From 34d97c1d3982f5d16153302e8f295e70b7d909ee Mon Sep 17 00:00:00 2001
From: wuhaoyang <2507865306@qq.com>
Date: Wed, 10 Jan 2024 14:24:35 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9A?=
 =?UTF-8?q?=E6=A3=80=E6=B5=8B=E4=BB=A3=E7=A0=81=E4=B8=AD=E8=AF=BB=E5=8F=96?=
 =?UTF-8?q?=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6=E6=88=96=E8=80=85=E6=9C=8D?=
 =?UTF-8?q?=E5=8A=A1=E5=99=A8=E4=B8=AD=E6=96=87=E4=BB=B6=E6=97=B6=E6=98=AF?=
 =?UTF-8?q?=E5=90=A6=E4=BD=BF=E7=94=A8=E7=BB=9D=E5=AF=B9=E8=B7=AF=E5=BE=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../keyware/sonar/java/rules/RulesList.java | 4 +-
 .../checkers/AbsolutePathDetectorChecker.java | 78 +++++++++++++++++++
 .../java/rules/java/AbsolutePathDetector.html | 9 +++
 .../java/rules/java/AbsolutePathDetector.json | 13 ++++
 .../test/files/AbsolutePathDetectorRule.java | 18 +++++
 .../checkers/AbsolutePathDetectorTest.java | 33 ++++++++
 6 files changed, 154 insertions(+), 1 deletion(-)
 create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java
 create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.html
 create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.json
 create mode 100644 sonar-keyware-plugins-java/src/test/files/AbsolutePathDetectorRule.java
 create mode 100644 sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorTest.java
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
index 57bec67..5d3cf71 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
@@ -7,6 +7,7 @@ package com.keyware.sonar.java.rules;
 import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
+import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker;
 import org.sonar.plugins.java.api.JavaCheck;
 import java.util.ArrayList;
@@ -31,7 +32,8 @@ public final class RulesList {
 */
 public static List> getJavaChecks() {
 return Collections.unmodifiableList(Arrays.asList(
- ABCVarNameChecker.class
+ ABCVarNameChecker.class,
+ AbsolutePathDetectorChecker.class
 /*SpringControllerRequestMappingEntityRule.class,
 AvoidAnnotationRule.class,
 AvoidBrandInMethodNamesRule.class,
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java
new file mode 100644
index 0000000..c691b9b
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorChecker.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;/*
+ *@title DetectionPath
+ *@description
+ *@author Admin
+ *@version 1.0
+ *@create 2024/1/9 9:35
+ */
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.ExpressionTree;
+import org.sonar.plugins.java.api.tree.LiteralTree;
+import org.sonar.plugins.java.api.tree.Tree;
+import org.sonar.plugins.java.api.tree.VariableTree;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * 检测代码中读取配置文件或者服务器中文件时是否使用绝对路径
+ *
+ * @author WuHaoyang
+ * @date 2024/1/9
+ */
+@Rule(key = "AbsolutePathDetector")
+public class AbsolutePathDetectorChecker extends IssuableSubscriptionVisitor {
+
+ @Override
+ public List nodesToVisit() {
+ return Collections.singletonList(
+ Tree.Kind.VARIABLE
+ );
+ }
+
+ @Override
+ public void visitNode(Tree tree) {
+ VariableTree node = (VariableTree) tree;
+ checkVariableDeclaration(node);
+ }
+
+ private void checkVariableDeclaration(VariableTree variableTree) {
+ // 获取变量的信息
+ String variableName = variableTree.simpleName().name();
+ String variableType = variableTree.type().symbolType().name();
+
+ // 获取变量的初始化表达式
+ ExpressionTree initializer = variableTree.initializer();
+
+ // 检查初始化表达式是否为字符串字面量
+ if (initializer != null && initializer.is(Tree.Kind.STRING_LITERAL)) {
+ LiteralTree literalTree = (LiteralTree) initializer;
+ String literalValue = literalTree.value().replace("\"", "");
+
+ // 检查字符串字面量是否为绝对路径
+ if (isAbsolutePath(literalValue)) {
+ //打印变量信息
+ System.out.println("变量名称: " + variableName);
+ System.out.println("变量类型: " + variableType);
+ System.out.println("检测到绝对路径: " + literalValue);
+
+ //报告问题(如果检测到问题)
+ reportIssue(variableTree, "读取配置文件或者服务器中文件时不可使用绝对路径");
+ }
+ }
+ }
+
+ //检查字符串是否为绝对路径
+ private boolean isAbsolutePath(String path) {
+ return path.startsWith("/") || path.matches("^[A-Za-z]:\\\\.*");
+ }
+
+}
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.html
new file mode 100644
index 0000000..d8fdab6
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.html
@@ -0,0 +1,9 @@
+
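Review bot: `isAbsolutePath` reports every string literal that begins with `/`, so in `checkVariableDeclaration` a field like `String endpoint = "/api/users"` or a classpath resource name such as `"/config.properties"` is flagged as an absolute file path even though neither is one; the literal text alone cannot tell these apart, so the limitation should at least be stated in the class Javadoc (`绝对路径判断仅基于字面量文本，以 "/" 开头的 URL 路径或 classpath 资源名也会被报告`) until the check is narrowed to values that reach a file API. The three `System.out.println` calls write variable names and paths to the analyzer's stdout on every hit and should be removed (`variableName` and `variableType` then become unused locals) or routed through the plugin's logger. `String.matches` recompiles the regex for every variable declaration; with `import java.util.regex.Pattern;` hoist it to `private static final Pattern DRIVE_PATH = Pattern.compile("^[A-Za-z]:\\\\.*");` and use `return path.startsWith("/") || DRIVE_PATH.matcher(path).matches();`. A comment on that method should also note that the Windows branch only recognises a backslash directly after the drive letter, so `"C:/data"` and UNC literals beginning with `\\\\` are not reported.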

读取配置文件或者服务器中文件时不可使用绝对路径

+

读取配置文件或者服务器中文件时不可使用绝对路径

+
+
+
+

合规解决方案

+
+
+
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.json
new file mode 100644
index 0000000..c04886e
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/AbsolutePathDetector.json
@@ -0,0 +1,13 @@
+{
+ "title": "读取配置文件或者服务器中文件时不可使用绝对路径",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Minor"
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/AbsolutePathDetectorRule.java b/sonar-keyware-plugins-java/src/test/files/AbsolutePathDetectorRule.java
new file mode 100644
index 0000000..a61c013
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/AbsolutePathDetectorRule.java
@@ -0,0 +1,18 @@
+
+class PathDetectorRule{
+ // 使用绝对路径读取配置文件,触发规则
+ String configFilePath = "/path/to/config.properties"; // Noncompliant {{读取配置文件或者服务器中文件时不可使用绝对路径}}
+
+ // 使用相对路径读取配置文件,不触发规则
+ String relativePath = "config.properties";
+
+ public String getABC(){
+ return configFilePath;
+ }
+
+ public void test(){
+ System.out.println(configFilePath);
+ }
+
+
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorTest.java
new file mode 100644
index 0000000..0d537b2
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/AbsolutePathDetectorTest.java
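Review bot: The fixture in `AbsolutePathDetectorRule.java` only exercises the leading-slash branch of `isAbsolutePath`; the Windows drive-letter regex branch has no Noncompliant line, so a regression in that regex would still pass `verifyIssues()`. Add a field next to `configFilePath` such as `String winConfigPath = "C:\\conf\\app.properties"; // Noncompliant {{读取配置文件或者服务器中文件时不可使用绝对路径}}`. A literal that starts with `/` but is not a file path (an HTTP route, for example) is also worth a fixture line once the intended verdict for such values is decided, because the check as written reports it.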
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;/*
+ *@title AbsolutePathDetectorTest
+ *@description
+ *@author Admin
+ *@version 1.0
+ *@create 2024/1/9 10:33
+ */
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+public class AbsolutePathDetectorTest {
+
+
+ @Test
+ void detected() {
+ AbsolutePathDetectorChecker rule = new AbsolutePathDetectorChecker();
+
+
+ CheckVerifier.newVerifier()
+ .onFile("src/test/files/AbsolutePathDetectorRule.java")
+ .withCheck(rule)
+ .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+ .verifyIssues();
+ }
+}