SONARJAVA-5909 FN on S3752 when @RequestMapping in class#5412
SONARJAVA-5909 FN on S3752 when @RequestMapping in class#5412asya-vorobeva merged 3 commits intomasterfrom
Conversation
asya-vorobeva
force-pushed
the
asya/s3752-fn
branch
from
d736347 to
061c51b
Compare
| } | ||
|
|
||
| private static boolean mixSafeAndUnsafeMethods(ExpressionTree requestMethodsAssignment) { | ||
| private boolean mixSafeAndUnsafeMethods(ExpressionTree requestMethodsAssignment) { |
There was a problem hiding this comment.
Nitpick: Could we rename the method to have a more interrogative name such as mixesSafeAndUnsafeMethods or isMixingSafeAndUnsafeMethods?
java-checks/src/main/java/org/sonar/java/checks/spring/SpringRequestMappingMethodCheck.java
Show resolved
Hide resolved
| private boolean mixSafeAndUnsafeMethods(ExpressionTree requestMethodsAssignment) { | ||
| HttpMethodVisitor visitor = new HttpMethodVisitor(); | ||
| requestMethodsAssignment.accept(visitor); | ||
| if (isClassVisited) { |
There was a problem hiding this comment.
We introduced the isClassVisited flag so that visiting the method=<VERBS> on a class or a method behaves slightly differently. Could we get rid of the field and use 2 separate methods instead?
There was a problem hiding this comment.
We can of course, but it will duplicate a code. I try to minimize such things. But if you think it will be better from maintainability view, we can. Another approach is to extract
if (isClassVisited) {
classHasSafeMethods = visitor.hasSafeMethods;
classHasUnsafeMethods = visitor.hasUnsafeMethods;
} else {
methodHasSafeMethods = visitor.hasSafeMethods;
methodHasUnsafeMethods = visitor.hasUnsafeMethods;
}
to a separate method.
There was a problem hiding this comment.
In the spirit of minimizing state of the check, I would prefer that the isClassVisited flag be passed as a parameter or replaced by 2 methods. I have no particular opinion over which is best but it make maintanability of the rule a little easier
| private static final String REQUEST_METHOD = "method"; | ||
| public static final String MESSAGE = "Make sure allowing safe and unsafe HTTP methods is safe here."; | ||
|
|
||
| private boolean classHasSafeMethods = false; |
There was a problem hiding this comment.
We initialize these 4 new fields to false when an instance of the check is created (which should be once per module visited). But it looks like we don't reset them when moving from one file/class to another. Could we ensure to reset them when visiting a new class or entering a new file?
There was a problem hiding this comment.
For each new class (as well as for each new method) we recalculate these fields. So it shouldn't be a problem. (and as we see, corresponding sample works pretty well)
There was a problem hiding this comment.
Indeed, it looks like we properly reset he values everytime in the current implementation. However, we have had issues in the past where after rework some checks no longer reset their state properly (we no longer passed through the reset path in some cases or the check would fail with a NPE on a file and then proceed to the next file with a invalid state). So we generally would explicitly reset the state on entry of the check. If you don't mind, I would prefer that reseting the state when entering visitNode to ease debugging
dorian-burihabwa-sonarsource
left a comment
dorian-burihabwa-sonarsource
left a comment
There was a problem hiding this comment.
Thank your for the changes, I added some more comments about patterns in managing the state of checks
dorian-burihabwa-sonarsource
left a comment
dorian-burihabwa-sonarsource
left a comment
There was a problem hiding this comment.
Thanks for the quick turn aroudn, the PR LGTM!
|
2 participants
Fixed FN in case when we mix safe and unsafe methods on class and method. See SONARJAVA-5909.