semgrep-sql-injection/SqlInjectionLesson8.java.after
@@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
 statement.setString(1, name);
 statement.setString(2, auth_tan);
- ResultSet results = statement.execute();
+ ResultSet results = statement.executeQuery();
 if (results.getStatement() != null) {
 if (results.first()) {
 output.append(generateTable(results));
@@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
 PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
 statement.setString(1, sdf.format(cal.getTime()));
 statement.setString(2, action);
- statement.execute();
+ statement.executeUpdate();
 } catch (SQLException e) {
 System.err.println(e.getMessage());
 }
diff --git a/core-codemods/src/test/resources/sonar-sql-injection-s2077/supported/SqlInjectionChallenge.java.after b/core-codemods/src/test/resources/sonar-sql-injection-s2077/supported/SqlInjectionChallenge.java.after
index f74fbc82d..f08df1483 100644
--- a/core-codemods/src/test/resources/sonar-sql-injection-s2077/supported/SqlInjectionChallenge.java.after
+++ b/core-codemods/src/test/resources/sonar-sql-injection-s2077/supported/SqlInjectionChallenge.java.after
@@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 PreparedStatement statement = connection.prepareStatement(checkUserQuery);
 statement.setString(1, username_reg);
- ResultSet resultSet = statement.execute();
+ ResultSet resultSet = statement.executeQuery();
 if (resultSet.next()) {
 if (username_reg.contains("tom'")) {
 attackResult = success(this).feedback("user.exists").build();
diff --git a/core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedMixedInjections/SQLTestMixed.java.after b/core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedMixedInjections/SQLTestMixed.java.after
index 241dcd490..c725113c3 100644
--- a/core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedMixedInjections/SQLTestMixed.java.after
+++ b/core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedMixedInjections/SQLTestMixed.java.after
@@ -18,7 +18,7 @@ public final class SQLTestMixed {
 String sql = "SELECT * FROM " + validateTableName(input + "") + " where name=?" ;
 PreparedStatement stmt = conn.prepareStatement(sql);
 stmt.setString(1, scanner.nextLine());
- return stmt.execute();
+ return stmt.executeQuery();
 }
 String validateTableName(final String tablename) {
diff --git a/core-codemods/src/test/resources/sonar-sql-injection-s3649/SqlInjectionChallenge.java.after b/core-codemods/src/test/resources/sonar-sql-injection-s3649/SqlInjectionChallenge.java.after
index f74fbc82d..f08df1483 100644
--- a/core-codemods/src/test/resources/sonar-sql-injection-s3649/SqlInjectionChallenge.java.after
+++ b/core-codemods/src/test/resources/sonar-sql-injection-s3649/SqlInjectionChallenge.java.after
@@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 PreparedStatement statement = connection.prepareStatement(checkUserQuery);
 statement.setString(1, username_reg);
- ResultSet resultSet = statement.execute();
+ ResultSet resultSet = statement.executeQuery();
 if (resultSet.next()) {
 if (username_reg.contains("tom'")) {
 attackResult = success(this).feedback("user.exists").build();
diff --git a/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after b/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after
index 3cb08a594..b5a9efb59 100644
--- a/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after
+++ b/core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after
@@ -14,14 +14,14 @@ public final class Test {
 String sql = "SELECT * FROM USERS WHERE USER = ?";
 PreparedStatement stmt = conn.prepareStatement(sql);
 stmt.setString(1, input);
- return stmt.execute();
+ return stmt.executeQuery();
 }
 public ResultSet directStatement(String input) throws SQLException {
 String sql = "SELECT * FROM USERS WHERE USER = ?";
 PreparedStatement stmt = conn.prepareStatement(sql);
 stmt.setString(1, input);
- var rs = stmt.execute();
+ var rs = stmt.executeQuery();
 return rs;
 }
@@ -30,7 +30,7 @@ public final class Test {
 String sql = "SELECT * FROM USERS WHERE USER = ?";
 PreparedStatement statement = conn.prepareStatement(sql);
 statement.setString(1, input);
- ResultSet rs = statement.execute();
+ ResultSet rs = statement.executeQuery();
 stmt++;
 return rs;
 }
@@ -41,7 +41,7 @@ public final class Test {
 String sql = "SELECT * FROM USERS WHERE USER = ?";
 PreparedStatement stmt1 = conn.prepareStatement(sql);
 stmt1.setString(1, input);
- ResultSet rs = stmt1.execute();
+ ResultSet rs = stmt1.executeQuery();
 stmt = stmt + statement;
 return rs;
 }
@@ -50,7 +50,7 @@ public final class Test {
 String sql = "SELECT * FROM USERS WHERE USER = ?";
 try(PreparedStatement stmt = conn.prepareStatement(sql) ){
 stmt.setString(1, input);
- try (ResultSet rs = stmt.execute()) {
+ try (ResultSet rs = stmt.executeQuery()) {
 return rs;
 }
 }
@@ -61,14 +61,14 @@ public final class Test {
 PreparedStatement stmt = conn.prepareStatement(sql);
 stmt.setString(1, "user_" + input + "_name");
 stmt.setString(2, input2);
- return stmt.execute();
+ return stmt.executeQuery();
 }
 public ResultSet referencesAfterExecute(String input) throws SQLException {
 String sql = "SELECT * FROM USERS WHERE USER = ?";
 PreparedStatement stmt = conn.prepareStatement(sql);
 stmt.setString(1, input);
- var rs = stmt.execute();
+ var rs = stmt.executeQuery();
 System.out.println(sql);
 return rs;
 }
@@ -78,7 +78,7 @@ public final class Test {
 sql = "SELECT * FROM USERS WHERE USER = ?";
 PreparedStatement stmt = conn.prepareStatement(sql);
 stmt.setString(1, input);
- var rs = stmt.execute();
+ var rs = stmt.executeQuery();
 return rs;
 }
@@ -88,7 +88,7 @@ public final class Test {
 try {
 stmt = conn.prepareStatement(sql);
 stmt.setString(1, input);
- ResultSet rs = stmt.execute();
+ ResultSet rs = stmt.executeQuery();
 return rs;
 } catch (Exception e) {
 }
diff --git a/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after b/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after
index d0d749c29..e6fe49f31 100644
--- a/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after
+++ b/core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after
@@ -15,7 +15,7 @@ public final class Test {
 String query2 = "SELECT * FROM users WHERE username = ?";
 PreparedStatement statement = conn.prepareStatement(query2);
 statement.setString(1, request.getParameter("username"));
- ResultSet rs2 = statement.execute();
+ ResultSet rs2 = statement.executeQuery();
 stmt = statement;
 while (rs2.next()) {
 System.out.println("User: " + rs2.getString("username"));
@@ -24,7 +24,7 @@ public final class Test {
 stmt.close();
 PreparedStatement stmt1 = conn.prepareStatement(query3);
 stmt1.setString(1, request.getParameter("email"));
- ResultSet rs3 = stmt1.execute();
+ ResultSet rs3 = stmt1.executeQuery();
 stmt = stmt1;
 while (rs3.next()) {
 System.out.println("User: " + rs3.getString("username"));
diff --git a/framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java b/framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java
index 2e931c363..56fceff8c 100644
--- a/framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java
+++ b/framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java
@@ -524,7 +524,6 @@ private MethodCallExpr fix(
 var topStatement = gatherAndSetParameters(stmtName, executeStmt, queryParameterizer);
 // (3)
- executeCall.setName("execute");
 executeCall.setScope(new NameExpr(stmtName));
 executeCall.setArguments(new NodeList<>());
@@ -723,9 +722,7 @@ private MethodCallExpr fixByHijackedStatement(
 ASTTransforms.addStatementBeforeStatement(topStatement, closeOriginal);
 }
- // TODO will this work for every type of execute statement? or just executeQuery?
 // change execute statement
- executeCall.setName("execute");
 executeCall.setScope(new NameExpr(pStmtName));
 executeCall.setArguments(new NodeList<>());
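Review bot: With `setName("execute")` gone, the `// (3)` comment in `fix` and the `// change execute statement` comment in `fixByHijackedStatement` no longer say what this step does or why the original method name is now kept, and the removed TODO's question is answered only implicitly; I would replace each with `// keep the caller's method name (execute/executeQuery/executeUpdate) so the call site's return type is unchanged; only the scope and the SQL argument are rewritten`. A second thing the following `executeCall.setArguments(new NodeList<>())` line leaves open in both hunks: if the matcher upstream admits the JDBC overloads that take a second argument (`executeUpdate(String, int autoGeneratedKeys)`, `execute(String, String[])`), that argument is dropped silently here instead of being carried over to `prepareStatement`, so either the matcher should reject those overloads or the rewrite should fail loudly on a call with more than one argument. Both enclosing methods, `fix` and `fixByHijackedStatement`, start and end outside these hunks.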