com.cflint.plugins.core.QueryParamChecker Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of CFLint Show documentation
Show all versions of CFLint Show documentation
A static code analysis tool for ColdFusion (in the spirit of FindBugs and Lint). With CFLint, you are able to analyze your ColdFusion code base for code violations.
package com.cflint.plugins.core;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import com.cflint.BugList;
import com.cflint.plugins.CFLintScannerAdapter;
import com.cflint.plugins.Context;
import cfml.parsing.cfscript.CFExpression;
import cfml.parsing.cfscript.CFFunctionExpression;
import net.htmlparser.jericho.Element;
public class QueryParamChecker extends CFLintScannerAdapter {
@Override
public void expression(final CFExpression expression, final Context context, final BugList bugs) {
if (expression instanceof CFFunctionExpression) {
final CFFunctionExpression functionExpression = (CFFunctionExpression) expression;
if (functionExpression.getFunctionName().equalsIgnoreCase("setSql")
&& !functionExpression.getArgs().isEmpty()) {
final CFExpression argsExpression = functionExpression.getArgs().get(0);
final Pattern p = Pattern.compile(".*#[^#].*", Pattern.DOTALL);
if (p.matcher(argsExpression.Decompile(0)).matches()) {
context.addMessage("QUERYPARAM_REQ", functionExpression.getName());
}
}
}
}
@Override
public void element(final Element element, final Context context, final BugList bugs) {
if (
element.getName().equals("cfquery") && !"query".equalsIgnoreCase(element.getAttributeValue("dbtype"))) {
String content = element.getContent().toString();
//Todo : cfparser/Jericho does not support parsing out the cfqueryparam very well.
// the following code will not work when there is a > sign in the expression
content = content.replaceAll("]*>", "");
if (content.indexOf("#") > 0) {
final List ignoreLines = determineIgnoreLines(element);
final Matcher matcher = Pattern.compile("#([^#]+?)#").matcher(content);
while (matcher.find()) {
if (matcher.groupCount() >= 1) {
int currentline = context.startLine() + countNewLinesUpTo(content,matcher.start());
final String variableName = matcher.group(1);
if(!ignoreLines.contains(currentline)){
context.addMessage("CFQUERYPARAM_REQ", variableName,currentline);
}
}
}
}
}
}
/**
* Determine the line numbers of the tags
* Both the current and the next line are included
* @param element
* @return
*/
private List determineIgnoreLines(final Element element) {
final List ignoreLines = new ArrayList();
for(Element comment : element.getChildElements()){
if("!---".equals(comment.getName()) && comment.toString().contains("@CFLintIgnore") && comment.toString().contains("CFQUERYPARAM_REQ")){
int ignoreLine = comment.getSource().getRow(comment.getEnd());
ignoreLines.add(ignoreLine);
ignoreLines.add(ignoreLine + 1);
ignoreLines.add(comment.getSource().getRow(comment.getBegin()));
}else{
ignoreLines.addAll(determineIgnoreLines(comment));
}
}
return ignoreLines;
}
/**
* Count the number of new lines
* @author eberlyrh
*
*/
public int countNewLinesUpTo(final String val,final int pos){
final String x = pos>val.length()?val:val.substring(0, pos);
return Math.max(0,x.split("\\R").length-1);
}
}