Class SQLParameterizer

java.lang.Object
io.codemodder.remediation.sqlinjection.SQLParameterizer

public final class SQLParameterizer extends Object
Contains most of the logic for detecting and fixing parameterizable SQL statements for a given MethodCallExpr.
  • Constructor Summary

    Constructors
    Constructor
    Description
    SQLParameterizer(com.github.javaparser.ast.expr.MethodCallExpr methodCallExpr)
    SQLParameterizer(com.github.javaparser.ast.expr.MethodCallExpr methodCallExpr, com.github.javaparser.ast.CompilationUnit cu)
  • Method Summary

    Modifier and Type
    Method
    Description
    Optional<com.github.javaparser.ast.expr.MethodCallExpr>
    checkAndFix()
    Checks whether the wrapped method call is a query call that needs to be fixed and, if so, rewrites it.
    static Set<String>
    fixableJdbcMethodNames()
    Returns the set of fixable JDBC method names.
    static boolean
    isParameterizationCandidate(com.github.javaparser.ast.expr.MethodCallExpr methodCallExpr)
    Checks whether the MethodCallExpr is one of the Statement execute calls whose SQL argument is not a String literal.
    static boolean
    isSupportedJdbcMethodCall(com.github.javaparser.ast.expr.MethodCallExpr methodCall)
    Returns true if the call's method name is one of the fixable JDBC method names.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SQLParameterizer

      public SQLParameterizer(com.github.javaparser.ast.expr.MethodCallExpr methodCallExpr)
    • SQLParameterizer

      public SQLParameterizer(com.github.javaparser.ast.expr.MethodCallExpr methodCallExpr, com.github.javaparser.ast.CompilationUnit cu)
  • Method Details

    • isParameterizationCandidate

      public static boolean isParameterizationCandidate(com.github.javaparser.ast.expr.MethodCallExpr methodCallExpr)
      Checks whether the MethodCallExpr is one of the Statement execute calls (see fixableJdbcMethodNames()) whose SQL argument is not a String literal. A non-literal argument means the query text is assembled at runtime, typically by string concatenation, and may therefore carry untrusted input; such a call is a candidate for rewriting to a PreparedStatement. A call whose argument is a constant String literal has nothing to parameterize and is not a candidate.
    • isSupportedJdbcMethodCall

      public static boolean isSupportedJdbcMethodCall(com.github.javaparser.ast.expr.MethodCallExpr methodCall)
      Returns true if the method name of methodCall is one of the fixable JDBC method names (see fixableJdbcMethodNames()). This is a name-based check only; use isParameterizationCandidate(MethodCallExpr) to also check the shape of the argument.
    • fixableJdbcMethodNames

      public static Set<String> fixableJdbcMethodNames()
      Returns the set of JDBC method names (Statement execute calls) that this class knows how to parameterize.
    • checkAndFix

      public Optional<com.github.javaparser.ast.expr.MethodCallExpr> checkAndFix()
      Checks whether the wrapped method call is a query call that needs to be fixed and, if so, rewrites it. Returns the PreparedStatement creation expression if the parameterization was applied, or an empty Optional if the call was left unchanged.
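      The following is an added usage example, not code from the codemodder project: it parses a constructed source file with JavaParser, filters the method calls through isSupportedJdbcMethodCall and isParameterizationCandidate, and runs checkAndFix() on each candidate. The class name SqlParameterizerDemo and the sample UserDao source are invented for the example. It assumes (the page does not state this) that checkAndFix() applies the rewrite to the CompilationUnit passed to the constructor, so printing the unit afterwards shows the result; the exact shape of the rewritten code is whatever the codemod produces and is not asserted here. Requires Java 17+ for the text block.

```java
import com.github.javaparser.StaticJavaParser;
import com.github.javaparser.ast.CompilationUnit;
import com.github.javaparser.ast.expr.MethodCallExpr;
import io.codemodder.remediation.sqlinjection.SQLParameterizer;
import java.util.List;
import java.util.Optional;

/**
 * Added example (not part of codemodder): drive SQLParameterizer over a
 * constructed source file and report which JDBC calls were parameterized.
 */
public final class SqlParameterizerDemo {

  // Constructed input. findByName() builds its query by concatenating the
  // caller-supplied `name` into the SQL text, so a value such as
  //   x' OR '1'='1
  // changes the query structure instead of being treated as data.
  // countAll() passes a constant String literal and has nothing to parameterize.
  private static final String VULNERABLE_SOURCE =
      """
      import java.sql.*;

      class UserDao {
        ResultSet findByName(Connection conn, String name) throws SQLException {
          Statement stmt = conn.createStatement();
          return stmt.executeQuery("SELECT id, email FROM users WHERE name = '" + name + "'");
        }

        ResultSet countAll(Connection conn) throws SQLException {
          Statement stmt = conn.createStatement();
          return stmt.executeQuery("SELECT COUNT(*) FROM users");
        }
      }
      """;

  public static void main(String[] args) {
    CompilationUnit cu = StaticJavaParser.parse(VULNERABLE_SOURCE);

    // findAll returns a snapshot list, so mutating the tree inside the loop
    // does not disturb the iteration itself.
    List<MethodCallExpr> calls = cu.findAll(MethodCallExpr.class);
    int fixed = 0;
    for (MethodCallExpr call : calls) {
      // Cheap name-based filter first (executeQuery etc.), then the
      // structural check on the SQL argument.
      if (!SQLParameterizer.isSupportedJdbcMethodCall(call)) {
        continue;
      }
      boolean candidate = SQLParameterizer.isParameterizationCandidate(call);
      System.out.printf("%-70s candidate=%b%n", call, candidate);
      if (!candidate) {
        continue;
      }

      SQLParameterizer parameterizer = new SQLParameterizer(call, cu);
      Optional<MethodCallExpr> preparedStatementCreation = parameterizer.checkAndFix();
      if (preparedStatementCreation.isPresent()) {
        fixed++;
        System.out.println("  -> parameterized; PreparedStatement creation: "
            + preparedStatementCreation.get());
      } else {
        System.out.println("  -> left unchanged");
      }
    }

    System.out.println("fixed " + fixed + " call(s)");
    // Assumption: the rewrite was applied to `cu` in place, so this shows
    // findByName() using a PreparedStatement with a bound parameter.
    System.out.println(cu);
  }
}
```

      Of the two executeQuery calls, only the one in findByName() should be reported as a candidate: its argument is a concatenation, not a String literal. The constant query in countAll() is already safe and is expected to be skipped before checkAndFix() is ever constructed for it.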