"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.DangerousStatement = exports.DangerousStatementConf = void 0;
const Statements = require("../abap/2_statements/statements");
const Expressions = require("../abap/2_statements/expressions");
const issue_1 = require("../issue");
const _abap_rule_1 = require("./_abap_rule");
const _basic_rule_config_1 = require("./_basic_rule_config");
const _irule_1 = require("./_irule");

/**
 * Configuration for the `dangerous_statement` rule.
 *
 * Every flag defaults to `true`, so a project that does not override the
 * configuration gets every check the rule knows about. Each flag gates one
 * statement kind (see STATEMENT_CHECKS below); `dynamicSQL` gates the
 * separate dynamic-Open-SQL detection in `findDynamicSQL`.
 */
class DangerousStatementConf extends _basic_rule_config_1.BasicRuleConfig {
    constructor() {
        super(...arguments);
        /** Detects execSQL (dynamic SQL) */
        this.execSQL = true;
        /** Detects kernel calls */
        this.kernelCall = true;
        /** Detects SYSTEM-CALL */
        this.systemCall = true;
        /** Detects INSERT REPORT */
        this.insertReport = true;
        /** Detects GENERATE DYNPRO */
        this.generateDynpro = true;
        /** Detects GENERATE REPORT */
        this.generateReport = true;
        /** Detects GENERATE SUBROUTINE */
        this.generateSubroutine = true;
        /** Detects DELETE REPORT */
        this.deleteReport = true;
        /** Detects DELETE TEXTPOOL */
        this.deleteTextpool = true;
        /** Detects INSERT TEXTPOOL */
        this.insertTextpool = true;
        /** Detects DELETE DYNPRO */
        this.deleteDynpro = true;
        /** Detects EXPORT DYNPRO */
        this.exportDynpro = true;
        /** Finds instances of dynamic SQL: SELECT, UPDATE, DELETE, INSERT, MODIFY */
        this.dynamicSQL = true;
    }
}
exports.DangerousStatementConf = DangerousStatementConf;

/**
 * Ordered table of [config flag, statement class name, report label].
 *
 * Checked top to bottom for each statement; the first entry whose flag is
 * enabled and whose class matches wins. The class is looked up on
 * `Statements` at check time rather than at module load, so load order
 * between this module and the statements module does not matter.
 */
const STATEMENT_CHECKS = [
    ["execSQL", "ExecSQL", "EXEC SQL"],
    ["kernelCall", "CallKernel", "KERNEL CALL"],
    ["systemCall", "SystemCall", "SYSTEM-CALL"],
    ["insertReport", "InsertReport", "INSERT REPORT"],
    ["generateDynpro", "GenerateDynpro", "GENERATE DYNPRO"],
    ["generateReport", "GenerateReport", "GENERATE REPORT"],
    ["generateSubroutine", "GenerateSubroutine", "GENERATE SUBROUTINE"],
    ["deleteReport", "DeleteReport", "DELETE REPORT"],
    ["deleteTextpool", "DeleteTextpool", "DELETE TEXTPOOL"],
    ["insertTextpool", "InsertTextpool", "INSERT TEXTPOOL"],
    ["deleteDynpro", "DeleteDynpro", "DELETE DYNPRO"],
    ["exportDynpro", "ExportDynpro", "EXPORT DYNPRO"],
];

/**
 * Open SQL statement class names that are inspected for a dynamic clause
 * when `dynamicSQL` is enabled.
 */
const DATABASE_STATEMENT_CLASSES = [
    "UpdateDatabase",
    "Select",
    "SelectLoop",
    "InsertDatabase",
    "ModifyDatabase",
    "DeleteDatabase",
];

/**
 * Rule that reports statements which execute code or SQL built at runtime,
 * or which modify repository objects (reports, dynpros, textpools).
 *
 * Each matching statement yields one issue; a statement can yield two when
 * it both matches a STATEMENT_CHECKS entry and contains dynamic SQL.
 */
class DangerousStatement extends _abap_rule_1.ABAPRule {
    constructor() {
        super(...arguments);
        this.conf = new DangerousStatementConf();
    }

    getMetadata() {
        return {
            key: "dangerous_statement",
            title: "Dangerous statement",
            shortDescription: `Detects potentially dangerous statements`,
            extendedInformation: `Dynamic SQL: Typically ABAP logic does not need dynamic SQL, dynamic SQL can potentially create SQL injection problems`,
            tags: [_irule_1.RuleTag.SingleFile, _irule_1.RuleTag.Security],
        };
    }

    /**
     * Builds the issue message for a detected statement.
     * @param {string} statement - the report label, e.g. "EXEC SQL"
     * @returns {string} the message shown to the user
     */
    getDescription(statement) {
        return `Potential dangerous statement ${statement}`;
    }

    getConfig() {
        return this.conf;
    }

    setConfig(conf) {
        this.conf = conf;
    }

    /**
     * Runs the rule over every statement of the parsed file.
     * @param file - parsed ABAP file exposing `getStatements()`
     * @returns {Issue[]} one issue per detection, in statement order
     */
    runParsed(file) {
        const issues = [];
        for (const statementNode of file.getStatements()) {
            const label = this.matchStatement(statementNode.get());
            if (label) {
                issues.push(this.buildIssue(file, statementNode, label));
            }
            if (this.conf.dynamicSQL) {
                const dynamicLabel = this.findDynamicSQL(statementNode);
                if (dynamicLabel) {
                    issues.push(this.buildIssue(file, statementNode, dynamicLabel));
                }
            }
        }
        return issues;
    }

    /**
     * Returns the report label of the first enabled STATEMENT_CHECKS entry
     * whose class `statement` is an instance of, or undefined when none
     * matches.
     */
    matchStatement(statement) {
        for (const [flag, className, label] of STATEMENT_CHECKS) {
            if (this.conf[flag] && statement instanceof Statements[className]) {
                return label;
            }
        }
        return undefined;
    }

    /** Creates an issue anchored at `statementNode` with the given label. */
    buildIssue(file, statementNode, label) {
        return issue_1.Issue.atStatement(
            file,
            statementNode,
            this.getDescription(label),
            this.getMetadata().key,
            this.conf.severity,
        );
    }

    /**
     * Detects Open SQL statements with a dynamic clause.
     *
     * Only the statement kinds in DATABASE_STATEMENT_CLASSES are inspected.
     * A dynamic clause whose Dynamic expression directly contains a Constant
     * is not reported: a literal-only dynamic part cannot carry runtime
     * input, so it is not an injection vector.
     * @returns {string | undefined} "Dynamic SQL" when reported, else undefined
     */
    findDynamicSQL(statementNode) {
        const statement = statementNode.get();
        const isDatabaseStatement = DATABASE_STATEMENT_CLASSES.some(
            (className) => statement instanceof Statements[className],
        );
        if (!isDatabaseStatement) {
            return undefined;
        }
        const dyn = statementNode.findFirstExpression(Expressions.Dynamic);
        if (!dyn) {
            return undefined;
        }
        const hasConstant = dyn.findDirectExpression(Expressions.Constant) !== undefined;
        return hasConstant ? undefined : "Dynamic SQL";
    }
}
exports.DangerousStatement = DangerousStatement;
//# sourceMappingURL=dangerous_statement.js.map