新增准则:禁止在持久cookie中保存敏感信息,如用户名口令、历史访问记录、身份特征信息等,或进行单向散列加密处理以避免信息泄漏

wuhaoyang
wuhaoyang 10 months ago
parent 5325a8a2ba
commit 1fc05be08f
  1. 106
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
  2. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.html
  3. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.json
  4. 16
      sonar-keyware-plugins-java/src/test/files/CookieSensitiveParameterCheck.java
  5. 30
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheckTest.java

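--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheck.java
@@ -0,0 +1,106 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称Java 信息安全性设计准则
+* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
+*/
+package com.keyware.sonar.java.rules.checkers;
+import org.sonar.plugins.java.api.semantic.Symbol;
+import org.sonar.plugins.java.api.tree.*;
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import java.util.*;
+@Rule(key = "CookieSensitiveParameterCheck")
+public class CookieSensitiveParameterCheck extends IssuableSubscriptionVisitor {
+private static final Set<String> SENSITIVE_COOKIE_PARAMS = new HashSet<>(Arrays.asList("password", "token", "secret"));
+@Override
+public List<Tree.Kind> nodesToVisit() {
+return Arrays.asList(Tree.Kind.METHOD_INVOCATION, Tree.Kind.VARIABLE, Tree.Kind.STRING_LITERAL);
+}
+@Override
+public void visitNode(Tree tree) {
+if (tree.is(Tree.Kind.METHOD_INVOCATION)) {
+visitMethodInvocation((MethodInvocationTree) tree);
+} else if (tree.is(Tree.Kind.VARIABLE)) {
+visitVariable((VariableTree) tree);
+} else if (tree.is(Tree.Kind.STRING_LITERAL)) {
+visitStringLiteral((LiteralTree) tree);
+}
+}
+private void visitMethodInvocation(MethodInvocationTree methodInvocation) {
+if (isCookieConstructor(methodInvocation)) {
+checkCookieParameters(methodInvocation);
+}
+}
+private boolean isCookieConstructor(MethodInvocationTree methodInvocation) {
+if (methodInvocation.methodSelect().is(Tree.Kind.MEMBER_SELECT)) {
+MemberSelectExpressionTree memberSelect = (MemberSelectExpressionTree) methodInvocation.methodSelect();
+return memberSelect.expression().symbolType().is("javax.servlet.http.Cookie");
+}
+return false;
+}
+private void visitVariable(VariableTree variableTree) {
+ExpressionTree initializer = variableTree.initializer();
+if (initializer != null && initializer.is(Tree.Kind.NEW_CLASS)) {
+checkCookieParameters(variableTree, ((NewClassTree) initializer).arguments());
+}
+}
+private void checkCookieParameters(MethodInvocationTree methodInvocation) {
+List<? extends ExpressionTree> arguments = methodInvocation.arguments();
+if (arguments != null && arguments.size() == 2) {
+checkSensitiveParameter((ExpressionTree) arguments.get(0), "name", (Symbol) methodInvocation);
+checkSensitiveParameter((ExpressionTree) arguments.get(1), "value", (Symbol) methodInvocation);
+}
+}
+private void checkCookieParameters(VariableTree variableTree, List<? extends ExpressionTree> arguments) {
+Symbol variableSymbol = variableTree.symbol();
+if (arguments != null && arguments.size() == 2) {
+checkSensitiveParameter(arguments.get(0), "name", variableSymbol);
+checkSensitiveParameter(arguments.get(1), "value", variableSymbol);
+}
+}
+private void checkSensitiveParameter(ExpressionTree expression, String paramName, Symbol variableSymbol) {
+if (expression.is(Tree.Kind.IDENTIFIER) && paramName.equals("name")) {
+String variableName = ((IdentifierTree) expression).name();
+if (variableName.equals(variableSymbol.name()) || containsSensitiveParam(variableName)) {
+System.out.println("Cookie参数设置中的name属性与局部变量一致: " + variableName);
+reportIssue(expression, "Cookie参数设置中包含敏感字段");
+}
+} else if (expression.is(Tree.Kind.IDENTIFIER) && paramName.equals("value")) {
+String variableName = ((IdentifierTree) expression).name();
+if (variableName.equals(variableSymbol.name()) || containsSensitiveParam(variableName)) {
+System.out.println("Cookie参数设置中的value属性与局部变量一致: " + variableName);
+reportIssue(expression, "Cookie参数设置中包含敏感字段");
+}
+}
+}
+private void visitStringLiteral(LiteralTree literalTree) {
+String literalValue = literalTree.value();
+if (containsSensitiveParam(literalValue)) {
+System.out.println("Cookie参数设置中包含敏感字段: " + literalValue);
+reportIssue(literalTree, "Cookie参数设置中包含敏感字段");
+}
+}
+private boolean containsSensitiveParam(String value) {
+String lowerCaseValue = value.toLowerCase();
+return SENSITIVE_COOKIE_PARAMS.stream().anyMatch(lowerCaseValue::contains);
+}
+}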
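Review bot: The two `(Symbol) methodInvocation` casts in `checkCookieParameters(MethodInvocationTree)` throw ClassCastException at analysis time, because a `MethodInvocationTree` is not a `Symbol`, and every two-argument call on a `Cookie` receiver reaches them since `isCookieConstructor` only tests the receiver's type, never the method name. `visitVariable` has the mirror gap: it never checks that the `NEW_CLASS` initializer is a `javax.servlet.http.Cookie`, so `new User(name, password)` is reported as a cookie write, and `visitStringLiteral` reports every string literal in the file containing "password"/"token"/"secret" whether or not a cookie is involved — `Tree.Kind.STRING_LITERAL` should be dropped from `nodesToVisit()` and literals checked only as cookie arguments. The `System.out.println` debug lines should also go before this ships, as they write variable names from analysed code into the analyzer's stdout. A minimal fix gates both paths on the Cookie type and passes the invoked method's symbol (`methodSymbol()`, or `symbol()` on older plugin APIs) instead of the tree:
```java
private void visitVariable(VariableTree variableTree) {
    ExpressionTree initializer = variableTree.initializer();
    // only a javax.servlet.http.Cookie constructor is a cookie write; any other two-arg constructor is not
    if (initializer != null && initializer.is(Tree.Kind.NEW_CLASS)
        && initializer.symbolType().is("javax.servlet.http.Cookie")) {
        checkCookieParameters(variableTree, ((NewClassTree) initializer).arguments());
    }
}
private void checkCookieParameters(MethodInvocationTree methodInvocation) {
    List<? extends ExpressionTree> arguments = methodInvocation.arguments();
    if (arguments.size() == 2) {
        // the invoked method's symbol, not the tree: a MethodInvocationTree is not a Symbol
        Symbol invoked = methodInvocation.methodSymbol();
        checkSensitiveParameter(arguments.get(0), "name", invoked);
        checkSensitiveParameter(arguments.get(1), "value", invoked);
    }
}
// … unchanged: checkCookieParameters(VariableTree, …), checkSensitiveParameter, containsSensitiveParam …
```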

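--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.html
@@ -0,0 +1,9 @@
+<p>Cookie参数设置中包含敏感字段</p>
+<h2>Cookie参数设置中包含敏感字段</h2>
+<pre>
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+</pre>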

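--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/CookieSensitiveParameterCheck.json
@@ -0,0 +1,13 @@
+{
+"title": "Cookie参数设置中包含敏感字段",
+"type": "CODE_SMELL",
+"status": "ready",
+"remediation": {
+"func": "Constant\/Issue",
+"constantCost": "5min"
+},
+"tags": [
+"28suo"
+],
+"defaultSeverity": "Minor"
+}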
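Review bot: `"type": "CODE_SMELL"` with `"defaultSeverity": "Minor"` understates what this rule reports — a credential or token placed in a cookie is a confidentiality defect (CWE-315, cleartext storage of sensitive information in a cookie), and users who filter SonarQube on Vulnerabilities or Security Hotspots will never see it. Consider `"type": "VULNERABILITY"` and `"defaultSeverity": "Major"`, plus a `"cwe"` or `"security"` tag next to `"28suo"` so the rule appears in the security reports. Given that the matching is a substring heuristic on password/token/secret, `SECURITY_HOTSPOT` is the honest choice if the false-positive rate stays high, since hotspots are presented for review rather than as confirmed findings.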

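--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/CookieSensitiveParameterCheck.java
@@ -0,0 +1,16 @@
+import javax.servlet.http.Cookie;
+class CookieSensitiveParameterCheck{
+public void func1(){
+String password = "";
+Cookie invalidCookie1 = new Cookie("password", "1321"); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+Cookie invalidCookie2 = new Cookie(password, 1); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+Cookie invalidCookie3 = new Cookie("213", password); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+}
+}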
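Review bot: `new Cookie(password, 1)` on the second Noncompliant line matches no `javax.servlet.http.Cookie` constructor (only `Cookie(String, String)` exists), so the fixture only passes because the check never looks at the constructor's type; once the check is tightened to real Cookie constructors this line stops being reported for the intended reason. Change it to `Cookie invalidCookie2 = new Cookie(password, "1"); // Noncompliant {{Cookie参数设置中包含敏感字段}}`. The fixture also has no compliant line, so the rule's file-wide string-literal matching is never tested against a negative case — a `String label = "password"; // Compliant` outside any cookie call and a `Cookie ok = new Cookie("session", id); // Compliant` would pin the false-positive boundary, and the first of these will fail against the check as currently written.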

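--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/CookieSensitiveParameterCheckTest.java
@@ -0,0 +1,30 @@
+/*
+* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+* 项目名称Java 信息安全性设计准则
+* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
+* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
+*/
+package com.keyware.sonar.java.rules.checkers;
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+/**
+ * TODO ABCVarNameCheckerTest
+ *
+ * @author GuoXin
+ * @date 2024/1/6
+ */
+public class CookieSensitiveParameterCheckTest {
+@Test
+void detected() {
+CheckVerifier.newVerifier()
+.onFile("src/test/files/CookieSensitiveParameterCheck.java")
+.withCheck(new CookieSensitiveParameterCheck())
+.withClassPath(FilesUtils.getClassPath("target/test-jars"))
+.verifyIssues();
+}
+}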
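Review bot: The class Javadoc `TODO ABCVarNameCheckerTest` with its author and date was copied from another test and says nothing about this class; replace it with `/** Runs {@link CookieSensitiveParameterCheck} against src/test/files/CookieSensitiveParameterCheck.java and verifies the expected issues. */`. The only test is `verifyIssues()` over a fixture made entirely of Noncompliant lines, so over-reporting — the likelier failure mode for a name-substring heuristic — is never exercised; a second test calling `.verifyNoIssues()` on a compliant fixture (cookies with non-sensitive names and values, and unrelated string literals) would catch it.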