
com.cflint.plugins.core.QueryParamChecker Maven / Gradle / Ivy


A static code analysis tool for ColdFusion (in the spirit of FindBugs and Lint). With CFLint, you are able to analyze your ColdFusion code base for code violations.

package com.cflint.plugins.core;

import java.util.regex.Matcher;
import java.util.regex.Pattern;

import com.cflint.BugList;
import com.cflint.plugins.CFLintScannerAdapter;
import com.cflint.plugins.Context;

import cfml.parsing.cfscript.CFExpression;
import cfml.parsing.cfscript.CFFunctionExpression;
import net.htmlparser.jericho.Element;

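/**
 * Flags SQL that interpolates ColdFusion variables straight into the query text instead of
 * binding them with {@code cfqueryparam} / {@code queryparam} — the usual route to SQL injection.
 *
 * <p>Two shapes are inspected:
 * <ul>
 *   <li>script syntax: a call to {@code setSql(...)} whose first argument contains a
 *       {@code #expr#} interpolation (reported as {@code QUERYPARAM_REQ});</li>
 *   <li>tag syntax: the text body of a {@code <cfquery>} tag — except query-of-queries,
 *       {@code dbtype="query"} — containing a {@code #expr#} interpolation (reported as
 *       {@code CFQUERYPARAM_REQ}).</li>
 * </ul>
 *
 * <p>This is a heuristic, not a proof of safety: only {@code #...#} interpolation is detected.
 * SQL assembled by string concatenation, or built elsewhere and handed over in a variable,
 * produces no finding here. A doubled {@code ##} (CFML's escape for a literal pound sign) is
 * not treated as interpolation, so a string such as {@code '##'} does not trigger a finding.
 */
public class QueryParamChecker extends CFLintScannerAdapter {

	/** Script-syntax function whose first argument is raw SQL text. */
	private static final String SET_SQL = "setSql";

	/**
	 * Matches a string holding an unescaped {@code #} followed by some other character — the
	 * opening delimiter of a {@code #expr#} interpolation. The leading group only ever consumes
	 * non-{@code #} characters or whole {@code ##} pairs, so an escaped pound sign can never be
	 * read as a delimiter. DOTALL lets the SQL span several lines. Compiled once: the original
	 * rebuilt it on every visited expression.
	 */
	private static final Pattern SCRIPT_INTERPOLATION =
			Pattern.compile("(?:[^#]|##)*#[^#].*", Pattern.DOTALL);

	/**
	 * One {@code #expr#} interpolation inside a tag body. Applied after {@code ##} pairs have
	 * been removed, so every remaining {@code #} is a genuine delimiter.
	 */
	private static final Pattern TAG_INTERPOLATION = Pattern.compile("#(.+?)#");

	/**
	 * Script-syntax check: reports {@code QUERYPARAM_REQ} when the first argument of a
	 * {@code setSql(...)} call interpolates a variable.
	 *
	 * @param expression expression being visited; only {@link CFFunctionExpression} is inspected
	 * @param context    receives the finding via {@link Context#addMessage}
	 * @param bugs       unused here; findings are routed through {@code context}
	 */
	@Override
	public void expression(final CFExpression expression, final Context context, final BugList bugs) {
		if (!(expression instanceof CFFunctionExpression)) {
			return;
		}
		final CFFunctionExpression call = (CFFunctionExpression) expression;
		if (!SET_SQL.equalsIgnoreCase(call.getFunctionName()) || call.getArgs().isEmpty()) {
			return;
		}
		// Decompile(0) presumably renders the argument back to CFML source text, #expr#
		// markers included — that is the form the pattern below expects. TODO confirm.
		final String sql = call.getArgs().get(0).Decompile(0);
		if (hasScriptInterpolation(sql)) {
			context.addMessage("QUERYPARAM_REQ", call.getName());
		}
	}

	/**
	 * Tag-syntax check: reports {@code CFQUERYPARAM_REQ} once per {@code #expr#} found in the
	 * text body of a {@code <cfquery>} tag. Query-of-queries ({@code dbtype="query"}) is skipped,
	 * presumably because it targets an in-memory result set rather than a database.
	 *
	 * @param element element being visited; only {@code cfquery} is inspected
	 * @param context receives the finding, keyed by the tag's {@code name} attribute
	 * @param bugs    unused here; findings are routed through {@code context}
	 */
	@Override
	public void element(final Element element, final Context context, final BugList bugs) {
		if (!"cfquery".equals(element.getName())
				|| "query".equalsIgnoreCase(element.getAttributeValue("dbtype"))) {
			return;
		}
		final String body = element.getTextExtractor().toString();
		// No indexOf pre-check: the original tested indexOf("#") > 0, which silently skipped any
		// body whose very first character is '#' (e.g. a query consisting solely of #sql#).
		final Matcher matcher = TAG_INTERPOLATION.matcher(stripEscapedHashes(body));
		// One finding per interpolation, keeping the original per-occurrence reporting.
		while (matcher.find()) {
			context.addMessage("CFQUERYPARAM_REQ", element.getAttributeValue("NAME"));
		}
	}

	/**
	 * Returns {@code true} when {@code sql} contains an unescaped {@code #} that opens a
	 * {@code #expr#} interpolation; {@code ##} pairs are ignored.
	 *
	 * @param sql decompiled SQL argument text
	 */
	static boolean hasScriptInterpolation(final String sql) {
		return SCRIPT_INTERPOLATION.matcher(sql).matches();
	}

	/**
	 * Removes every {@code ##} escape so that only interpolation delimiters remain.
	 *
	 * @param text raw tag body
	 */
	static String stripEscapedHashes(final String text) {
		return text.replace("##", "");
	}

}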



