From 637d8cc589da62c40f6a6ff63d09441ceb41be86 Mon Sep 17 00:00:00 2001
From: andrecs <12188364+andrecsilva@users.noreply.github.com>
Date: Fri, 6 Jun 2025 09:39:45 -0300
Subject: [PATCH 1/2] CodetfV2 will now use more common types
---
src/codemodder/codetf/v2/codetf.py | 32 +++++++++++-------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/src/codemodder/codetf/v2/codetf.py b/src/codemodder/codetf/v2/codetf.py
index 5ef1fde2..3953e7e2 100644
--- a/src/codemodder/codetf/v2/codetf.py
+++ b/src/codemodder/codetf/v2/codetf.py
@@ -15,13 +15,18 @@ from codemodder import __version__
-from ..common import (
- CaseInsensitiveEnum,
-)
+from ..common import Action as CommonAction
 from ..common import Change as CommonChange
 from ..common import (
 CodeTFWriter,
+)
+from ..common import DiffSide as CommonDiffSide
+from ..common import (
 FixQuality,
+)
+from ..common import PackageAction as CommonPackageAction
+from ..common import PackageResult as CommonPackageResult
+from ..common import (
 Rule,
 )
@@ -29,26 +34,13 @@ from codemodder.context import CodemodExecutionContext
-class Action(CaseInsensitiveEnum):
- ADD = "add"
- REMOVE = "remove"
-
-
-class PackageResult(CaseInsensitiveEnum):
- COMPLETED = "completed"
- FAILED = "failed"
- SKIPPED = "skipped"
-
+Action = CommonAction
-class DiffSide(CaseInsensitiveEnum):
- LEFT = "left"
- RIGHT = "right"
+PackageResult = CommonPackageResult
+DiffSide = CommonDiffSide
-class PackageAction(BaseModel):
- action: Action
- result: PackageResult
- package: str
+PackageAction = CommonPackageAction
 class Change(BaseModel):
From 2403ced94cce0fb36352fcaaef4d9dba4e624a01 Mon Sep 17 00:00:00 2001
From: andrecs <12188364+andrecsilva@users.noreply.github.com>
Date: Fri, 6 Jun 2025 09:45:05 -0300
Subject: [PATCH 2/2] Added test
---
tests/test_codetf.py | 72 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 71 insertions(+), 1 deletion(-)
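Review bot: The four rebindings `Action = CommonAction` through `PackageAction = CommonPackageAction` in the second hunk are bare assignments with nothing saying why the names are kept in this module, so a reader can mistake them for local definitions. Add one comment above the group, e.g. `# Re-exported under the original v2 names so existing imports of codetf.v2 keep working`, and keep the four aliases together with consistent spacing (the hunk places `PackageResult` and `DiffSide` adjacent but `Action` and `PackageAction` apart). This hunk also drops `CaseInsensitiveEnum`; whether the common `Action`, `PackageResult` and `DiffSide` still accept mixed-case values when a CodeTF document is parsed is not visible here, so a round-trip test over an existing v2 document containing `packageActions` and `diffSide` values would confirm that parsing behaviour is unchanged. The rest of the module after `class Change(BaseModel):` is outside the hunk.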
diff --git a/tests/test_codetf.py b/tests/test_codetf.py
index f23b7360..1b97da7a 100644
--- a/tests/test_codetf.py
+++ b/tests/test_codetf.py
@@ -16,8 +16,15 @@ Result,
 Rule,
 )
+from codemodder.codetf.v2.codetf import (
+ Action,
+ DetectionTool,
+ PackageAction,
+ PackageResult,
+ Strategy,
+)
 from codemodder.codetf.v3.codetf import Finding as FindingV3
-from codemodder.codetf.v3.codetf import FixStatusType, from_v2
+from codemodder.codetf.v3.codetf import FixStatusType, from_v2, from_v2_result
 @pytest.fixture(autouse=True)
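Review bot: The added `from codemodder.codetf.v2.codetf import (` block sits directly under an existing parenthesized import whose closing names are `Result, Rule` and whose header is outside the hunk; if that earlier block imports from the same module, the five new names should be merged into it rather than importing the module twice. Every name added here (`Action`, `DetectionTool`, `PackageAction`, `PackageResult`, `Strategy`, `from_v2_result`) is used by the new test in the next hunk, so nothing is unused.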
@@ -189,6 +196,69 @@ def test_v3_finding_id_not_optional():
 FindingV3(id=None, rule=Rule(id="foo", name="whatever")) # type: ignore[arg-type]
+def test_v2_result_to_v3():
+ result = Result(
+ codemod="codeql:java/log-injection",
+ summary="Introduced protections against Log Inject ion / Forging attacks",
+ description='This change ensures that log messages can\'t contain newline characters, leaving you vulnerable to Log Forging / Log Injection.\n\nIf malicious users can get newline characters into a log message, they can inject and forge new log entries that look like they came from the server, and trick log analysis tools, administrators, and more . This leads to vulnerabilities like Log Injection, Log Forging, and more attacks from there.\n\nOur change simply strips out newline characters from log messages, ensuring that they can \'t be used to forge new log entries.\n```diff\n+ import io.github.pixee.security.Newlines;\n ...\n String orderId = getUserOrderId();\n- log.info("User order ID: " + orderId);\n+ log.
info("User order ID: " + Newlines.stripNewlines(orderId));\n```\n',
+ detectionTool=DetectionTool(name="CodeQL"),
+ references=[
+ Reference(
+ url="https://owasp.org/www-community/attacks/Log_Inj ection",
+ description="https://owasp.org/www-community/attacks/Log_Injection",
+ ),
+ Reference(
+ url="https://knowledge-base.secureflag.com/vulnerabilities/inadequate_input_validation/log_inject ion_vulnerability.html",
+ description="https://knowledge-base.secureflag.com/vulnerabilities/inadequate_input_validation/log_injection_vulnerability.html",
+ ),
+ Reference(
+ url="https://cwe.mit re.org/data/definitions/117.html",
+ description="https://cwe.mitre.org/data/definitions/117.html",
+ ),
+ ],
+ properties={},
+ failedFiles=[],
+ changeset=[
+ ChangeSet(
+ path="app/src/main/java/org/apache /roller/planet/business/fetcher/RomeFeedFetcher.java",
+ diff='--- RomeFeedFetcher.java\n+++ RomeFeedFetcher.java\n@@ -26,6 +26,7 @@\n import com.rometools.rome.io.FeedException;\n import com.rometools.rome.io.SyndFeedInput;\n import com.rometools.rome.io.XmlReader;\n+import static io.github.pixee.security.Newlines.stripAll;\n \n import java.io.IOException;\n import java.
net.URI;\n@@ -87,7 +88,7 @@\n }\n \n // fetch the feed\n- log.debug("Fetching feed: "+feedURL);\n+ log.debug("Fetching feed: "+stripAll(feedURL));\n SyndFeed feed;\n try {\n feed = fetchFeed(feedURL);',
+ changes=[
+ Change(
+ lineNumber=90,
+ description="Added a call to replace any newlines the value",
+ diffSide=DiffSide.LEFT,
+ properties={},
+ packageActions=[
+ PackageAction(
+ action=Action.ADD,
+ result=PackageResult.FAILED,
+ package="pkg:maven/io.github.pixee/java-security -toolkit@1.2.1",
+ )
+ ],
+ fixedFindings=[
+ Finding(
+ id="e5ceaca8-4a05-4f8d-ac74-6a822ac69d8f",
+ rule=Rule(
+ id="log-injection",
+ name="Log Injection",
+ url="https://codeql.github.com/codeql-query-help/ java/java-log-injection/",
+ ),
+ )
+ ],
+ )
+ ],
+ ai=None,
+ strategy=Strategy.deterministic,
+ provisional=False,
+ fixedFindings=None,
+ fixQuality=None,
+ )
+ ],
+ unfixedFindings=[],
+ )
+ assert from_v2_result(result)
+
+
 def test_v2_to_v3_conversion():
 with open("tests/samples/codetfv2_sample.codetf", "r") as f:
 codetfv2 = CodeTF.model_validate_json(f.read())
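Review bot: `assert from_v2_result(result)` at the end of `test_v2_result_to_v3` only checks that the call returns something truthy, so it passes whenever no exception is raised and never verifies that the `packageActions` (`Action.ADD`, `PackageResult.FAILED`) and `diffSide=DiffSide.LEFT` built from the shared types survive the conversion, which is the behaviour the first patch changed. Bind the return value and assert on the fields the fixture sets (the codemod id, the change's `lineNumber`, the single package action) instead of on truthiness. The fixture also carries stray spaces inside URLs and identifiers (`Log_Inj ection`, `cwe.mit re.org`, `apache /roller`, `java-security -toolkit@1.2.1`, `query-help/ java`); if these are in the committed file rather than an artifact of this rendering they should be removed, since they make the sample data misleading as soon as a test asserts on it. A one-line docstring such as `"""A v2 Result built with the shared Action/DiffSide/PackageAction types converts to v3."""` would state the test's purpose.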