|
|
@ -22,17 +22,6 @@ import java.util.List; |
|
|
|
|
|
|
|
|
|
|
|
@Rule(key = "UploadFileVerify") |
|
|
|
@Rule(key = "UploadFileVerify") |
|
|
|
public class UploadFileVerifyChecker extends SubscriptionVisitor { |
|
|
|
public class UploadFileVerifyChecker extends SubscriptionVisitor { |
|
|
|
|
|
|
|
|
|
|
|
// 文件全名字
|
|
|
|
|
|
|
|
private String fileName = ""; |
|
|
|
|
|
|
|
// 文件后缀名
|
|
|
|
|
|
|
|
private String fileType = ""; |
|
|
|
|
|
|
|
// 是否进行if判断
|
|
|
|
|
|
|
|
private boolean nodeOne = true; |
|
|
|
|
|
|
|
// 文件大小
|
|
|
|
|
|
|
|
private String sizeName = ""; |
|
|
|
|
|
|
|
// 判断权限
|
|
|
|
|
|
|
|
private boolean privType = true; |
|
|
|
|
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
|
/** |
|
|
|
/** |
|
|
@ -51,33 +40,39 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { |
|
|
|
boolean boo = parameters.stream().anyMatch(type -> "MultipartFile".equals(type.type().toString())); |
|
|
|
boolean boo = parameters.stream().anyMatch(type -> "MultipartFile".equals(type.type().toString())); |
|
|
|
if(boo){ |
|
|
|
if(boo){ |
|
|
|
// 获取文件名称类型判断是否配置文件权限
|
|
|
|
// 获取文件名称类型判断是否配置文件权限
|
|
|
|
new InteriorInvoIf().check(tree); |
|
|
|
var interiorInvoIf = new InteriorInvoIf(); |
|
|
|
if(fileType != ""){ |
|
|
|
interiorInvoIf.check(((MethodTree) tree).block()); |
|
|
|
// 判断是否对文件后缀进行限制
|
|
|
|
if(interiorInvoIf.fileType != ""){ |
|
|
|
new NodeIf(fileType).check(tree); |
|
|
|
|
|
|
|
}else if(fileName != ""){ |
|
|
|
|
|
|
|
// 判断是否对文件后缀进行限制
|
|
|
|
// 判断是否对文件后缀进行限制
|
|
|
|
new NodeIf(fileName).check(tree); |
|
|
|
NodeIf nodeIf = new NodeIf(interiorInvoIf.fileType); |
|
|
|
|
|
|
|
nodeIf.check(((MethodTree) tree).block()); |
|
|
|
|
|
|
|
if (nodeIf.boo){ |
|
|
|
|
|
|
|
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
}else { |
|
|
|
|
|
|
|
if(interiorInvoIf.fileName != ""){ |
|
|
|
|
|
|
|
// 判断是否对文件后缀进行限制
|
|
|
|
|
|
|
|
NodeIf nodeIf = new NodeIf(interiorInvoIf.fileName); |
|
|
|
|
|
|
|
nodeIf.check(((MethodTree) tree).block()); |
|
|
|
|
|
|
|
if (nodeIf.boo){ |
|
|
|
|
|
|
|
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); |
|
|
|
} |
|
|
|
} |
|
|
|
// 判断是否获取文件名称
|
|
|
|
|
|
|
|
if(nodeOne){ |
|
|
|
|
|
|
|
// 没有抛出
|
|
|
|
|
|
|
|
context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作"); |
|
|
|
|
|
|
|
}else { |
|
|
|
}else { |
|
|
|
// 有的话设置位true后续还要用
|
|
|
|
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); |
|
|
|
nodeOne = true; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
if(sizeName != ""){ |
|
|
|
|
|
|
|
|
|
|
|
if(interiorInvoIf.sizeName != ""){ |
|
|
|
// 判断是否对文件大小进行限制
|
|
|
|
// 判断是否对文件大小进行限制
|
|
|
|
new NodeIf(sizeName).check(tree); |
|
|
|
NodeIf nodeIf = new NodeIf(interiorInvoIf.sizeName); |
|
|
|
|
|
|
|
nodeIf.check(((MethodTree) tree).block()); |
|
|
|
|
|
|
|
if (nodeIf.boo){ |
|
|
|
|
|
|
|
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); |
|
|
|
} |
|
|
|
} |
|
|
|
// 根据是返回结果进行判断是否抛出异常
|
|
|
|
|
|
|
|
if(nodeOne){ |
|
|
|
|
|
|
|
context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作"); |
|
|
|
|
|
|
|
} |
|
|
|
} |
|
|
|
// 判断是否进行权限设置
|
|
|
|
// 判断是否进行权限设置
|
|
|
|
if(privType){ |
|
|
|
if(interiorInvoIf.privType){ |
|
|
|
context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作"); |
|
|
|
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
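Review bot: The new size and permission branches report the wrong finding text: in the `interiorInvoIf.sizeName` block and the `interiorInvoIf.privType` block the message is now the file-type whitelist text (`程序设计时,应以“白名单”方式限制允许用户上传的文件的类型`), where the old code used `没对上传文件进行判断等操作` for the missing-check cases, so a developer reading the issue is told to whitelist extensions when the actual gap is a missing size limit or permission check; each branch should carry its own message (the previous text for the permission branch, and a size-specific one for the size branch). The presence checks `if(interiorInvoIf.fileType != "")`, `if(interiorInvoIf.fileName != "")` and `if(interiorInvoIf.sizeName != "")` compare string references, which only works while the fields still hold the original `""` literal; use `if (!interiorInvoIf.fileType.isEmpty()) {` (and likewise for the other two). The `((MethodTree) tree).block()` calls that are repeated four times could be hoisted into one local, and it appears to be passed to `check` without a null guard, which presumably matters for bodiless methods (abstract or interface declarations with a `MultipartFile` parameter) — worth confirming what `block()` returns there. The enclosing visit method starts outside this hunk, and the page layout is mangled, so the old/new assignment of some lines is inferred.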
|
|
|
|
|
|
|
|
|
|
@ -85,6 +80,14 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { |
|
|
|
|
|
|
|
|
|
|
|
// 內部文件名称类型获取类
|
|
|
|
// 內部文件名称类型获取类
|
|
|
|
private class InteriorInvoIf extends SubscriptionVisitor{ |
|
|
|
private class InteriorInvoIf extends SubscriptionVisitor{ |
|
|
|
|
|
|
|
// 文件全名字
|
|
|
|
|
|
|
|
public String fileName = ""; |
|
|
|
|
|
|
|
// 文件后缀名
|
|
|
|
|
|
|
|
public String fileType = ""; |
|
|
|
|
|
|
|
// 文件大小
|
|
|
|
|
|
|
|
public String sizeName = ""; |
|
|
|
|
|
|
|
// 判断权限
|
|
|
|
|
|
|
|
public boolean privType = true; |
|
|
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
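Review bot: The fields added to `InteriorInvoIf` (`fileName`, `fileType`, `sizeName`, `privType`) are public and mutable on a private inner visitor, and the class stays a non-static inner class even though the new design no longer writes the outer checker's state; declaring it `private static class InteriorInvoIf` and making the fields package-private (or private with accessors) keeps the result object from being modified by anything other than the visitor itself. The field comments are in Chinese; an English one-liner per field, e.g. `// full file-name expression found in the method body, "" if none`, would help readers of this checker. The class body continues past the hunk.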
|
|
@ -143,6 +146,7 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { |
|
|
|
public class NodeIf extends SubscriptionVisitor{ |
|
|
|
public class NodeIf extends SubscriptionVisitor{ |
|
|
|
|
|
|
|
|
|
|
|
private String name; |
|
|
|
private String name; |
|
|
|
|
|
|
|
public boolean boo = true; |
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
|
return Collections.singletonList(Tree.Kind.IF_STATEMENT); |
|
|
|
return Collections.singletonList(Tree.Kind.IF_STATEMENT); |
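Review bot: The new `public boolean boo = true;` in `NodeIf` is undocumented and its meaning is inverted relative to its name: it stays true when no matching `if` condition was found and the caller reports an issue on `nodeIf.boo`. A name such as `notChecked` with the comment `// true until an if-condition referencing `name` is found in the visited block` would make the call sites in the outer checker readable; as with `InteriorInvoIf`, the field can be package-private rather than public, and `NodeIf` can be `static`. The class continues outside this hunk.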
|
|
@ -163,9 +167,9 @@ public class UploadFileVerifyChecker extends SubscriptionVisitor { |
|
|
|
BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition; |
|
|
|
BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition; |
|
|
|
// 判断是否进行if判断
|
|
|
|
// 判断是否进行if判断
|
|
|
|
if(name.equals(binaryExpressionTree.leftOperand().toString())){ |
|
|
|
if(name.equals(binaryExpressionTree.leftOperand().toString())){ |
|
|
|
nodeOne = false; |
|
|
|
boo = false; |
|
|
|
}else if(name.equals(binaryExpressionTree.rightOperand().toString())){ |
|
|
|
}else if(name.equals(binaryExpressionTree.rightOperand().toString())){ |
|
|
|
nodeOne = false; |
|
|
|
boo = false; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
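Review bot: The two new `boo = false;` branches are identical and can be merged into one condition: `if (name.equals(binaryExpressionTree.leftOperand().toString()) || name.equals(binaryExpressionTree.rightOperand().toString())) { boo = false; }`. Note that this only recognises a check when the tracked expression is a direct operand of a binary condition; conditions built from a method call or a compound `&&`/`||` expression are presumably not matched and will be reported as unchecked — if that limitation is intended it is worth a short comment above the cast, which sits outside this hunk along with the rest of the visit method.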
|
|
|