From 10ac3cc724e755b95ea2d173fde639393817bef6 Mon Sep 17 00:00:00 2001 From: RenFengJiang <1111> Date: Fri, 26 Jan 2024 18:48:42 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=EF=BC=9A=E4=BC=98=E5=8C=96?= =?UTF-8?q?=E8=AF=AF=E6=8A=A5=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../checkers/UserStatusVerifyChecker.java | 7 +--- .../test/files/UserStatusVerifyChecker.java | 40 +++++++++++-------- 2 files changed, 26 insertions(+), 21 deletions(-) diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UserStatusVerifyChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UserStatusVerifyChecker.java index 40e953a..13a430b 100644 --- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UserStatusVerifyChecker.java +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UserStatusVerifyChecker.java @@ -48,14 +48,12 @@ public class UserStatusVerifyChecker extends IssuableSubscriptionVisitor { context.reportIssue(this, methodTree.simpleName(), "对用户进行身份鉴别并建立一个新的会话时让原来的会话失效"); } - }else { - context.reportIssue(this, methodTree.simpleName(), "对用户进行身份鉴别并建立一个新的会话时让原来的会话失效"); } } public static boolean verifyMethod(MethodTree methodTree) { - //判断是否是doFilter或doFilter方法 - if ("doFilter".equals(methodTree.simpleName().name()) || "doFilter".equals(methodTree.simpleName().name())) { + //preHandle + if ("doFilter".equals(methodTree.simpleName().name()) || "preHandle".equals(methodTree.simpleName().name())) { //获取参数 List parameters = methodTree.parameters(); for (VariableTree variable : parameters) { @@ -119,6 +117,5 @@ public class UserStatusVerifyChecker extends IssuableSubscriptionVisitor { } } } - } } 
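Review bot: The replacement comment `//preHandle` on the new `if` in verifyMethod says less than the condition it sits above; the check now accepts two distinct entry points (the servlet `Filter.doFilter` and the Spring `HandlerInterceptor.preHandle`), and the comment should say why they are grouped, e.g. `// Authentication entry points: servlet Filter.doFilter and Spring HandlerInterceptor.preHandle; matched by simple name only, the declaring type is not checked`. That name-only matching means any method called doFilter or preHandle in any class is examined, which is worth recording for whoever tunes the rule later. Style-wise the duplicated `methodTree.simpleName().name()` call could be hoisted into a local, `String name = methodTree.simpleName().name(); if ("doFilter".equals(name) || "preHandle".equals(name)) {`. The removed `else` branch also drops the report for the false case of the condition above it; that enclosing visitor method starts before the hunk, so I cannot see which case that is, but a fixture covering it would guard against the false-positive fix becoming a false negative.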
diff --git a/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java b/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java
index df914f4..cbe3d82 100644
--- a/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java
@@ -1,29 +1,32 @@ -/* - * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. - * 项目名称:信息安全性设计准则检查插件 - * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 - * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 - */ - +import com.fasterxml.classmate.Filter; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; -import javax.servlet.*; +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import java.io.IOException; -public class ExampleServlet { +public class UserStatusVerifyChecker { + private static final long serialVersionUID = 1391640560504378168L; + static class UserService { + public static boolean validate(String username, String password) { + return true; + } + } + public class AuthenticationFilter implements Filter { public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {// Noncompliant {{对用户进行身份鉴别并建立一个新的会话时让原来的会话失效}} -// HttpServletRequest request = (HttpServletRequest) req; -// boolean isValidUser = false; + HttpServletRequest request = (HttpServletRequest) req; + boolean isValidUser = false; // String username = request.getParameter("username"); // String password = request.getParameter("password"); -// // 这里应通过相关业务逻辑来验证用户名和密码的准确性 - isValidUser = UserService.validate(username, password); +// isValidUser = UserService.validate(username, password); if (isValidUser) { HttpSession oldSession = request.getSession(false); if (oldSession != null) { 
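Review bot: `import com.fasterxml.classmate.Filter;` makes AuthenticationFilter implement ClassMate's Filter rather than the servlet one that the dropped `javax.servlet.*` import used to supply, which is why the next hunk has to add an `include(Object)` override; the fixture no longer models a servlet filter and pulls an unrelated library onto the test classpath. `import javax.servlet.Filter;` next to the other javax.servlet imports, with the `include` override removed, would keep the sample faithful to the pattern the rule is meant to catch. Separately, on the new side of doFilter `username` and `password` exist only in commented-out lines, while `newSession.setAttribute("username", username);` further down (context in the next hunk) still uses `username`, so the sample carries an unresolved symbol; if the checker works on method names only, as the first hunk suggests, it will tolerate that, but uncommenting the two declarations and the `UserService.validate` call would keep the fixture a compilable example. The `serialVersionUID` field on a class that is not Serializable is noise and could be dropped.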
@@ -34,9 +37,14 @@ public class ExampleServlet { newSession.setAttribute("username", username); chain.doFilter(req, resp); // 继续执行下一个过滤器或请求 } else { - request.getRequestDispatcher("/login.jsp").forward(request, resp); // 跳转到登录页面 + req.getRequestDispatcher("/login.jsp").forward(req, resp); // 跳转到登录页面 } } + + @Override + public boolean include(Object o) { + return false; + } } public class AuthenticationInterceptor extends HandlerInterceptorAdapter { @@ -47,9 +55,9 @@ public class ExampleServlet { String password = request.getParameter("password"); isValidUser = UserService.validate(username, password); if (isValidUser) { - HttpSession oldSession = request.getSession(false); +// HttpSession oldSession = request.getSession(false); if (oldSession != null) { -// oldSession.invalidate(); + oldSession.invalidate(); } HttpSession newSession = request.getSession(true); newSession.setMaxInactiveInterval(30 * 60);
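Review bot: On the new side of the interceptor's preHandle, `oldSession` is no longer declared (the `HttpSession oldSession = request.getSession(false);` line is commented out) while `if (oldSession != null) { oldSession.invalidate(); }` stays, so the sample references an undefined variable. If the intent is a case where invalidate() is called without the old session first being fetched via getSession(false), make that explicit with a declaration the rule can still see, e.g. `HttpSession oldSession = null; // intentionally not obtained via getSession(false)`, and record the expectation with a `// Noncompliant` marker or its absence on the method. The preHandle signature and any marker on it are outside the hunk, so I cannot tell which outcome the fixture expects.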