Fixed error with changing execute statements in SQLi codemods (#494)

Author: andrecsilva

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionChallenge/SqlInjectionChallenge.java.after

@@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
         PreparedStatement statement = connection.prepareStatement(checkUserQuery);
         statement.setString(1, username_reg);
 
-        ResultSet resultSet = statement.execute();
+        ResultSet resultSet = statement.executeQuery();
         if (resultSet.next()) {
           if (username_reg.contains("tom'")) {
             attackResult = success(this).feedback("user.exists").build();

core-codemods/src/test/resources/defectdojo-sql-injection/SqlInjectionLesson8/SqlInjectionLesson8.java.after

@@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
         statement.setString(1, name);
 
         statement.setString(2, auth_tan);
-        ResultSet results = statement.execute();
+        ResultSet results = statement.executeQuery();
         if (results.getStatement() != null) {
           if (results.first()) {
             output.append(generateTable(results));
@@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
       PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
       statement.setString(1, sdf.format(cal.getTime()));
       statement.setString(2, action);
-      statement.execute();
+      statement.executeUpdate();
     } catch (SQLException e) {
       System.err.println(e.getMessage());
     }

core-codemods/src/test/resources/semgrep-sql-injection-formatted-sql-string/SqlInjectionLesson5a.java.after

@@ -67,7 +67,7 @@ public class SqlInjectionLesson5a extends AssignmentEndpoint {
           query,     ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) {
         statement.setString(1, accountName);
 
-        ResultSet results = statement.execute();
+        ResultSet results = statement.executeQuery();
         if ((results != null) && (results.first())) {
           ResultSetMetaData resultsMetaData = results.getMetaData();
           StringBuilder output = new StringBuilder();

core-codemods/src/test/resources/semgrep-sql-injection/SqlInjectionLesson8.java.after

@@ -75,7 +75,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
         statement.setString(1, name);
 
         statement.setString(2, auth_tan);
-        ResultSet results = statement.execute();
+        ResultSet results = statement.executeQuery();
         if (results.getStatement() != null) {
           if (results.first()) {
             output.append(generateTable(results));
@@ -155,7 +155,7 @@ public class SqlInjectionLesson8 extends AssignmentEndpoint {
       PreparedStatement statement = connection.prepareStatement(logQuery, TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
       statement.setString(1, sdf.format(cal.getTime()));
       statement.setString(2, action);
-      statement.execute();
+      statement.executeUpdate();
     } catch (SQLException e) {
       System.err.println(e.getMessage());
     }

core-codemods/src/test/resources/sonar-sql-injection-s2077/supported/SqlInjectionChallenge.java.after

@@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
         PreparedStatement statement = connection.prepareStatement(checkUserQuery);
         statement.setString(1, username_reg);
 
-        ResultSet resultSet = statement.execute();
+        ResultSet resultSet = statement.executeQuery();
         if (resultSet.next()) {
           if (username_reg.contains("tom'")) {
             attackResult = success(this).feedback("user.exists").build();

core-codemods/src/test/resources/sonar-sql-injection-s2077/supportedMixedInjections/SQLTestMixed.java.after

@@ -18,7 +18,7 @@ public final class SQLTestMixed {
         String sql = "SELECT * FROM " + validateTableName(input + "") + " where name=?" ;
         PreparedStatement stmt = conn.prepareStatement(sql);
         stmt.setString(1, scanner.nextLine());
-        return stmt.execute();
+        return stmt.executeQuery();
     }
 
     String validateTableName(final String tablename) {

core-codemods/src/test/resources/sonar-sql-injection-s3649/SqlInjectionChallenge.java.after

@@ -69,7 +69,7 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
         PreparedStatement statement = connection.prepareStatement(checkUserQuery);
         statement.setString(1, username_reg);
 
-        ResultSet resultSet = statement.execute();
+        ResultSet resultSet = statement.executeQuery();
         if (resultSet.next()) {
           if (username_reg.contains("tom'")) {
             attackResult = success(this).feedback("user.exists").build();

core-codemods/src/test/resources/sql-parameterizer/defaultTransformation/Test.java.after

@@ -14,14 +14,14 @@ public final class Test {
     String sql = "SELECT * FROM USERS WHERE USER = ?";
     PreparedStatement stmt = conn.prepareStatement(sql);
     stmt.setString(1, input);
-    return stmt.execute();
+    return stmt.executeQuery();
   }
 
   public ResultSet directStatement(String input) throws SQLException {
     String sql = "SELECT * FROM USERS WHERE USER = ?";
     PreparedStatement stmt = conn.prepareStatement(sql);
     stmt.setString(1, input);
-    var rs = stmt.execute();
+    var rs = stmt.executeQuery();
     return rs;
   }
 
@@ -30,7 +30,7 @@ public final class Test {
     String sql = "SELECT * FROM USERS WHERE USER = ?";
     PreparedStatement statement = conn.prepareStatement(sql);
     statement.setString(1, input);
-    ResultSet rs = statement.execute();
+    ResultSet rs = statement.executeQuery();
     stmt++;
     return rs;
   }
@@ -41,7 +41,7 @@ public final class Test {
     String sql = "SELECT * FROM USERS WHERE USER = ?";
     PreparedStatement stmt1 = conn.prepareStatement(sql);
     stmt1.setString(1, input);
-    ResultSet rs = stmt1.execute();
+    ResultSet rs = stmt1.executeQuery();
     stmt = stmt + statement;
     return rs;
   }
@@ -50,7 +50,7 @@ public final class Test {
     String sql = "SELECT * FROM USERS WHERE USER = ?";
     try(PreparedStatement stmt = conn.prepareStatement(sql) ){
         stmt.setString(1, input);
-        try (ResultSet rs = stmt.execute()) {
+        try (ResultSet rs = stmt.executeQuery()) {
       return rs;
     }
     }
@@ -61,14 +61,14 @@ public final class Test {
     PreparedStatement stmt = conn.prepareStatement(sql);
     stmt.setString(1, "user_" + input + "_name");
     stmt.setString(2, input2);
-    return stmt.execute();
+    return stmt.executeQuery();
   }
 
   public ResultSet referencesAfterExecute(String input) throws SQLException {
     String sql = "SELECT * FROM USERS WHERE USER = ?";
     PreparedStatement stmt = conn.prepareStatement(sql);
     stmt.setString(1, input);
-    var rs = stmt.execute();
+    var rs = stmt.executeQuery();
     System.out.println(sql);
     return rs;
   }
@@ -78,7 +78,7 @@ public final class Test {
     sql = "SELECT * FROM USERS WHERE USER = ?";
     PreparedStatement stmt = conn.prepareStatement(sql);
     stmt.setString(1, input);
-    var rs = stmt.execute();
+    var rs = stmt.executeQuery();
     return rs;
   }
 
@@ -88,7 +88,7 @@ public final class Test {
     try {
       stmt = conn.prepareStatement(sql);
       stmt.setString(1, input);
-      ResultSet rs = stmt.execute();
+      ResultSet rs = stmt.executeQuery();
       return rs;
     } catch (Exception e) {
     }

core-codemods/src/test/resources/sql-parameterizer/hijackTransformation/Test.java.after

@@ -15,7 +15,7 @@ public final class Test {
 	String query2 = "SELECT * FROM users WHERE username = ?";
 	PreparedStatement statement = conn.prepareStatement(query2);
 	statement.setString(1, request.getParameter("username"));
-	ResultSet rs2 = statement.execute();
+	ResultSet rs2 = statement.executeQuery();
 	stmt = statement;
 	while (rs2.next()) {
 		System.out.println("User: " + rs2.getString("username"));
@@ -24,7 +24,7 @@ public final class Test {
 	stmt.close();
 	PreparedStatement stmt1 = conn.prepareStatement(query3);
 	stmt1.setString(1, request.getParameter("email"));
-	ResultSet rs3 = stmt1.execute();
+	ResultSet rs3 = stmt1.executeQuery();
 	stmt = stmt1;
 	while (rs3.next()) {
 		System.out.println("User: " + rs3.getString("username"));

framework/codemodder-base/src/main/java/io/codemodder/remediation/sqlinjection/SQLParameterizer.java

@@ -524,7 +524,6 @@ private MethodCallExpr fix(
     var topStatement = gatherAndSetParameters(stmtName, executeStmt, queryParameterizer);
 
     // (3)
-    executeCall.setName("execute");
     executeCall.setScope(new NameExpr(stmtName));
     executeCall.setArguments(new NodeList<>());
 
@@ -723,9 +722,7 @@ private MethodCallExpr fixByHijackedStatement(
       ASTTransforms.addStatementBeforeStatement(topStatement, closeOriginal);
     }
 
-    // TODO will this work for every type of execute statement? or just executeQuery?
     // change execute statement
-    executeCall.setName("execute");
     executeCall.setScope(new NameExpr(pStmtName));
     executeCall.setArguments(new NodeList<>());