From 7f1716b7abdc49983fa4eddf1edd1e908cd0b892 Mon Sep 17 00:00:00 2001 From: wuhaoyang <2507865306@qq.com> Date: Sat, 13 Jan 2024 11:20:19 +0800 Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9E=E5=87=86=E5=88=99=EF=BC=9A?= =?UTF-8?q?=E5=9C=A8=E6=9C=8D=E5=8A=A1=E5=99=A8=E7=AB=AF=E4=B8=8D=E5=85=81?= =?UTF-8?q?=E8=AE=B8=E4=BB=85=E4=BB=85=E4=BE=9D=E8=B5=96=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E7=9A=84=E5=90=8D=E7=A7=B0=E6=88=96=E8=80=85=E6=89=A9=E5=B1=95?= =?UTF-8?q?=E5=90=8E=E7=BC=80=E5=86=B3=E5=AE=9A=E8=BD=AF=E4=BB=B6=E7=9A=84?= =?UTF-8?q?=E8=A1=8C=E4=B8=BA=EF=BC=8C=E5=BA=94=E4=BE=9D=E8=B5=96=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E7=9A=84=E5=86=85=E5=AE=B9=E5=86=B3=E5=AE=9A=E8=BD=AF?= =?UTF-8?q?=E4=BB=B6=E7=9A=84=E8=A1=8C=E4=B8=BA=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../sonar/java/rules/checkers/FileCheck.java | 56 +++++++++++++++++++ .../sonar/l10n/java/rules/java/FileCheck.html | 9 +++ .../sonar/l10n/java/rules/java/FileCheck.json | 13 +++++ .../src/test/files/FileCheck.java | 22 ++++++++ .../java/rules/checkers/FileCheckTest.java | 29 ++++++++++ 5 files changed, 129 insertions(+) create mode 100644 sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/FileCheck.java create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.html create mode 100644 sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.json create mode 100644 sonar-keyware-plugins-java/src/test/files/FileCheck.java create mode 100644 sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/FileCheckTest.java diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/FileCheck.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/FileCheck.java new file mode 100644 index 0000000..7a3eebf --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/FileCheck.java @@ -0,0 +1,56 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:Java 信息安全性设计准则 + * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers; + +import org.sonar.check.Rule; +import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; + + +import org.sonar.plugins.java.api.tree.*; + +import java.util.Arrays; +import java.util.List; + +/** + * 在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为。 + * + * @author WuHaoyang + * @date 2024/1/13 + */ +@Rule(key = "FileCheck") +public class FileCheck extends IssuableSubscriptionVisitor { + private static final List FILE_NAME_VARS = Arrays.asList("fileName", "fileExt", "fileSuffix"); + + @Override + public List nodesToVisit() { + return Arrays.asList(Tree.Kind.BLOCK, Tree.Kind.IF_STATEMENT); + } + + @Override + public void visitNode(Tree tree) { + if (tree.is(Tree.Kind.IF_STATEMENT)) { + IfStatementTree ifStatement = (IfStatementTree) tree; + ExpressionTree condition = ifStatement.condition(); + + // 在条件中检查文件名、文件扩展名或文件后缀的使用 + checkVariableUsage(condition); + } + } + + private void checkVariableUsage(ExpressionTree condition) { + condition.accept(new BaseTreeVisitor() { + @Override + public void visitIdentifier(IdentifierTree tree) { + if (FILE_NAME_VARS.contains(tree.name())) { + // 如果在条件中发现了文件名、文件扩展名或文件后缀的使用,报告问题 + System.out.println("依赖文件的名称或者扩展后缀:"+tree.name()); + reportIssue(tree, "在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为"); + } + } + }); + } +} diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.html new file mode 100644 index 0000000..6eec490 --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.html @@ -0,0 +1,9 @@ +

在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为

+

在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.json new file mode 100644 index 0000000..66a3c6d --- /dev/null +++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/FileCheck.json @@ -0,0 +1,13 @@ +{ + "title": "在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为", + "type": "CODE_SMELL", + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "5min" + }, + "tags": [ + "28suo" + ], + "defaultSeverity": "Minor" +} \ No newline at end of file diff --git a/sonar-keyware-plugins-java/src/test/files/FileCheck.java b/sonar-keyware-plugins-java/src/test/files/FileCheck.java new file mode 100644 index 0000000..516aef2 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/files/FileCheck.java @@ -0,0 +1,22 @@ +class FileCheck{ + + public String FileName(){ + String fileName = ""; + String fileExt = ""; + String fileSuffix = ""; + + if(fileName.endsWith("png") ){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}} + + } + + if(fileExt.equals("jpg") ){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}} + + } + + if(fileSuffix.equals("jpg")){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}} + + } + return null; + } + +} diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/FileCheckTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/FileCheckTest.java new file mode 100644 index 0000000..e3f88c8 --- /dev/null +++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/FileCheckTest.java @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. + * 项目名称:Java 信息安全性设计准则 + * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件 + * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 + */ +package com.keyware.sonar.java.rules.checkers; + +import com.keyware.sonar.java.utils.FilesUtils; +import org.junit.jupiter.api.Test; +import org.sonar.java.checks.verifier.CheckVerifier; + +/** + * + * @author WuHaoYang + * @date 2024/1/6 + */ +public class FileCheckTest { + @Test + void detected() { + + + CheckVerifier.newVerifier() + .onFile("src/test/files/FileCheck.java") + .withCheck(new FileCheck()) + .withClassPath(FilesUtils.getClassPath("target/test-jars")) + .verifyIssues(); + } +}