commit
55e2e5eb77
@ -0,0 +1,106 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:Java 信息安全性设计准则 |
||||
* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers; |
||||
|
||||
|
||||
import org.sonar.plugins.java.api.semantic.Symbol; |
||||
import org.sonar.plugins.java.api.tree.*; |
||||
import org.sonar.check.Rule; |
||||
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
||||
|
||||
|
||||
import java.util.*; |
||||
|
||||
@Rule(key = "CookieSensitiveParameterCheck") |
||||
public class CookieSensitiveParameterCheck extends IssuableSubscriptionVisitor { |
||||
|
||||
|
||||
|
||||
private static final Set<String> SENSITIVE_COOKIE_PARAMS = new HashSet<>(Arrays.asList("password", "token", "secret")); |
||||
|
||||
@Override |
||||
public List<Tree.Kind> nodesToVisit() { |
||||
return Arrays.asList(Tree.Kind.METHOD_INVOCATION, Tree.Kind.VARIABLE, Tree.Kind.STRING_LITERAL); |
||||
} |
||||
|
||||
@Override |
||||
public void visitNode(Tree tree) { |
||||
if (tree.is(Tree.Kind.METHOD_INVOCATION)) { |
||||
visitMethodInvocation((MethodInvocationTree) tree); |
||||
} else if (tree.is(Tree.Kind.VARIABLE)) { |
||||
visitVariable((VariableTree) tree); |
||||
} else if (tree.is(Tree.Kind.STRING_LITERAL)) { |
||||
visitStringLiteral((LiteralTree) tree); |
||||
} |
||||
} |
||||
|
||||
private void visitMethodInvocation(MethodInvocationTree methodInvocation) { |
||||
if (isCookieConstructor(methodInvocation)) { |
||||
checkCookieParameters(methodInvocation); |
||||
} |
||||
} |
||||
|
||||
private boolean isCookieConstructor(MethodInvocationTree methodInvocation) { |
||||
if (methodInvocation.methodSelect().is(Tree.Kind.MEMBER_SELECT)) { |
||||
MemberSelectExpressionTree memberSelect = (MemberSelectExpressionTree) methodInvocation.methodSelect(); |
||||
return memberSelect.expression().symbolType().is("javax.servlet.http.Cookie"); |
||||
} |
||||
return false; |
||||
} |
||||
|
||||
private void visitVariable(VariableTree variableTree) { |
||||
ExpressionTree initializer = variableTree.initializer(); |
||||
if (initializer != null && initializer.is(Tree.Kind.NEW_CLASS)) { |
||||
checkCookieParameters(variableTree, ((NewClassTree) initializer).arguments()); |
||||
} |
||||
} |
||||
|
||||
private void checkCookieParameters(MethodInvocationTree methodInvocation) { |
||||
List<? extends ExpressionTree> arguments = methodInvocation.arguments(); |
||||
if (arguments != null && arguments.size() == 2) { |
||||
checkSensitiveParameter((ExpressionTree) arguments.get(0), "name", (Symbol) methodInvocation); |
||||
checkSensitiveParameter((ExpressionTree) arguments.get(1), "value", (Symbol) methodInvocation); |
||||
} |
||||
} |
||||
|
||||
private void checkCookieParameters(VariableTree variableTree, List<? extends ExpressionTree> arguments) { |
||||
Symbol variableSymbol = variableTree.symbol(); |
||||
if (arguments != null && arguments.size() == 2) { |
||||
checkSensitiveParameter(arguments.get(0), "name", variableSymbol); |
||||
checkSensitiveParameter(arguments.get(1), "value", variableSymbol); |
||||
} |
||||
} |
||||
|
||||
private void checkSensitiveParameter(ExpressionTree expression, String paramName, Symbol variableSymbol) { |
||||
if (expression.is(Tree.Kind.IDENTIFIER) && paramName.equals("name")) { |
||||
String variableName = ((IdentifierTree) expression).name(); |
||||
if (variableName.equals(variableSymbol.name()) || containsSensitiveParam(variableName)) { |
||||
System.out.println("Cookie参数设置中的name属性与局部变量一致: " + variableName); |
||||
reportIssue(expression, "Cookie参数设置中包含敏感字段"); |
||||
} |
||||
} else if (expression.is(Tree.Kind.IDENTIFIER) && paramName.equals("value")) { |
||||
String variableName = ((IdentifierTree) expression).name(); |
||||
if (variableName.equals(variableSymbol.name()) || containsSensitiveParam(variableName)) { |
||||
System.out.println("Cookie参数设置中的value属性与局部变量一致: " + variableName); |
||||
reportIssue(expression, "Cookie参数设置中包含敏感字段"); |
||||
} |
||||
} |
||||
} |
||||
|
||||
private void visitStringLiteral(LiteralTree literalTree) { |
||||
String literalValue = literalTree.value(); |
||||
if (containsSensitiveParam(literalValue)) { |
||||
System.out.println("Cookie参数设置中包含敏感字段: " + literalValue); |
||||
reportIssue(literalTree, "Cookie参数设置中包含敏感字段"); |
||||
} |
||||
} |
||||
|
||||
private boolean containsSensitiveParam(String value) { |
||||
String lowerCaseValue = value.toLowerCase(); |
||||
return SENSITIVE_COOKIE_PARAMS.stream().anyMatch(lowerCaseValue::contains); |
||||
} |
||||
} |
@ -0,0 +1,9 @@ |
||||
<p>Cookie参数设置中包含敏感字段</p> |
||||
<h2>Cookie参数设置中包含敏感字段</h2> |
||||
<pre> |
||||
|
||||
</pre> |
||||
<h2>合规解决方案</h2> |
||||
<pre> |
||||
|
||||
</pre> |
@ -0,0 +1,13 @@ |
||||
{ |
||||
"title": "Cookie参数设置中包含敏感字段", |
||||
"type": "CODE_SMELL", |
||||
"status": "ready", |
||||
"remediation": { |
||||
"func": "Constant\/Issue", |
||||
"constantCost": "5min" |
||||
}, |
||||
"tags": [ |
||||
"28suo" |
||||
], |
||||
"defaultSeverity": "Minor" |
||||
} |
@ -0,0 +1,16 @@ |
||||
|
||||
import javax.servlet.http.Cookie; |
||||
|
||||
class CookieSensitiveParameterCheck{ |
||||
|
||||
public void func1(){ |
||||
|
||||
String password = ""; |
||||
|
||||
Cookie invalidCookie1 = new Cookie("password", "1321"); // Noncompliant {{Cookie参数设置中包含敏感字段}}
|
||||
Cookie invalidCookie2 = new Cookie(password, 1); // Noncompliant {{Cookie参数设置中包含敏感字段}}
|
||||
Cookie invalidCookie3 = new Cookie("213", password); // Noncompliant {{Cookie参数设置中包含敏感字段}}
|
||||
} |
||||
|
||||
|
||||
} |
@ -0,0 +1,30 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:Java 信息安全性设计准则 |
||||
* 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers; |
||||
|
||||
import com.keyware.sonar.java.utils.FilesUtils; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.sonar.java.checks.verifier.CheckVerifier; |
||||
|
||||
/** |
||||
* TODO ABCVarNameCheckerTest |
||||
* |
||||
* @author GuoXin |
||||
* @date 2024/1/6 |
||||
*/ |
||||
public class CookieSensitiveParameterCheckTest { |
||||
|
||||
@Test |
||||
void detected() { |
||||
|
||||
CheckVerifier.newVerifier() |
||||
.onFile("src/test/files/CookieSensitiveParameterCheck.java") |
||||
.withCheck(new CookieSensitiveParameterCheck()) |
||||
.withClassPath(FilesUtils.getClassPath("target/test-jars")) |
||||
.verifyIssues(); |
||||
} |
||||
} |
Loading…
Reference in new issue