新增准则:在构建路径名前对输入数据进行验证,确保外部输入仅包含允许构成路径名的字符或限制允许访问的目录

wuhaoyang
wuhaoyang 10 months ago
parent 34d97c1d39
commit 1e51d83973
  1. 4
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
  2. 93
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheck.java
  3. 0
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.html
  4. 0
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetectorChecker.json
  5. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.html
  6. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PathAndKeywordCheck.json
  7. 10
      sonar-keyware-plugins-java/src/test/files/PathAndKeywordCheck.java
  8. 32
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PathAndKeywordCheckTest.java

@ -8,6 +8,7 @@ package com.keyware.sonar.java.rules;
import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker;
import com.keyware.sonar.java.rules.checkers.PathAndKeywordCheck;
import org.sonar.plugins.java.api.JavaCheck;
import java.util.ArrayList;
@ -33,7 +34,8 @@ public final class RulesList {
public static List<Class<? extends JavaCheck>> getJavaChecks() {
return Collections.unmodifiableList(Arrays.asList(
ABCVarNameChecker.class,
AbsolutePathDetectorChecker.class
AbsolutePathDetectorChecker.class,
PathAndKeywordCheck.class
/*SpringControllerRequestMappingEntityRule.class,
AvoidAnnotationRule.class,
AvoidBrandInMethodNamesRule.class,

@ -0,0 +1,93 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
/**
* 在构建路径名前对输入数据进行验证确保外部输入仅包含允许构成路径名的字符或限制允许访问的目录
*
* @author WuHaoYang
* @date 2024/1/9
*/
@Rule(key = "PathAndKeywordCheck")
public class PathAndKeywordCheck extends IssuableSubscriptionVisitor {
private static final Set<String> TARGET_CLASS_NAMES = new HashSet<>(Arrays.asList("URL","URI","File"));
@Override
public List<Tree.Kind> nodesToVisit() {
return Arrays.asList(Tree.Kind.NEW_CLASS);
}
@Override
public void visitNode(Tree tree) {
if (tree.is(Tree.Kind.NEW_CLASS)) {
NewClassTree newClassTree = (NewClassTree) tree;
String className = newClassTree.symbolType().name();
if (TARGET_CLASS_NAMES.contains(className)) {
checkAndReportIssueIfRequired(newClassTree);
}
}
}
private void checkAndReportIssueIfRequired(NewClassTree newClassTree) {
Tree parent = findEnclosingMethod(newClassTree);
if (parent != null && parent.is(Tree.Kind.METHOD)) {
MethodTree methodTree = (MethodTree) parent;
methodTree.parameters().forEach(parameter -> {
if (parameter.type() != null) {
String parameterType = parameter.type().symbolType().name();
if (parameterType.equals("String")) { // 这里假设你关心的参数类型是 String
String className = newClassTree.symbolType().name();
if (TARGET_CLASS_NAMES.contains(className)) {
// 获取构造方法的参数
List<ExpressionTree> arguments = newClassTree.arguments();
if (!arguments.isEmpty()) {
ExpressionTree firstArgument = arguments.get(0);
String constructorArgument = getArgumentValue(firstArgument);
// 获取方法的入参名称
String parameterName = parameter.simpleName().name();
if (constructorArgument != null && constructorArgument.equals(parameterName)) {
System.out.println("避免在参数中使用 " + className + " 对象的构造方法的参数:" + parameterName);
reportIssue(newClassTree, "避免在参数中使用禁止的关键字");
}
}
}
}
}
});
}
}
private String getArgumentValue(ExpressionTree argument) {
if (argument.is(Tree.Kind.STRING_LITERAL)) {
return ((LiteralTree) argument).value();
} else if (argument.is(Tree.Kind.IDENTIFIER)) {
return ((IdentifierTree) argument).name();
}
return null;
}
private Tree findEnclosingMethod(Tree tree) {
while (tree != null && !tree.is(Tree.Kind.METHOD)) {
tree = tree.parent();
}
return tree;
}
}

@ -0,0 +1,9 @@
<p>避免在参数中使用禁止的关键字</p>
<h2>避免在参数中使用禁止的关键字</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

@ -0,0 +1,13 @@
{
"title": "避免在参数中使用禁止的关键字",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}

@ -0,0 +1,10 @@
class PathAndKeywordCheckRule {
public void getParameter(String arg) {
URL url = new URL(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
URI url = new URI(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
File url = new File(arg);// Noncompliant {{避免在参数中使用禁止的关键字}}
}
}

@ -0,0 +1,32 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;/*
*@title PathAndKeywordCheckTest
*@description
*@author Admin
*@version 1.0
*@create 2024/1/9 15:26
*/
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier;
public class PathAndKeywordCheckTest {
@Test
void detected() {
PathAndKeywordCheck rule = new PathAndKeywordCheck();
CheckVerifier.newVerifier()
.onFile("src/test/files/PathAndKeywordCheck.java")
.withCheck(rule)
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssues();
}
}
Loading…
Cancel
Save