新增准则：禁止在持久cookie中保存敏感信息，如用户名口令、历史访问记录、身份特征信息等，或进行单身散列加密处理以避免信息泄漏

10 months ago · 1fc05be08f
parent 5325a8a2ba
commit 1fc05be08f
5 changed files with 174 additions and 0 deletions
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+
+import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.tree.*;
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+
+
+import java.util.*;
+
+@Rule(key = "CookieSensitiveParameterCheck")
+public class CookieSensitiveParameterCheck extends IssuableSubscriptionVisitor {
+
+
+
+    private static final Set<String> SENSITIVE_COOKIE_PARAMS = new HashSet<>(Arrays.asList("password", "token", "secret"));
+
+    @Override
+    public List<Tree.Kind> nodesToVisit() {
+        return Arrays.asList(Tree.Kind.METHOD_INVOCATION, Tree.Kind.VARIABLE, Tree.Kind.STRING_LITERAL);
+    }
+
+    @Override
+    public void visitNode(Tree tree) {
+        if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
+            visitMethodInvocation((MethodInvocationTree) tree);
+        } else if (tree.is(Tree.Kind.VARIABLE)) {
+            visitVariable((VariableTree) tree);
+        } else if (tree.is(Tree.Kind.STRING_LITERAL)) {
+            visitStringLiteral((LiteralTree) tree);
+        }
+    }
+
+    private void visitMethodInvocation(MethodInvocationTree methodInvocation) {
+        if (isCookieConstructor(methodInvocation)) {
+            checkCookieParameters(methodInvocation);
+        }
+    }
+
+    private boolean isCookieConstructor(MethodInvocationTree methodInvocation) {
+        if (methodInvocation.methodSelect().is(Tree.Kind.MEMBER_SELECT)) {
+            MemberSelectExpressionTree memberSelect = (MemberSelectExpressionTree) methodInvocation.methodSelect();
+            return memberSelect.expression().symbolType().is("javax.servlet.http.Cookie");
+        }
+        return false;
+    }
+
+    private void visitVariable(VariableTree variableTree) {
+        ExpressionTree initializer = variableTree.initializer();
+        if (initializer != null && initializer.is(Tree.Kind.NEW_CLASS)) {
+            checkCookieParameters(variableTree, ((NewClassTree) initializer).arguments());
+        }
+    }
+
+    private void checkCookieParameters(MethodInvocationTree methodInvocation) {
+        List<? extends ExpressionTree> arguments = methodInvocation.arguments();
+        if (arguments != null && arguments.size() == 2) {
+            checkSensitiveParameter((ExpressionTree) arguments.get(0), "name", (Symbol) methodInvocation);
+            checkSensitiveParameter((ExpressionTree) arguments.get(1), "value", (Symbol) methodInvocation);
+        }
+    }
+
+    private void checkCookieParameters(VariableTree variableTree, List<? extends ExpressionTree> arguments) {
+        Symbol variableSymbol = variableTree.symbol();
+        if (arguments != null && arguments.size() == 2) {
+            checkSensitiveParameter(arguments.get(0), "name", variableSymbol);
+            checkSensitiveParameter(arguments.get(1), "value", variableSymbol);
+        }
+    }
+
+    private void checkSensitiveParameter(ExpressionTree expression, String paramName, Symbol variableSymbol) {
+        if (expression.is(Tree.Kind.IDENTIFIER) && paramName.equals("name")) {
+            String variableName = ((IdentifierTree) expression).name();
+            if (variableName.equals(variableSymbol.name()) || containsSensitiveParam(variableName)) {
+                System.out.println("Cookie参数设置中的name属性与局部变量一致: " + variableName);
+                reportIssue(expression, "Cookie参数设置中包含敏感字段");
+            }
+        } else if (expression.is(Tree.Kind.IDENTIFIER) && paramName.equals("value")) {
+            String variableName = ((IdentifierTree) expression).name();
+            if (variableName.equals(variableSymbol.name()) || containsSensitiveParam(variableName)) {
+                System.out.println("Cookie参数设置中的value属性与局部变量一致: " + variableName);
+                reportIssue(expression, "Cookie参数设置中包含敏感字段");
+            }
+        }
+    }
+
+    private void visitStringLiteral(LiteralTree literalTree) {
+        String literalValue = literalTree.value();
+        if (containsSensitiveParam(literalValue)) {
+            System.out.println("Cookie参数设置中包含敏感字段: " + literalValue);
+            reportIssue(literalTree, "Cookie参数设置中包含敏感字段");
+        }
+    }
+
+    private boolean containsSensitiveParam(String value) {
+        String lowerCaseValue = value.toLowerCase();
+        return SENSITIVE_COOKIE_PARAMS.stream().anyMatch(lowerCaseValue::contains);
+    }
+}
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.html
@ -0,0 +1,9 @@
+<p>Cookie参数设置中包含敏感字段</p>
+<h2>Cookie参数设置中包含敏感字段</h2>
+<pre>
+
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+
+</pre>
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.json
@ -0,0 +1,13 @@
+{
+  "title": "Cookie参数设置中包含敏感字段",
+  "type": "CODE_SMELL",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "28suo"
+  ],
+  "defaultSeverity": "Minor"
+}
--- a/sonar-keyware-plugins-java/src/test/files/CookieSensitiveParameterCheck.java
+++ b/sonar-keyware-plugins-java/src/test/files/CookieSensitiveParameterCheck.java
@ -0,0 +1,16 @@
+
+import javax.servlet.http.Cookie;
+
+class CookieSensitiveParameterCheck{
+
+    public void func1(){
+
+        String password = "";
+
+        Cookie invalidCookie1 = new Cookie("password", "1321"); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+        Cookie invalidCookie2 = new Cookie(password, 1); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+        Cookie invalidCookie3 = new Cookie("213", password); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+    }
+
+
+}
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheckTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheckTest.java
@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：Java 信息安全性设计准则
+ * 项目描述：用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * TODO ABCVarNameCheckerTest
+ *
+ * @author GuoXin
+ * @date 2024/1/6
+ */
+public class CookieSensitiveParameterCheckTest {
+
+    @Test
+    void detected() {
+
+        CheckVerifier.newVerifier()
+                .onFile("src/test/files/CookieSensitiveParameterCheck.java")
+                .withCheck(new CookieSensitiveParameterCheck())
+                .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+                .verifyIssues();
+    }
+}