优化:优化误报问题

wuhaoyang
RenFengJiang 10 months ago
parent 99060ade51
commit 10ac3cc724
  1. 7
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UserStatusVerifyChecker.java
  2. 40
      sonar-keyware-plugins-java/src/test/files/UserStatusVerifyChecker.java

@ -48,14 +48,12 @@ public class UserStatusVerifyChecker extends IssuableSubscriptionVisitor {
context.reportIssue(this, methodTree.simpleName(), "对用户进行身份鉴别并建立一个新的会话时让原来的会话失效"); context.reportIssue(this, methodTree.simpleName(), "对用户进行身份鉴别并建立一个新的会话时让原来的会话失效");
} }
}else {
context.reportIssue(this, methodTree.simpleName(), "对用户进行身份鉴别并建立一个新的会话时让原来的会话失效");
} }
} }
public static boolean verifyMethod(MethodTree methodTree) { public static boolean verifyMethod(MethodTree methodTree) {
//判断是否是doFilter或doFilter方法 //preHandle
if ("doFilter".equals(methodTree.simpleName().name()) || "doFilter".equals(methodTree.simpleName().name())) { if ("doFilter".equals(methodTree.simpleName().name()) || "preHandle".equals(methodTree.simpleName().name())) {
//获取参数 //获取参数
List<VariableTree> parameters = methodTree.parameters(); List<VariableTree> parameters = methodTree.parameters();
for (VariableTree variable : parameters) { for (VariableTree variable : parameters) {
@ -119,6 +117,5 @@ public class UserStatusVerifyChecker extends IssuableSubscriptionVisitor {
} }
} }
} }
} }
} }

@ -1,29 +1,32 @@
/* import com.fasterxml.classmate.Filter;
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.*; import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.io.IOException; import java.io.IOException;
public class ExampleServlet { public class UserStatusVerifyChecker {
private static final long serialVersionUID = 1391640560504378168L; private static final long serialVersionUID = 1391640560504378168L;
static class UserService {
public static boolean validate(String username, String password) {
return true;
}
}
public class AuthenticationFilter implements Filter { public class AuthenticationFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {// Noncompliant {{对用户进行身份鉴别并建立一个新的会话时让原来的会话失效}} public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {// Noncompliant {{对用户进行身份鉴别并建立一个新的会话时让原来的会话失效}}
// HttpServletRequest request = (HttpServletRequest) req; HttpServletRequest request = (HttpServletRequest) req;
// boolean isValidUser = false; boolean isValidUser = false;
// String username = request.getParameter("username"); // String username = request.getParameter("username");
// String password = request.getParameter("password"); // String password = request.getParameter("password");
// // 这里应通过相关业务逻辑来验证用户名和密码的准确性 // isValidUser = UserService.validate(username, password);
isValidUser = UserService.validate(username, password);
if (isValidUser) { if (isValidUser) {
HttpSession oldSession = request.getSession(false); HttpSession oldSession = request.getSession(false);
if (oldSession != null) { if (oldSession != null) {
@ -34,9 +37,14 @@ public class ExampleServlet {
newSession.setAttribute("username", username); newSession.setAttribute("username", username);
chain.doFilter(req, resp); // 继续执行下一个过滤器或请求 chain.doFilter(req, resp); // 继续执行下一个过滤器或请求
} else { } else {
request.getRequestDispatcher("/login.jsp").forward(request, resp); // 跳转到登录页面 req.getRequestDispatcher("/login.jsp").forward(req, resp); // 跳转到登录页面
} }
} }
@Override
public boolean include(Object o) {
return false;
}
} }
public class AuthenticationInterceptor extends HandlerInterceptorAdapter { public class AuthenticationInterceptor extends HandlerInterceptorAdapter {
@ -47,9 +55,9 @@ public class ExampleServlet {
String password = request.getParameter("password"); String password = request.getParameter("password");
isValidUser = UserService.validate(username, password); isValidUser = UserService.validate(username, password);
if (isValidUser) { if (isValidUser) {
HttpSession oldSession = request.getSession(false); // HttpSession oldSession = request.getSession(false);
if (oldSession != null) { if (oldSession != null) {
// oldSession.invalidate(); oldSession.invalidate();
} }
HttpSession newSession = request.getSession(true); HttpSession newSession = request.getSession(true);
newSession.setMaxInactiveInterval(30 * 60); newSession.setMaxInactiveInterval(30 * 60);

Loading…
Cancel
Save