新增准则：在构建路径名前对输入数据进行验证，确保外部输入仅包含允许构成路径名的字符或限制允许访问的目录

10 months ago · 1e51d83973
parent 34d97c1d39
commit 1e51d83973
8 changed files with 160 additions and 1 deletions
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
@ -8,6 +8,7 @@ package com.keyware.sonar.java.rules;
 import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
 import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker;
 import com.keyware.sonar.java.rules.checkers.PathAndKeywordCheck;
 import org.sonar.plugins.java.api.JavaCheck;
 import java.util.ArrayList;
@ -33,7 +34,8 @@ public final class RulesList {
    public static List<Class<? extends JavaCheck>> getJavaChecks() {
        return Collections.unmodifiableList(Arrays.asList(
                ABCVarNameChecker.class,
-                AbsolutePathDetectorChecker.class
+                AbsolutePathDetectorChecker.class,
                PathAndKeywordCheck.class
                /*SpringControllerRequestMappingEntityRule.class,
                AvoidAnnotationRule.class,
                AvoidBrandInMethodNamesRule.class,
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java
@ -0,0 +1,93 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：Java 信息安全性设计准则
 * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.java.rules.checkers;
 import org.sonar.check.Rule;
 import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
 import org.sonar.plugins.java.api.tree.*;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 /**
 * 在构建路径名前对输入数据进行验证，确保外部输入仅包含允许构成路径名的字符或限制允许访问的目录
 *
 * @author WuHaoYang
 * @date 2024/1/9
 */
@Rule(key = "PathAndKeywordCheck")
 public class PathAndKeywordCheck extends IssuableSubscriptionVisitor {
    private static final Set<String> TARGET_CLASS_NAMES = new HashSet<>(Arrays.asList("URL","URI","File"));
    @Override
    public List<Tree.Kind> nodesToVisit() {
        return Arrays.asList(Tree.Kind.NEW_CLASS);
    }
    @Override
    public void visitNode(Tree tree) {
        if (tree.is(Tree.Kind.NEW_CLASS)) {
            NewClassTree newClassTree = (NewClassTree) tree;
            String className = newClassTree.symbolType().name();
            if (TARGET_CLASS_NAMES.contains(className)) {
                checkAndReportIssueIfRequired(newClassTree);
            }
        }
    }
    private void checkAndReportIssueIfRequired(NewClassTree newClassTree) {
        Tree parent = findEnclosingMethod(newClassTree);
        if (parent != null && parent.is(Tree.Kind.METHOD)) {
            MethodTree methodTree = (MethodTree) parent;
            methodTree.parameters().forEach(parameter -> {
                if (parameter.type() != null) {
                    String parameterType = parameter.type().symbolType().name();
                    if (parameterType.equals("String")) { // 这里假设你关心的参数类型是 String
                        String className = newClassTree.symbolType().name();
                        if (TARGET_CLASS_NAMES.contains(className)) {
                            // 获取构造方法的参数
                            List<ExpressionTree> arguments = newClassTree.arguments();
                            if (!arguments.isEmpty()) {
                                ExpressionTree firstArgument = arguments.get(0);
                                String constructorArgument = getArgumentValue(firstArgument);
                                // 获取方法的入参名称
                                String parameterName = parameter.simpleName().name();
                                if (constructorArgument != null && constructorArgument.equals(parameterName)) {
                                    System.out.println("避免在参数中使用 " + className + " 对象的构造方法的参数：" + parameterName);
                                    reportIssue(newClassTree, "避免在参数中使用禁止的关键字");
                                }
                            }
                        }
                    }
                }
            });
        }
    }
    private String getArgumentValue(ExpressionTree argument) {
        if (argument.is(Tree.Kind.STRING_LITERAL)) {
            return ((LiteralTree) argument).value();
        } else if (argument.is(Tree.Kind.IDENTIFIER)) {
            return ((IdentifierTree) argument).name();
        }
        return null;
    }
    private Tree findEnclosingMethod(Tree tree) {
        while (tree != null && !tree.is(Tree.Kind.METHOD)) {
            tree = tree.parent();
        }
        return tree;
    }
 }
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.html
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.json
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html
@ -0,0 +1,9 @@
 <p>避免在参数中使用禁止的关键字</p>
 <h2>避免在参数中使用禁止的关键字</h2>
 <pre>
 </pre>
 <h2>合规解决方案</h2>
 <pre>
 </pre>
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json
@ -0,0 +1,13 @@
 {
  "title": "避免在参数中使用禁止的关键字",
  "type": "CODE_SMELL",
  "status": "ready",
  "remediation": {
    "func": "Constant\/Issue",
    "constantCost": "5min"
  },
  "tags": [
    "28suo"
  ],
  "defaultSeverity": "Minor"
 }
--- a/sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java
+++ b/sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java
@ -0,0 +1,10 @@
 class PathAndKeywordCheckRule {
    public void getParameter(String arg) {
        URL url = new URL(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
        URI url = new URI(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
        File url = new File(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
    }
 }
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java
@ -0,0 +1,32 @@
 /*
 * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
 * 项目名称：Java 信息安全性设计准则
 * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
 * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
 */
 package com.keyware.sonar.java.rules.checkers;/*
 *@title PathAndKeywordCheckTest
 *@description
 *@author Admin
 *@version 1.0
 *@create 2024/1/9 15:26
 */
 import com.keyware.sonar.java.utils.FilesUtils;
 import org.junit.jupiter.api.Test;
 import org.sonar.java.checks.verifier.CheckVerifier;
 public class PathAndKeywordCheckTest {
    @Test
    void detected() {
        PathAndKeywordCheck rule = new PathAndKeywordCheck();
        CheckVerifier.newVerifier()
                .onFile("src/test/files/PathAndKeywordCheck.java")
                .withCheck(rule)
                .withClassPath(FilesUtils.getClassPath("target/test-jars"))
                .verifyIssues();
    }
 }