diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagChecker.java
new file mode 100644
index 0000000..2a901c7
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagChecker.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.html.checks.AbstractPageCheck;
+import org.sonar.plugins.html.node.TagNode;
+import org.sonar.plugins.java.api.JavaCheck;
+
+/**
+ *

规则:用户输入口令时应对口令域进行掩饰。用户输入的每一个字符都应该以星号形式回显。

+ * 验证逻辑:当input标签的name或者id包含password时,如果type不是password时,则报告问题 + * + * @author GuoXin + * @date 2024/1/20 + */ +@Rule(key = "PasswordInputTagChecker") +public class PasswordInputTagChecker extends AbstractPageCheck implements JavaCheck { + @Override + public void startElement(TagNode node) { + if ("input".equalsIgnoreCase(node.getNodeName())) { + var id = node.getAttribute("id"); + var name = node.getAttribute("name"); + var type = node.getAttribute("type"); + // 当name或者id包含password时,如果type不是password时,则报告问题 + if ((id != null && id.contains("password")) || (name != null && name.contains("password"))) { + if (!"password".equalsIgnoreCase(type)) { + createViolation(node, "密码输入框的type属性不为password"); + } + } + } + } +} diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagChecker.html new file mode 100644 index 0000000..37d128f --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagChecker.html @@ -0,0 +1,9 @@ +
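Review bot: The attribute test in startElement is case-sensitive (`id.contains("password")`, `name.contains("password")`) while the type comparison right below it uses equalsIgnoreCase, so an input whose id or name is `userPassword`, `PASSWORD` or `Password` is never inspected and a plain-text field with such a name passes the rule silently. Normalise both attributes the same way the type is normalised, e.g. with a small helper `private static boolean namesPassword(String v) { return v != null && v.toLowerCase(Locale.ROOT).contains("password"); }` and the condition `if (namesPassword(id) || namesPassword(name)) {`; this needs `import java.util.Locale;` added to the import block. The Javadoc's "name或者id包含password" wording then matches what the code actually does. The null case for type is already handled correctly, since `"password".equalsIgnoreCase(null)` is false and a missing type attribute is reported.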

用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显。

+

用户输入口令时应对口令域进行掩饰,用户输入的每一个字符都应该以星号形式回显。

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagChecker.json
new file mode 100644
index 0000000..3f08802
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/PasswordInputTagChecker.json
@@ -0,0 +1,13 @@
+{
+ "title": "用户输入口令时应对口令域进行掩饰。用户输入的每一个字符都应该以星号形式回显",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "15min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Major"
+}
diff --git a/sonar-keyware-plugins-java/src/test/files/PasswordInputTagChecker.html b/sonar-keyware-plugins-java/src/test/files/PasswordInputTagChecker.html
new file mode 100644
index 0000000..35d112c
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/PasswordInputTagChecker.html
@@ -0,0 +1,14 @@
+
+Test for PasswordInputTagChecker
+
+

Test for PasswordInputTagChecker

+

Test 1 - FAIL

+

+

+ + + +
+

+
+
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagCheckerTest.java
new file mode 100644
index 0000000..49ecca5
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/PasswordInputTagCheckerTest.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:信息安全性设计准则检查插件
+ * 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.HtmlCheckMessagesVerifierRule;
+import com.keyware.sonar.java.utils.HtmlTestHelper;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+import org.sonar.plugins.html.visitor.HtmlSourceCode;
+
+import java.io.File;
+
+/**
+ * 测试规则:用户输入口令时应对口令域进行掩饰。用户输入的每一个字符都应该以星号形式回显
+ *
+ * @author GuoXin
+ * @date 2024/1/20
+ */
+public class PasswordInputTagCheckerTest {
+ @RegisterExtension
+ public HtmlCheckMessagesVerifierRule checkMessagesVerifier = new HtmlCheckMessagesVerifierRule();
+
+ @Test
+ public void detected() throws Exception {
+ HtmlSourceCode sourceCode = HtmlTestHelper.scan(new File("src/test/files/PasswordInputTagChecker.html"), new PasswordInputTagChecker());
+
+ checkMessagesVerifier.verify(sourceCode.getIssues())
+ .next().atLine(16);
+ }
+}