Fix Processing error in AvoidSqlInExpression #302

jborgers · Apr 3, 2024 · 1e56992 · 1e56992
1 parent f2d02ed
commit 1e56992
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 10 deletions.
diff --git a/src/main/resources/category/java/sql.xml b/src/main/resources/category/java/sql.xml
@@ -79,17 +79,14 @@ count(.//PrimaryExpression/PrimaryPrefix/Name[ends-with(@Image, '.getSingleResul
 /../MemberValue//PrimaryExpression/PrimaryPrefix/Literal[contains(@Image, 'WHERE') and
 (contains(@Image, ' IN(:') or contains(@Image, ' IN (:') or contains(@Image, ' IN :') or contains(@Image, ' IN ( :')) ]
 |
-//LocalVariableDeclaration/VariableDeclarator/VariableInitializer//PrimaryPrefix[Literal[contains(@Image, ' IN') and contains(@Image, ':')]
-and starts-with(Literal[(contains(@Image, ' IN') and contains(@Image, ':'))]/
-substring-after(substring-after(@Image, ' IN'), ':')
-,
-ancestor::MethodDeclaration//BlockStatement//PrimaryPrefix/Name[ends-with(@Image, '.setParameter')]
-/../../PrimarySuffix/Arguments/ArgumentList[Expression/PrimaryExpression/PrimaryPrefix/Name[@Image != 'Arrays.asList']]/Expression/PrimaryExpression/PrimaryPrefix/Literal/substring-before(substring-after(@Image, '"'),'"'))
-and
+//LocalVariableDeclaration/VariableDeclarator/VariableInitializer//PrimaryPrefix/Literal[
+contains(@Image, ' IN') and contains(@Image, ':')]
+[replace(@Image, '^.+\s+(IN|in)[\s\(]*:([A-z0-9_]+).*$', '"$2"')
+=
 ancestor::MethodDeclaration//BlockStatement//PrimaryPrefix/Name[ends-with(@Image, '.setParameter')]
-/../../PrimarySuffix/Arguments/ArgumentList/Expression/PrimaryExpression/PrimaryPrefix/Name[@Image != 'Arrays.asList']
-]
-,
+(: Arrays.asList is typically used with just a few parameter values, so no problem :)
+/../../PrimarySuffix/Arguments/ArgumentList[Expression/PrimaryExpression/PrimaryPrefix/Name[@Image != 'Arrays.asList']]
+/Expression/PrimaryExpression/PrimaryPrefix/Literal/@Image],
 (: Criteria API: cust.get("postalCode").in(codes) :)
 //PrimaryExpression/PrimaryPrefix[pmd-java:typeIs('javax.persistence.criteria.Root')]/..//PrimarySuffix//ArgumentList/ancestor::Expression//PrimarySuffix[@Image='in']
 ,

diff --git a/src/test/resources/com/jpinpoint/perf/lang/java/ruleset/sql/xml/AvoidSqlInExpression.xml b/src/test/resources/com/jpinpoint/perf/lang/java/ruleset/sql/xml/AvoidSqlInExpression.xml
@@ -215,4 +215,24 @@ public class Tryout {
 }
      ]]></code>
     </test-code>
+
+    <test-code>
+        <description>violation: Avoid sql in expressions with multiple params, no processing error, issue #302</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>6</expected-linenumbers>
+        <code><![CDATA[
+import javax.persistence.TypedQuery;
+
+public class PmdProcessingError {
+    void example() {
+        String number = "", kinds = "";
+        String queryStr = "SELECT M FROM MessageEntity m WHERE m.kind IN :kinds"; // bad
+        final TypedQuery<Object> query = null;
+        query.setParameter("num", number);
+        query.setParameter("kinds", kinds);
+    }
+}
+     ]]></code>
+    </test-code>
+
 </test-data>