SONARPY-542 Validate behavior of S4784 and S2077 with assignment expr… (SonarSource#631)

guillaume-dequenne · web-flow · commit ac9027fa8423 · 2020-03-12T12:16:16.000+01:00
diff --git a/its/ruling/src/test/resources/expected/python-S4784.json b/its/ruling/src/test/resources/expected/python-S4784.json
@@ -132,9 +132,6 @@
 'project:buildbot-slave-0.8.6p1/buildslave/scripts/runner.py':[
 160,
 ],
-'project:django-2.2.3/django/contrib/admin/options.py':[
-1641,
-],
 'project:django-2.2.3/django/contrib/admindocs/urls.py':[
 41,
 ],
@@ -151,6 +148,7 @@
 87,
 ],
 'project:django-2.2.3/django/contrib/gis/geometry.py':[
+7,
 13,
 ],
 'project:django-2.2.3/django/contrib/humanize/templatetags/humanize.py':[
@@ -219,6 +217,9 @@
 14,
 18,
 23,
+30,
+42,
+57,
 ],
 'project:django-2.2.3/django/utils/html.py':[
 22,
@@ -278,6 +279,7 @@
 2791,
 ],
 'project:numpy-1.16.4/numpy/core/_internal.py':[
+146,
 150,
 ],
 'project:numpy-1.16.4/numpy/core/code_generators/genapi.py':[
@@ -299,6 +301,7 @@
 158,
 159,
 160,
+265,
 ],
 'project:numpy-1.16.4/numpy/distutils/cpuinfo.py':[
 218,
@@ -394,7 +397,6 @@
 604,
 606,
 609,
-620,
 640,
 734,
 872,
diff --git a/python-checks/src/main/java/org/sonar/python/checks/hotspots/RegexCheck.java b/python-checks/src/main/java/org/sonar/python/checks/hotspots/RegexCheck.java
@@ -27,6 +27,7 @@
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
 import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.tree.Argument;
+import org.sonar.plugins.python.api.tree.AssignmentExpression;
 import org.sonar.plugins.python.api.tree.BinaryExpression;
 import org.sonar.plugins.python.api.tree.CallExpression;
 import org.sonar.plugins.python.api.tree.Expression;
@@ -61,7 +62,7 @@ public void initialize(Context context) {
   }
 
   private static void checkRegexArgument(Argument arg, SubscriptionContext ctx) {
-    String literal = arg.firstToken().value();
+    String literal = null;
     IssueLocation secondaryLocation = null;
     if (!arg.is(Tree.Kind.REGULAR_ARGUMENT)) {
       return;
@@ -73,6 +74,11 @@ private static void checkRegexArgument(Argument arg, SubscriptionContext ctx) {
         secondaryLocation = IssueLocation.preciseLocation(expression, "");
         literal = Expressions.unescape((StringLiteral) expression);
       }
+    } else if (argExpression.is(Tree.Kind.STRING_LITERAL)) {
+      literal = Expressions.unescape((StringLiteral) argExpression);
+    }
+    if (literal == null) {
+      return;
     }
     if (isSuspiciousRegex(literal)) {
       PreciseIssue preciseIssue = ctx.addIssue(arg, MESSAGE);
@@ -83,12 +89,16 @@ private static void checkRegexArgument(Argument arg, SubscriptionContext ctx) {
   }
 
   private static Expression getExpression(@Nullable Expression expr) {
+    expr = Expressions.removeParentheses(expr);
     if (expr == null) {
       return null;
     }
     if (expr.is(Tree.Kind.MODULO) || expr.is(Tree.Kind.PLUS)) {
       return getExpression(((BinaryExpression) expr).leftOperand());
     }
+    if (expr.is(Tree.Kind.ASSIGNMENT_EXPRESSION)) {
+      return getExpression(((AssignmentExpression) expr).expression());
+    }
     return expr;
   }
 
diff --git a/python-checks/src/main/java/org/sonar/python/checks/hotspots/SQLQueriesCheck.java b/python-checks/src/main/java/org/sonar/python/checks/hotspots/SQLQueriesCheck.java
@@ -24,11 +24,13 @@
 import java.util.Objects;
 import java.util.Optional;
 import java.util.Set;
+import javax.annotation.Nullable;
 import org.sonar.check.Rule;
 import org.sonar.plugins.python.api.PythonSubscriptionCheck;
 import org.sonar.plugins.python.api.SubscriptionContext;
 import org.sonar.plugins.python.api.tree.AliasedName;
 import org.sonar.plugins.python.api.tree.Argument;
+import org.sonar.plugins.python.api.tree.AssignmentExpression;
 import org.sonar.plugins.python.api.tree.BaseTreeVisitor;
 import org.sonar.plugins.python.api.tree.BinaryExpression;
 import org.sonar.plugins.python.api.tree.CallExpression;
@@ -134,7 +136,7 @@ private static Optional<Tree> sensitiveArgumentValue(CallExpression callExpressi
     if (!arg.is(Tree.Kind.REGULAR_ARGUMENT)) {
       return Optional.empty();
     }
-    Expression expression = ((RegularArgument) arg).expression();
+    Expression expression = getExpression(((RegularArgument) arg).expression());
     if (expression.is(Tree.Kind.NAME)) {
       expression = Expressions.singleAssignedValue((Name) expression);
     }
@@ -166,6 +168,14 @@ private static boolean isAssignment(RegularArgument arg) {
     return arg.equalToken() != null;
   }
 
+  private static Expression getExpression(@Nullable Expression expr) {
+    expr = Expressions.removeParentheses(expr);
+    if (expr.is(Tree.Kind.ASSIGNMENT_EXPRESSION)) {
+      return getExpression(((AssignmentExpression) expr).expression());
+    }
+    return expr;
+  }
+
   private static class FormattedStringVisitor extends BaseTreeVisitor {
     boolean hasFormattedString = false;
 
diff --git a/python-checks/src/test/resources/checks/hotspots/regex.py b/python-checks/src/test/resources/checks/hotspots/regex.py
@@ -16,7 +16,10 @@ def build_validator(regex):
 RegexValidator('(a{1})+') # Noncompliant
 RegexValidator('(a+)+') # Noncompliant
 RegexValidator('(a{1}){2}') # Noncompliant
-
+RegexValidator(x:='(a+)+') # Noncompliant
+RegexValidator((x:='(a+)+')) # Noncompliant
+RegexValidator(x:='a+')
+RegexValidator(42)
 
 
 def define_http_endpoint(path, view):
@@ -25,6 +28,8 @@ def define_http_endpoint(path, view):
     RegexValidator(regexp) # Noncompliant [[secondary=-1]]
 #                  ^^^^^^
     RegexValidator(*path)
+    something = 42
+    RegexValidator(something)
 
 import re
 from re import compile
@@ -58,3 +63,6 @@ def test_valid_numpy_version():
         res = re.match(version_pattern, np.__version__) # Noncompliant
     else:
         res = re.match(version_pattern + dev_suffix, np.__version__) # Noncompliant
+
+def formatted_regex():
+  pattern = re.compile(r'{}-\d+-{}$'.format(foo, bar))
diff --git a/python-checks/src/test/resources/checks/hotspots/sqlQuery.py b/python-checks/src/test/resources/checks/hotspots/sqlQuery.py
@@ -19,11 +19,15 @@ def query_my_user(request, params):
         MyUser.objects.raw('SELECT * FROM mytable WHERE name = "%s"'.format(value))  # Noncompliant
         MyUser.objects.raw(f"SELECT * FROM mytable WHERE name = '{value}'")  # Noncompliant
         MyUser.objects.raw(F"SELECT * FROM mytable WHERE name = '{value}'")  # Noncompliant
+        MyUser.objects.raw(x := F"SELECT * FROM mytable WHERE name = '{value}'")  # Noncompliant
         MyUser.objects.raw(request)  # OK
         MyUser.objects.raw(hardcoded_request)  # OK
+        MyUser.objects.raw(x := hardcoded_request)  # OK
         MyUser.objects.raw(formatted_request)  #  Noncompliant [[secondary=-14]]
         MyUser.objects.raw(formatted_request2)  # Noncompliant
         MyUser.objects.raw(formatted_request3)  # Noncompliant
+        MyUser.objects.raw(y := formatted_request3)  # Noncompliant
+        MyUser.objects.raw((y := formatted_request3))  # Noncompliant
         MyUser.objects.raw(formatted_request4)  # FN, multiple assignments
         MyUser.objects.raw(formatted_request5)  # OK
         MyUser.objects.raw(*formatted_request5)  # OK
