From 1e51d83973aea142af12bcde1041b32c3e7553e0 Mon Sep 17 00:00:00 2001 
From: wuhaoyang <2507865306@qq.com> Date: Wed, 10 Jan 2024 18:07:57 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9A?= =?UTF-8?q?=E5=9C=A8=E6=9E=84=E5=BB=BA=E8=B7=AF=E5=BE=84=E5=90=8D=E5=89=8D?= =?UTF-8?q?=E5=AF=B9=E8=BE=93=E5=85=A5=E6=95=B0=E6=8D=AE=E8=BF=9B=E8=A1=8C?= =?UTF-8?q?=E9=AA=8C=E8=AF=81=EF=BC=8C=E7=A1=AE=E4=BF=9D=E5=A4=96=E9=83=A8?= =?UTF-8?q?=E8=BE=93=E5=85=A5=E4=BB=85=E5=8C=85=E5=90=AB=E5=85=81=E8=AE=B8?= =?UTF-8?q?=E6=9E=84=E6=88=90=E8=B7=AF=E5=BE=84=E5=90=8D=E7=9A=84=E5=AD=97?= =?UTF-8?q?=E7=AC=A6=E6=88=96=E9=99=90=E5=88=B6=E5=85=81=E8=AE=B8=E8=AE=BF?= =?UTF-8?q?=E9=97=AE=E7=9A=84=E7=9B=AE=E5=BD=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../keyware/sonar/java/rules/RulesList.java | 4 +- .../rules/checkers/PathAndKeywordCheck.java | 93 +++++++++++++++++++ ....html => AbsolutePathDetectorChecker.html} | 0 ....json => AbsolutePathDetectorChecker.json} | 0 .../java/rules/java/PathAndKeywordCheck.html | 9 ++ .../java/rules/java/PathAndKeywordCheck.json | 13 +++ .../src/test/files/PathAndKeywordCheck.java | 10 ++ .../checkers/PathAndKeywordCheckTest.java | 32 +++++++ 8 files changed, 160 insertions(+), 1 deletion(-) create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java rename sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/{AbsolutePathDetector.html => AbsolutePathDetectorChecker.html} (100%) rename sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/{AbsolutePathDetector.json => AbsolutePathDetectorChecker.json} (100%) create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json create mode 100644 sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java create 
mode 100644 sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
index 5d3cf71..b77dea8 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
@@ -8,6 +8,7 @@ package com.keyware.sonar.java.rules;
 import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
 import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker;
+import com.keyware.sonar.java.rules.checkers.PathAndKeywordCheck;
 import org.sonar.plugins.java.api.JavaCheck;
 import java.util.ArrayList;
@@ -33,7 +34,8 @@ public final class RulesList {
 public static List> getJavaChecks() {
 return Collections.unmodifiableList(Arrays.asList(
 ABCVarNameChecker.class,
- AbsolutePathDetectorChecker.class
+ AbsolutePathDetectorChecker.class,
+ PathAndKeywordCheck.class
 /*SpringControllerRequestMappingEntityRule.class,
 AvoidAnnotationRule.class,
 AvoidBrandInMethodNamesRule.class,
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java
new file mode 100644
index 0000000..31038a1
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.*;
+
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * 在构建路径名前对输入数据进行验证,确保外部输入仅包含允许构成路径名的字符或限制允许访问的目录
+ *
+ * @author WuHaoYang
+ * @date 2024/1/9
+ */
+@Rule(key = "PathAndKeywordCheck")
+public class PathAndKeywordCheck extends IssuableSubscriptionVisitor {
+
+ private static final Set TARGET_CLASS_NAMES = new HashSet<>(Arrays.asList("URL","URI","File"));
+
+ @Override
+ public List nodesToVisit() {
+ return Arrays.asList(Tree.Kind.NEW_CLASS);
+ }
+
+ @Override
+ public void visitNode(Tree tree) {
+ if (tree.is(Tree.Kind.NEW_CLASS)) {
+ NewClassTree newClassTree = (NewClassTree) tree;
+ String className = newClassTree.symbolType().name();
+
+ if (TARGET_CLASS_NAMES.contains(className)) {
+ checkAndReportIssueIfRequired(newClassTree);
+ }
+ }
+ }
+
+ private void checkAndReportIssueIfRequired(NewClassTree newClassTree) {
+ Tree parent = findEnclosingMethod(newClassTree);
+ if (parent != null && parent.is(Tree.Kind.METHOD)) {
+ MethodTree methodTree = (MethodTree) parent;
+ methodTree.parameters().forEach(parameter -> {
+ if (parameter.type() != null) {
+ String parameterType = parameter.type().symbolType().name();
+ if (parameterType.equals("String")) { // 这里假设你关心的参数类型是 String
+ String className = newClassTree.symbolType().name();
+ if (TARGET_CLASS_NAMES.contains(className)) {
+ // 获取构造方法的参数
+ List arguments = newClassTree.arguments();
+ if (!arguments.isEmpty()) {
+ ExpressionTree firstArgument = arguments.get(0);
+ String constructorArgument = getArgumentValue(firstArgument);
+
+ // 获取方法的入参名称
+ String parameterName = parameter.simpleName().name();
+
+ if (constructorArgument != null && constructorArgument.equals(parameterName)) {
+ System.out.println("避免在参数中使用 " + className + " 对象的构造方法的参数:" + parameterName);
+ reportIssue(newClassTree, "避免在参数中使用禁止的关键字");
+ }
+ }
+ }
+ }
+ }
+ });
+ }
+ }
+
+ private String getArgumentValue(ExpressionTree argument) {
+ if (argument.is(Tree.Kind.STRING_LITERAL)) {
+ return ((LiteralTree) argument).value();
+ } else if (argument.is(Tree.Kind.IDENTIFIER)) {
+ return ((IdentifierTree) argument).name();
+ }
+ return null;
+ }
+
+ private Tree findEnclosingMethod(Tree tree) {
+ while (tree != null && !tree.is(Tree.Kind.METHOD)) {
+ tree = tree.parent();
+ }
+ return tree;
+ }
+}
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.html
similarity index 100%
rename from sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.html
rename to sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.html
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.json
similarity index 100%
rename from sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.json
rename to sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.json
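Review bot: In checkAndReportIssueIfRequired the match is by name only (`constructorArgument.equals(parameterName)`) and only against the first constructor argument (`arguments.get(0)`), so a local variable that happens to share the parameter's name is reported while `new File(baseDir, arg)` or `new File(arg.trim())` is not; comparing `((IdentifierTree) argument).symbol()` with `parameter.symbol()` over every argument removes both the false positive and the first-argument gap. The `STRING_LITERAL` branch of getArgumentValue can then go, since `LiteralTree.value()` carries the literal's quotes and can never equal a parameter name, and the `System.out.println` debug line should not ship in a plugin. `symbolType().name()` is a simple name, so any class called `File` or `URL` matches; `symbolType().fullyQualifiedName()` against `java.io.File`, `java.net.URL` and `java.net.URI` is the precise test, and the second `TARGET_CLASS_NAMES.contains(className)` inside the lambda repeats the one already done in visitNode. The rewritten inner block is sketched below; the enclosing-method lookup and the `parameterType.equals("String")` guard are unchanged.
```java
    private void checkAndReportIssueIfRequired(NewClassTree newClassTree) {
        // … unchanged: findEnclosingMethod lookup, parameters().forEach, String-type filter …
                    for (ExpressionTree argument : newClassTree.arguments()) {
                        // Compare symbols, not names, so a local shadowing the parameter is not
                        // reported, and inspect every argument rather than only the first one.
                        if (argument.is(Tree.Kind.IDENTIFIER)
                                && ((IdentifierTree) argument).symbol().equals(parameter.symbol())) {
                            reportIssue(newClassTree, "避免在参数中使用禁止的关键字");
                            break;
                        }
                    }
        // … unchanged: closing braces of the lambda and the method …
```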
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html
new file mode 100644
index 0000000..c424107
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html
@@ -0,0 +1,9 @@
+

避免在参数中使用禁止的关键字

+

避免在参数中使用禁止的关键字

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json
new file mode 100644
index 0000000..d9c08e0
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json
@@ -0,0 +1,13 @@
+{
+ "title": "避免在参数中使用禁止的关键字",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Minor"
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java b/sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java
new file mode 100644
index 0000000..3759f31
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java
@@ -0,0 +1,10 @@
+
+class PathAndKeywordCheckRule {
+
+
+ public void getParameter(String arg) {
+ URL url = new URL(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
+ URI url = new URI(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
+ File url = new File(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
+ }
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java
new file mode 100644
index 0000000..189675c
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java
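Review bot: PathAndKeywordCheck.json registers the rule as `"type": "CODE_SMELL"` with `"defaultSeverity": "Minor"`, although what it flags is a path built from an unvalidated method parameter, which is a security property rather than a maintainability one; `"type": "VULNERABILITY"` would file it under Security in the SonarQube UI. The `"title"` also just repeats the issue message; a title that names the condition, along the lines of "Validate external input before building a path name", reads better in the rule list.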
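Review bot: The fixture src/test/files/PathAndKeywordCheck.java declares three locals all named `url` and never imports `URL`, `URI` or `File`, so it is not valid Java and the types may not resolve to the simple names the check compares against; give the locals distinct names and add `import java.net.URL;`, `import java.net.URI;` and `import java.io.File;`. Whether CheckVerifier still reports the three expected issues on an unresolvable fixture is not visible from here. The fixture only has noncompliant lines; a compliant case such as a constructor built from a validated local or a literal would guard the rule against over-reporting.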
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;/*
+ *@title PathAndKeywordCheckTest
+ *@description
+ *@author Admin
+ *@version 1.0
+ *@create 2024/1/9 15:26
+ */
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+public class PathAndKeywordCheckTest {
+
+ @Test
+ void detected() {
+ PathAndKeywordCheck rule = new PathAndKeywordCheck();
+
+
+ CheckVerifier.newVerifier()
+ .onFile("src/test/files/PathAndKeywordCheck.java")
+ .withCheck(rule)
+ .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+ .verifyIssues();
+ }
+}
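Review bot: The IDE template comment glued to the package statement (`package com.keyware.sonar.java.rules.checkers;/*` with an empty `@description` and `@author Admin`) carries no information and should be dropped or replaced by a one-line class Javadoc such as `/** Verifies PathAndKeywordCheck against src/test/files/PathAndKeywordCheck.java. */`. The test only calls `verifyIssues()`; once the fixture gains a compliant case, a second test using `verifyNoIssues()` on a separate fixture would pin the rule's negative behaviour as well.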