parent
1952a415a6
commit
66137166f3
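--- /dev/null
+++ b/<path-not-shown>/SecurityCookieChecker.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.*;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * TODO SecurityCookieChecker
+ *
+ * @author RenFengJiang
+ * @date 2024/1/10
+ */
+@Rule(key = "SecurityCookieChecker")
+public class SecurityCookieChecker extends SubscriptionVisitor {
+
+@Override
+public List<Tree.Kind> nodesToVisit() {
+/**
+* Tree.Kind.METHOD:方法节点
+* Tree.Kind.BLOCK:方法的代码块节点
+* Tree.Kind.METHOD_INVOCATION: 方法的调用节点
+*/
+return Collections.singletonList(Tree.Kind.METHOD);
+}
+
+
+
+@Override
+public void visitNode(Tree tree) {
+
+MethodTree node = (MethodTree) tree;
+List<VariableTree> parameters = node.parameters();
+// 盘带是否是文件上传类
+boolean boo = parameters.stream().anyMatch(type -> "HttpServletResponse".equals(type.type().toString()));
+if(boo){
+var bodyVisitor = new MethodBOdyVisitor(this);
+node.block().accept(bodyVisitor);
+if(bodyVisitor.booHttp){
+if(!(bodyVisitor.booAge && bodyVisitor.booCure)){
+context.reportIssue(this,node.simpleName(),"设置HTTPS会话中cookie的安全属性");
+}
+}else {
+
+}
+}
+}
+
+static class MethodBOdyVisitor extends BaseTreeVisitor{
+private final SecurityCookieChecker checker;
+
+// 判断是否是https请求
+private boolean booCure = false;
+// 设置cooker时长
+private boolean booAge = false;
+// 设置访问
+private boolean booHttp = false;
+public MethodBOdyVisitor(SecurityCookieChecker checker ){
+this.checker = checker;
+}
+
+@Override
+public void visitMethodInvocation(MethodInvocationTree tree) {
+ExpressionTree expressionTree = tree.methodSelect();
+System.out.println(expressionTree);
+if(expressionTree instanceof MemberSelectExpressionTree){
+MemberSelectExpressionTree memberSelectExpressionTree = (MemberSelectExpressionTree) expressionTree;
+switch (memberSelectExpressionTree.identifier().name()){
+case "setHttpOnly":
+booHttp = true;
+break;
+case "setSecure":
+booCure = true;
+break;
+case "setMaxAge":
+booAge = true;
+break;
+}
+}
+}
+}
+
+}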
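Review bot: `node.block().accept(bodyVisitor);` in visitNode dereferences block() with no null check, and MethodTree.block() is null for abstract and interface methods, so a declaration such as `void handle(HttpServletResponse r);` would crash the analysis; guard with `if (node.block() == null) return;` before the visit. In MethodBOdyVisitor.visitMethodInvocation the override never calls `super.visitMethodInvocation(tree);`, so invocations nested in arguments or in a chained receiver are not descended into and booHttp/booCure/booAge stay false for cookies configured through such calls. The `System.out.println(expressionTree);` in the same method is leftover debug output that will be printed for every invocation during analysis and should be removed. The parameter match `"HttpServletResponse".equals(type.type().toString())` compares the type as written, so a fully qualified `javax.servlet.http.HttpServletResponse` parameter is not recognized; `type.type().symbolType().is("javax.servlet.http.HttpServletResponse")` matches on the resolved type instead. The empty `else { }` branch for methods that never call setHttpOnly means a cookie with none of the three attributes set is silently accepted, which appears to be the opposite of the rule's intent.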
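--- /dev/null
+++ b/<path-not-shown>/SecurityCookieChecker.html
@@ -0,0 +1,9 @@
+<p>设置HTTPS会话中cookie的安全属性</p>
+<h2>设置HTTPS会话中的敏感cookie的安全属性</h2>
+<pre>
+
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+
+</pre>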
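--- /dev/null
+++ b/<path-not-shown>/SecurityCookieChecker.json
@@ -0,0 +1,13 @@
+{
+"title": "设置HTTPS会话中cookie的安全属性",
+"type": "CODE_SMELL",
+"status": "ready",
+"remediation": {
+"func": "Constant\/Issue",
+"constantCost": "5min"
+},
+"tags": [
+"28suo"
+],
+"defaultSeverity": "Minor"
+}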
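Review bot: `"type": "CODE_SMELL"` together with `"defaultSeverity": "Minor"` files a missing Secure/HttpOnly cookie attribute as a maintainability issue, so it will not count toward the project's security rating even though the rule's own title describes a security property. SonarQube's rule taxonomy has `VULNERABILITY` and `SECURITY_HOTSPOT` for this kind of finding; `"type": "VULNERABILITY"` (or SECURITY_HOTSPOT, since the checker cannot tell whether the cookie carries a session or other sensitive value) with a severity consistent with the plugin's other security rules would be the expected classification.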
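--- /dev/null
+++ b/src/test/files/SecurityCookieRule.java
@@ -0,0 +1,20 @@
+import javax.servlet.http.HttpServletResponse;
+
+public class SecurityCookieRule {
+public void setCookie(HttpServletResponse response) { // Noncompliant {{设置HTTPS会话中cookie的安全属性}}
+// 创建一个新的Cookie
+Cookie cookie = new Cookie("cookieName", "cookieValue");
+
+// 设置HttpOnly属性(防止通过JavaScript访问)
+cookie.setHttpOnly(true);
+
+// 设置Secure属性(表示该Cookie只能通过HTTPS连接传输)
+cookie.setSecure(true);
+
+// 设置其他属性,比如过期时间等
+// cookie.setMaxAge(3600); // 有效期为1小时
+
+// 将Cookie添加到HTTP响应头中
+response.addCookie(cookie);
+}
+}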
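Review bot: The fixture uses `Cookie` at `Cookie cookie = new Cookie("cookieName", "cookieValue");` but only imports `HttpServletResponse`, so the file does not compile on its own and the verifier's semantic model sees `Cookie` as an unresolved type; add `import javax.servlet.http.Cookie;`. The method is marked Noncompliant although it calls both `cookie.setHttpOnly(true)` and `cookie.setSecure(true)`, so the issue is raised only because the `setMaxAge` call stays commented out, and a reader would take this as a compliant example; keep the `{{...}}` marker the verifier needs and add a note on the commented line, e.g. `// cookie.setMaxAge(3600); // intentionally omitted so the rule fires`. A second method that calls all three setters, with no Noncompliant marker, would also pin the path where the checker must stay silent.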
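--- /dev/null
+++ b/<path-not-shown>/SecurityCookieCheckerTest.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * TODO SecurityCookieCheckerTest
+ *
+ * @author RenFengJiang
+ * @date 2024/1/10
+ */
+public class SecurityCookieCheckerTest {
+
+@Test
+void detected() {
+SecurityCookieChecker rule = new SecurityCookieChecker();
+
+// Verifies that the check will raise the adequate issues with the expected message.
+// In the test file, lines which should raise an issue have been commented out
+// by using the following syntax: "// Noncompliant {{EXPECTED_MESSAGE}}"
+CheckVerifier.newVerifier()
+.onFile("src/test/files/SecurityCookieRule.java")
+.withCheck(rule)
+.withClassPath(FilesUtils.getClassPath("target/test-jars"))
+.verifyIssues();
+}
+}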
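Review bot: detected() exercises only the reporting path; nothing verifies that a method calling setHttpOnly, setSecure and setMaxAge on its cookie produces no issue, or that a method without an `HttpServletResponse` parameter is ignored, so a regression that makes the checker fire on every method would still pass. A second test running `CheckVerifier.newVerifier().onFile(<compliant fixture path>).withCheck(rule).verifyNoIssues()` against a compliant fixture would close that gap. The class Javadoc `TODO SecurityCookieCheckerTest` is a placeholder and should state in one line which fixture and which behaviour the test covers.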