From 4cd845ed64d23333a415fc29b405538fb49d7b0f Mon Sep 17 00:00:00 2001
From: Guo XIn <371864209@qq.com>
Date: Wed, 24 Jan 2024 16:40:39 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9A?=
 =?UTF-8?q?=E5=BB=BA=E8=AE=AE=E5=B0=86=E9=A1=B5=E9=9D=A2=E9=9A=90=E8=97=8F?=
 =?UTF-8?q?=E5=9F=9F=E5=AD=97=E6=AE=B5=E3=80=81Cookie=E3=80=81URL=E7=AD=89?=
 =?UTF-8?q?=E5=85=B3=E9=94=AE=E5=8F=82=E6=95=B0=E7=BC=93=E5=AD=98=E5=88=B0?=
 =?UTF-8?q?=E6=9C=8D=E5=8A=A1=E5=99=A8=E7=AB=AF=E7=9A=84=E4=BC=9A=E8=AF=9D?=
 =?UTF-8?q?=E4=B8=AD=EF=BC=8C=E5=B9=B6=E9=80=9A=E8=BF=87=E4=BC=9A=E8=AF=9D?=
 =?UTF-8?q?=E8=8E=B7=E5=8F=96(=E6=9C=AA=E5=AE=8C=E6=88=90=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../checkers/SessionCacheParamsChecker.java   | 42 +++++++++++++++++++
 .../test/files/SessionCacheParamsChecker.java | 22 ++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
 create mode 100644 sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java

diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
new file mode 100644
index 0000000..136ee9d
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：信息安全性设计准则检查插件
+ * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.Tree;
+
+import javax.annotation.Nonnull;
+import java.util.List;
+
+/**
+ * 将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中，程序使用该数据须通过会话获取
+ * <p>在Java web应用开发中，隐藏域字段、Cookie、URL等关键参数应通过会话获取和传递。</p>
+ *
+ * @author GuoXin
+ * @date 2024/1/24
+ */
+@Rule(key = "SessionCacheParamsChecker")
+public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
+    private static final List<String> HIDED_PARAMS = List.of(
+            "id",
+            "token"
+    );
+
+
+    @Override
+    public List<Tree.Kind> nodesToVisit() {
+        return List.of(Tree.Kind.METHOD_INVOCATION);
+    }
+
+    @Override
+    public void visitNode(@Nonnull Tree tree) {
+
+    }
+
+
+}
diff --git a/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java b/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
new file mode 100644
index 0000000..34f4d6a
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
@@ -0,0 +1,22 @@
+package com.example;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+public class ExampleServlet extends HttpServlet {
+    public void doGet(HttpServletRequest request, HttpServletResponse response) {
+        // 直接从request获取参数
+        String param = request.getParameter("userId"); // Noncompliant {{建议将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中，并通过会话获取}}
+
+        // 直接从request获取Cookies
+        Cookie[] cookies = request.getCookies();
+        // 将参数存储到session
+        HttpSession session = request.getSession();
+        session.setAttribute("sessionParam", param);
+        // 其他代码...
+    }
+
+    private void get(HttpServletRequest request, HttpServletResponse response){
+
+    }
+}
\ No newline at end of file