新增准则:通过用户名口令、数据证书等其他手段对用户身份进行验证。

wuhaoyang
wuhaoyang 10 months ago
parent f04961c259
commit 338b45a24d
  1. 109
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AuthenticationChecker.java
  2. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.html
  3. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AuthenticationChecker.json
  4. 22
      sonar-keyware-plugins-java/src/test/files/AuthenticationChecker.java
  5. 32
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AuthenticationCheckerTest.java

@ -0,0 +1,109 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.model.DefaultModuleScannerContext;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.ModuleScannerContext;
import org.sonar.plugins.java.api.internal.EndOfAnalysis;
import org.sonar.plugins.java.api.tree.*;
import java.util.*;
/**
* TODO 通过用户名口令数据证书等其他手段对用户身份进行验证
* AuthenticationChecker
*
* @author WuHaoYang
* @date 2024/1/23
*/
@Rule(key = "AuthenticationChecker")
public class AuthenticationChecker extends IssuableSubscriptionVisitor implements EndOfAnalysis {
private static final Set<String> VALID_PATHS = new HashSet<>(Arrays.asList("/login", "/auto","signin"));
private boolean isValidPathFound = false;
@Override
public List<Tree.Kind> nodesToVisit() {
return Collections.singletonList(Tree.Kind.METHOD);
}
@Override
public void visitNode(Tree tree) {
MethodTree methodTree = (MethodTree) tree;
for (AnnotationTree annotation : methodTree.modifiers().annotations()) {
if (isWebAnnotation(annotation)) {
if (checkAnnotationArguments(annotation)) {
isValidPathFound = true;
break;
}
}
}
}
private boolean isWebAnnotation(AnnotationTree annotation) {
TypeTree typeTree = annotation.annotationType();
return "PostMapping".equals(typeTree.toString()) || "RequestMapping".equals(typeTree.toString());
}
private boolean checkAnnotationArguments(AnnotationTree annotation) {
for (ExpressionTree arg : annotation.arguments()) {
if (arg.is(Tree.Kind.ASSIGNMENT)) {
AssignmentExpressionTree aet = (AssignmentExpressionTree) arg;
IdentifierTree it = (IdentifierTree) aet.variable();
if ("value".equals(it.name())) {
if (aet.expression().is(Tree.Kind.NEW_ARRAY)) {
NewArrayTree nat = (NewArrayTree) aet.expression();
for (ExpressionTree et : nat.initializers()) {
LiteralTree lt = (LiteralTree) et;
System.out.println(lt.value().toString());
if (checkUrl(lt.value().toString())) {
return true;
}
}
} else if (aet.expression().is(Tree.Kind.STRING_LITERAL)) {
LiteralTree lt = (LiteralTree) aet.expression();
System.out.println(lt.value().toString());
if (checkUrl(lt.value().toString())) {
return true;
}
}
}
} else if (arg.is(Tree.Kind.STRING_LITERAL)) {
LiteralTree lt = (LiteralTree) arg;
System.out.println(lt.value().toString());
if (checkUrl(lt.value().toString())) {
return true;
}
}
}
return false;
}
private boolean checkUrl(String url) {
for (String validPath : VALID_PATHS) {
if (url.endsWith(validPath) || url.contains(validPath)) {
return true;
}
}
return false;
}
@Override
public void endOfAnalysis(ModuleScannerContext context) {
var defaultContext = (DefaultModuleScannerContext) context;
if (!isValidPathFound) {
System.out.println("应通过用户名口令、数据证书等其他手段对用户身份进行验证");
defaultContext.addIssueOnProject(this, "应通过用户名口令、数据证书等其他手段对用户身份进行验证");
}
}
}
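Review bot: The `NewArrayTree` branch of `checkAnnotationArguments` casts every initializer to `LiteralTree` without checking its kind, so an annotation such as `@PostMapping(value = {LOGIN_PATH})` that references a constant throws a `ClassCastException` and aborts the scan instead of being skipped; guard it the way the sibling branches do, `if (et.is(Tree.Kind.STRING_LITERAL) && checkUrl(((LiteralTree) et).value())) { return true; }`. The `System.out.println` calls before each `checkUrl` and in `endOfAnalysis` look like leftover debugging output and should be removed or routed through the plugin's logger. In `checkUrl`, `url.contains(validPath)` already covers `url.endsWith(validPath)`, so the disjunction reduces to the `contains` test; `VALID_PATHS` itself mixes `"/login"` with the slash-less `"signin"` and contains `"/auto"`, which may be a typo for `"/auth"`, so the intended list is worth confirming. Because matching uses `typeTree.toString()` against the simple name and only the `value` attribute, a fully qualified `@org.springframework.web.bind.annotation.PostMapping` or a mapping declared via the `path` alias is not recognised and would yield a spurious project-level issue; a class-level comment stating these limits would help the next maintainer.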

@ -0,0 +1,9 @@
<p>通过用户名口令、数据证书等其他手段对用户身份进行验证</p>
<h2>通过用户名口令、数据证书等其他手段对用户身份进行验证</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

@ -0,0 +1,13 @@
{
"title": "通过用户名口令、数据证书等其他手段对用户身份进行验证",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}
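Review bot: The rule is registered as `"type": "CODE_SMELL"` with `"defaultSeverity": "Minor"` even though it reports the absence of an authentication entry point, which is a security-design finding rather than a maintainability one; if the plugin's other security rules use `VULNERABILITY` or `SECURITY_HOTSPOT`, this one should match, and the severity deserves a deliberate choice. The `"constantCost": "5min"` remediation estimate also seems optimistic for introducing an authentication flow, though that is a judgement call for the rule owner.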

@ -0,0 +1,22 @@
@Controller
public class AuthController {
@PostMapping("/account/aa")
public String login() {
return "login";
}
@PostMapping(value ={"/path/bb", "/path/www", "/path/eee"})
public String signin() {
return "login";
@RequestMapping("/myapp/cc")
public String auth() {
return "login";
}
}
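Review bot: As rendered, the fixture never closes `signin()` — the line after its `return "login";` is the `@RequestMapping("/myapp/cc")` annotation of `auth()` — so the file is not valid Java; add the missing `}` before that annotation, otherwise the test depends on the parser's error recovery rather than on the checker. The fixture also only covers the negative case (no mapped path matches `VALID_PATHS`); a companion file with e.g. `@PostMapping("/login")` is needed to show the checker stays silent when an authentication endpoint is present.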

@ -0,0 +1,32 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称信息安全性设计准则检查插件
* 项目描述用于检查源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier;
/**
* 通过用户名口令数据证书等其他手段对用户身份进行验证 单元测试类
*
* @author WuHaoYang
* @date 2024/1/23
*/
public class AuthenticationCheckerTest {
@Test
void detected() {
CheckVerifier.newVerifier()
.onFiles("src/test/files/AuthenticationChecker.java")
.withCheck(new AuthenticationChecker())
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssueOnProject("应通过用户名口令、数据证书等其他手段对用户身份进行验证");
}
}
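Review bot: `detected()` only asserts that the project-level issue is raised on a fixture with no login-like mapping, so an implementation that always reports would pass; add a second test on a fixture containing a matching path (e.g. `@PostMapping("/login")`) that ends with `.verifyNoIssues()` so both directions of the rule are pinned. Since the checker keeps its result in the instance field `isValidPathFound`, each test should construct its own `new AuthenticationChecker()` as this one does.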