From 66137166f3ca201f01616fbf782c77d6fe51dd6c Mon Sep 17 00:00:00 2001 From: RenFengJiang <1111> Date: Thu, 11 Jan 2024 11:46:50 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9Aht?= =?UTF-8?q?tp=E4=BC=9A=E8=AF=9D=E4=B8=AD=E6=95=8F=E6=84=9Fcooker=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E5=B1=9E=E6=80=A7=E6=A0=A1=E9=AA=8C=E5=87=86=E5=88=99?= =?UTF-8?q?=20=E4=BF=AE=E6=94=B9=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E6=A0=A1=E9=AA=8C=E5=87=86=E5=88=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../keyware/sonar/java/rules/RulesList.java | 3 + .../rules/checkers/RedirectUrlChecker.java | 6 ++ .../rules/checkers/SecurityCookieChecker.java | 91 +++++++++++++++++++ .../checkers/UploadFileVerifyChecker.java | 72 ++++++++------- .../rules/java/SecurityCookieChecker.html | 9 ++ .../rules/java/SecurityCookieChecker.json | 13 +++ .../rules/java/UploadFileVerifyChecker.html | 2 +- .../rules/java/UploadFileVerifyChecker.json | 2 +- .../src/test/files/SecurityCookieRule.java | 20 ++++ .../src/test/files/UploadFileVerifyRule.java | 6 +- .../checkers/RedirectUrlCheckerTest.java | 6 ++ .../checkers/SecurityCookieCheckerTest.java | 34 +++++++ 12 files changed, 226 insertions(+), 38 deletions(-) create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.html create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.json create mode 100644 sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java create mode 100644 sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SecurityCookieCheckerTest.java 
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
index 86029a5..25138c9 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
@@ -35,6 +35,9 @@ public final class RulesList {
 PathAndKeywordCheck.class,
 DynamicCodeChecker.class,
 SystemFunctionChecker.class,
+ UploadFileVerifyChecker.class,
+ SecurityCookieChecker.class,
+ RedirectUrlChecker.class,
 DynamicLibraryLoadChecker.class
 );
 }
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
index 17bf995..282b0c9 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/RedirectUrlChecker.java
@@ -1,3 +1,9 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
 package com.keyware.sonar.java.rules.checkers;
 
 import org.sonar.check.Rule;
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
new file mode 100644
index 0000000..eab05c5
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SecurityCookieChecker.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.*;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * TODO SecurityCookieChecker
+ *
+ * @author RenFengJiang
+ * @date 2024/1/10
+ */
+@Rule(key = "SecurityCookieChecker")
+public class SecurityCookieChecker extends SubscriptionVisitor {
+
+ @Override
+ public List nodesToVisit() {
+ /**
+ * Tree.Kind.METHOD:方法节点
+ * Tree.Kind.BLOCK:方法的代码块节点
+ * Tree.Kind.METHOD_INVOCATION: 方法的调用节点
+ */
+ return Collections.singletonList(Tree.Kind.METHOD);
+ }
+
+
+
+ @Override
+ public void visitNode(Tree tree) {
+
+ MethodTree node = (MethodTree) tree;
+ List parameters = node.parameters();
+// 盘带是否是文件上传类
+ boolean boo = parameters.stream().anyMatch(type -> "HttpServletResponse".equals(type.type().toString()));
+ if(boo){
+ var bodyVisitor = new MethodBOdyVisitor(this);
+ node.block().accept(bodyVisitor);
+ if(bodyVisitor.booHttp){
+ if(!(bodyVisitor.booAge && bodyVisitor.booCure)){
+ context.reportIssue(this,node.simpleName(),"设置HTTPS会话中cookie的安全属性");
+ }
+ }else {
+
+ }
+ }
+ }
+
+ static class MethodBOdyVisitor extends BaseTreeVisitor{
+ private final SecurityCookieChecker checker;
+
+ // 判断是否是https请求
+ private boolean booCure = false;
+ // 设置cooker时长
+ private boolean booAge = false;
+// 设置访问
+ private boolean booHttp = false;
+ public MethodBOdyVisitor(SecurityCookieChecker checker ){
+ this.checker = checker;
+ }
+
+ @Override
+ public void visitMethodInvocation(MethodInvocationTree tree) {
+ ExpressionTree expressionTree = tree.methodSelect();
+ System.out.println(expressionTree);
+ if(expressionTree instanceof MemberSelectExpressionTree){
+ MemberSelectExpressionTree memberSelectExpressionTree = (MemberSelectExpressionTree) expressionTree;
+ switch (memberSelectExpressionTree.identifier().name()){
+ case "setHttpOnly":
+ booHttp = true;
+ break;
+ case "setSecure":
+ booCure = true;
+ break;
+ case "setMaxAge":
+ booAge = true;
+ break;
+ }
+ }
+ }
+ }
+
+}
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
index a6701b7..4f0da20 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
@@ -22,17 +22,6 @@ import java.util.List;
 
 @Rule(key = "UploadFileVerify")
 public class UploadFileVerifyChecker extends SubscriptionVisitor {
-
-// 文件全名字
- private String fileName = "";
-// 文件后缀名
- private String fileType = "";
-// 是否进行if判断
- private boolean nodeOne = true;
-// 文件大小
- private String sizeName = "";
-// 判断权限
- private boolean privType = true;
 @Override
 public List nodesToVisit() {
 /**
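Review bot: In `visitNode`, a method that adds a cookie without ever calling `setHttpOnly` is never reported, because the `else` branch of `if(bodyVisitor.booHttp)` is empty; the rule stays silent on a cookie with no protective attribute at all, while a session cookie that sets both HttpOnly and Secure but no max-age is flagged. `node.block()` is null for abstract and interface methods, so `node.block().accept(bodyVisitor)` throws for any such method with an `HttpServletResponse` parameter, and `System.out.println(expressionTree)` in `visitMethodInvocation` prints every method select of every analysed file and should go. I would key the report on `addCookie` having been seen and on the Secure/HttpOnly flags, as below; if cookie lifetime is meant to be part of this rule, keep `booAge` in the condition and say so in the rule description. The `checker` field of `MethodBOdyVisitor` is assigned but never read, and the receiver of `setSecure`/`setHttpOnly` is not type-checked, so any object with such a method counts — acceptable for a first version but worth a comment.
```java
    @Override
    public void visitNode(Tree tree) {
        MethodTree node = (MethodTree) tree;
        // Abstract and interface methods have no body to inspect.
        if (node.block() == null) {
            return;
        }
        boolean handlesResponse = node.parameters().stream()
                .anyMatch(p -> "HttpServletResponse".equals(p.type().toString()));
        if (!handlesResponse) {
            return;
        }
        var bodyVisitor = new MethodBOdyVisitor(this);
        node.block().accept(bodyVisitor);
        // A cookie was added to the response but Secure and HttpOnly were not both set.
        if (bodyVisitor.booAdd && !(bodyVisitor.booCure && bodyVisitor.booHttp)) {
            context.reportIssue(this, node.simpleName(), "设置HTTPS会话中cookie的安全属性");
        }
    }

    static class MethodBOdyVisitor extends BaseTreeVisitor {
        // … unchanged: booCure / booAge / booHttp fields and constructor …
        // set once response.addCookie(...) has been seen in the body
        private boolean booAdd = false;

        @Override
        public void visitMethodInvocation(MethodInvocationTree tree) {
            ExpressionTree expressionTree = tree.methodSelect();
            if (expressionTree instanceof MemberSelectExpressionTree) {
                MemberSelectExpressionTree memberSelectExpressionTree = (MemberSelectExpressionTree) expressionTree;
                switch (memberSelectExpressionTree.identifier().name()) {
                    case "addCookie":
                        booAdd = true;
                        break;
                    // … unchanged: setHttpOnly / setSecure / setMaxAge cases …
                }
            }
        }
    }
```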
@@ -51,33 +40,39 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor {
 boolean boo = parameters.stream().anyMatch(type -> "MultipartFile".equals(type.type().toString()));
 if(boo){
 // 获取文件名称类型判断是否配置文件权限
- new InteriorInvoIf().check(tree);
- if(fileType != ""){
-// 判断是否对文件后缀进行限制
- new NodeIf(fileType).check(tree);
- }else if(fileName != ""){
+ var interiorInvoIf = new InteriorInvoIf();
+ interiorInvoIf.check(((MethodTree) tree).block());
+ if(interiorInvoIf.fileType != ""){
 // 判断是否对文件后缀进行限制
- new NodeIf(fileName).check(tree);
- }
-// 判断是否获取文件名称
- if(nodeOne){
-// 没有抛出
- context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作");
+ NodeIf nodeIf = new NodeIf(interiorInvoIf.fileType);
+ nodeIf.check(((MethodTree) tree).block());
+ if (nodeIf.boo){
+ context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
+ }
 }else {
-// 有的话设置位true后续还要用
- nodeOne = true;
+ if(interiorInvoIf.fileName != ""){
+ // 判断是否对文件后缀进行限制
+ NodeIf nodeIf = new NodeIf(interiorInvoIf.fileName);
+ nodeIf.check(((MethodTree) tree).block());
+ if (nodeIf.boo){
+ context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
+ }
+ }else {
+ context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
+ }
 }
- if(sizeName != ""){
+
+ if(interiorInvoIf.sizeName != ""){
 // 判断是否对文件大小进行限制
- new NodeIf(sizeName).check(tree);
- }
-// 根据是返回结果进行判断是否抛出异常
- if(nodeOne){
- context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作");
+ NodeIf nodeIf = new NodeIf(interiorInvoIf.sizeName);
+ nodeIf.check(((MethodTree) tree).block());
+ if (nodeIf.boo){
+ context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
+ }
 }
 // 判断是否进行权限设置
- if(privType){
- context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作");
+ if(interiorInvoIf.privType){
+ context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
 }
 }
 
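Review bot: The three new conditions `if(interiorInvoIf.fileType != "")`, `if(interiorInvoIf.fileName != "")` and `if(interiorInvoIf.sizeName != "")` compare strings by reference; they only work while the fields still hold the `""` literal they were initialised with, and an empty string produced at runtime (for example from a `toString()` on a tree node) would count as non-empty and start a `NodeIf` scan for an empty name. Use `if (!interiorInvoIf.fileType.isEmpty())` and the same form for the other two. The four `reportIssue` calls also all carry the identical white-list message, so a missing size limit or a missing permission check (`privType`) is reported as a file-type finding and several indistinguishable issues can stack on the same `node.simpleName()`; a distinct message per condition would make the report actionable. The enclosing `visitNode` starts and ends outside this hunk, so the `node`/`parameters` declarations and whether `((MethodTree) tree).block()` can be null for body-less methods cannot be judged here.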
@@ -85,6 +80,14 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { // 內部文件名称类型获取类 private class InteriorInvoIf extends SubscriptionVisitor{ + // 文件全名字 + public String fileName = ""; + // 文件后缀名 + public String fileType = ""; + // 文件大小 + public String sizeName = ""; + // 判断权限 + public boolean privType = true; @Override public List nodesToVisit() { @@ -143,6 +146,7 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { public class NodeIf extends SubscriptionVisitor{ private String name; + public boolean boo = true; @Override public List nodesToVisit() { return Collections.singletonList(Tree.Kind.IF_STATEMENT); @@ -163,9 +167,9 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition; // 判断是否进行if判断 if(name.equals(binaryExpressionTree.leftOperand().toString())){ - nodeOne = false; + boo = false; }else if(name.equals(binaryExpressionTree.rightOperand().toString())){ - nodeOne = false; + boo = false; } } } diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.html new file mode 100644 index 0000000..73bd590 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.html @@ -0,0 +1,9 @@ +
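Review bot: `public boolean boo = true;` added to `NodeIf` names the flag by its type rather than its meaning; from the `visitNode` hunk below it stays true until an `if` condition mentions `name`, so `private boolean unchecked = true; // true until an if-condition compares name` plus an accessor would tell the caller in `visitNode` what `nodeIf.boo` stands for. The same goes for the four `public` mutable fields added to `InteriorInvoIf`: both are inner classes of the checker, so package-private fields or getters are enough and keep the visitor's state from being written by callers. The `name` field of `NodeIf` and the remainder of both inner classes lie outside these hunks.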

设置HTTPS会话中cookie的安全属性

+

设置HTTPS会话中的敏感cookie的安全属性

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.json
new file mode 100644
index 0000000..29a8c31
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/SecurityCookieChecker.json
@@ -0,0 +1,13 @@
+{
+ "title": "设置HTTPS会话中cookie的安全属性",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Minor"
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html
index f5f5181..4e1d8d5 100644
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html
@@ -1,4 +1,4 @@
-
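Review bot: `"type": "CODE_SMELL"` classifies a missing Secure/HttpOnly cookie attribute as maintainability debt, so the finding will not show up under SonarQube's security categories or affect the security rating; `"type": "VULNERABILITY"` matches what the checker looks for. `"tags": ["28suo"]` carries only the project tag, and a descriptive tag next to it would help users filter this rule. The existing UploadFileVerifyChecker.json keeps CODE_SMELL as well, so if that is a deliberate project-wide choice, ignore this.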

上传文件检查

+

程序设计时,应以“白名单”方式限制允许用户上传的文件的类型

程序设计时,应以“白名单”方式限制允许用户上传的文件的类型(如jpg、png、txt、doc、docx、xls、xlsx、xml等格式)并进行检查,根据业务实际需求,设定上传的文件大小,同时限制文件权限(可读、可写、可执行等)

 
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json
index 8002507..1d7daa7 100644
--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json
@@ -1,5 +1,5 @@
 {
-  "title": "上传文件检查",
+  "title": "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型",
   "type": "CODE_SMELL",
   "status": "ready",
   "remediation": {
diff --git a/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java b/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java
new file mode 100644
index 0000000..e3a40c0
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/SecurityCookieRule.java
@@ -0,0 +1,20 @@
+import javax.servlet.http.HttpServletResponse;
+
+public class SecurityCookieRule {
+    public void setCookie(HttpServletResponse response) { // Noncompliant {{设置HTTPS会话中cookie的安全属性}}
+        // 创建一个新的Cookie
+        Cookie cookie = new Cookie("cookieName", "cookieValue");
+
+        // 设置HttpOnly属性(防止通过JavaScript访问)
+        cookie.setHttpOnly(true);
+
+        // 设置Secure属性(表示该Cookie只能通过HTTPS连接传输)
+        cookie.setSecure(true);
+
+        // 设置其他属性,比如过期时间等
+//        cookie.setMaxAge(3600); // 有效期为1小时
+
+        // 将Cookie添加到HTTP响应头中
+        response.addCookie(cookie);
+    }
+}
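Review bot: `Cookie cookie = new Cookie("cookieName", "cookieValue");` uses `Cookie` but the fixture imports only `HttpServletResponse`, so the type is unresolved during the test's semantic analysis; add `import javax.servlet.http.Cookie;` next to the existing import. The method is expected to be Noncompliant although it calls both `setHttpOnly(true)` and `setSecure(true)`, solely because `setMaxAge` is commented out, which pins cookie lifetime as a required part of the rule; if that is intended, state it in the rule description. Either way a second, compliant method in this fixture would guard against false positives, since `verifyIssues()` also fails on issues that were not expected.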
diff --git a/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java b/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
index 0329bc4..b54ca86 100644
--- a/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
@@ -10,7 +10,7 @@ public class UploadFileVerifyRule {
     private String fileUploadPath;
 
     @PostMapping("/upload")
-    public Result upload(@RequestParam MultipartFile file) throws IOException { // Noncompliant {{没对上传文件进行判断等操作}}
+    public Result upload(@RequestParam MultipartFile file) throws IOException { // Noncompliant {{程序设计时,应以“白名单”方式限制允许用户上传的文件的类型}}
 
         file.setExecutable(true);
         file.setReadable(true);
@@ -24,7 +24,9 @@ public class UploadFileVerifyRule {
         //获取文件原始名称
         String originalFilename = file.getOriginalFilename();
         String type = FileUtil.extName(originalFilename);
-
+//        if(type == ""){
+//
+//        }
         return Result.success("");
     }
 }
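Review bot: The three added lines `//        if(type == ""){`, `//` and `//        }` are commented-out code in a test fixture and exercise nothing; either drop them or turn them into a real `if` so the fixture also covers the case where the method becomes compliant. Bear in mind that `NodeIf` in the checker hunk above only recognises a binary `if` condition whose operand text equals the tracked name, so the compliant sample has to use that shape to be detected.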
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/RedirectUrlCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/RedirectUrlCheckerTest.java
index c448e5e..218af36 100644
--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/RedirectUrlCheckerTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/RedirectUrlCheckerTest.java
@@ -1,3 +1,9 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
 package com.keyware.sonar.java.rules.checkers;
 
 import com.keyware.sonar.java.utils.FilesUtils;
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SecurityCookieCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SecurityCookieCheckerTest.java
new file mode 100644
index 0000000..c45a68a
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/SecurityCookieCheckerTest.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * TODO SecurityCookieCheckerTest
+ *
+ * @author RenFengJiang
+ * @date 2024/1/10
+ */
+public class SecurityCookieCheckerTest {
+
+    @Test
+    void detected() {
+        SecurityCookieChecker rule = new SecurityCookieChecker();
+
+        // Verifies that the check will raise the adequate issues with the expected message.
+        // In the test file, lines which should raise an issue have been commented out
+        // by using the following syntax: "// Noncompliant {{EXPECTED_MESSAGE}}"
+        CheckVerifier.newVerifier()
+                .onFile("src/test/files/SecurityCookieRule.java")
+                .withCheck(rule)
+                .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+                .verifyIssues();
+    }
+}
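Review bot: The class Javadoc `TODO SecurityCookieCheckerTest` is a placeholder; replace it with a one-line summary such as `Verifies SecurityCookieChecker against src/test/files/SecurityCookieRule.java.` The test exercises a single noncompliant method only, so a compliant method in the fixture is needed to show the rule stays silent when the required attributes are set, which is the main false-positive risk of a name-based check.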