新增准则:HTTP输入数据验证

wuhaoyang
RenFengJiang 10 months ago
parent 88a121b7dc
commit 987b77fea9
  1. 97
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/HttpInputDataChecker.java
  2. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HttpInputDataChecker.html
  3. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/HttpInputDataChecker.json
  4. 25
      sonar-keyware-plugins-java/src/test/files/HttpInputDataRule.java
  5. 31
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/HttpInputDataCheckerTest.java

@ -0,0 +1,97 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import org.sonar.check.Rule;
import org.sonar.java.ast.parser.ArgumentListTreeImpl;
import org.sonar.java.model.expression.AssignmentExpressionTreeImpl;
import org.sonar.java.model.expression.IdentifierTreeImpl;
import org.sonar.java.model.expression.LiteralTreeImpl;
import org.sonar.java.model.expression.MemberSelectExpressionTreeImpl;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
/**
* TODO HttpInputDataChecker
*
* @author RenFengJiang
* @date 2024/1/12
*/
@Rule(key = "HttpInputDataChecker")
public class HttpInputDataChecker extends IssuableSubscriptionVisitor {
@Override
public List<Tree.Kind> nodesToVisit() {
/**
* Tree.Kind.METHOD方法节点
* Tree.Kind.BLOCK方法的代码块节点
* Tree.Kind.METHOD_INVOCATION 方法的调用节点
*/
return Collections.singletonList(Tree.Kind.BLOCK);
}
@Override
public void visitNode(Tree tree) {
BlockTree blockTree = (BlockTree) tree;
MethodBodyVisitor methodBodyVisitor = new MethodBodyVisitor(this);
blockTree.accept(methodBodyVisitor);
}
static class MethodBodyVisitor extends BaseTreeVisitor{
private final HttpInputDataChecker checker;
List<String> list = new ArrayList<>();
MethodBodyVisitor(HttpInputDataChecker checker){
this.checker = checker;
}
@Override
public void visitIfStatement(IfStatementTree tree) {
System.out.println(tree);
ExpressionTree condition = tree.condition();
System.out.println(condition.toString());
if(condition instanceof AssignmentExpressionTreeImpl){
AssignmentExpressionTreeImpl assignmentExpressionTree = (AssignmentExpressionTreeImpl) condition;
list.add(assignmentExpressionTree.variable().toString());
}
}
@Override
public void visitMethodInvocation(MethodInvocationTree tree) {
ExpressionTree expressionTree = tree.methodSelect();
if(expressionTree instanceof MemberSelectExpressionTreeImpl){
MemberSelectExpressionTreeImpl memberSelectExpressionTree = (MemberSelectExpressionTreeImpl) expressionTree;
if("setHeader".equals(memberSelectExpressionTree.identifier().name()) || "addHeader".equals(memberSelectExpressionTree.identifier().name())){
Arguments arguments = tree.arguments();
if(arguments instanceof ArgumentListTreeImpl){
for (ExpressionTree argument : (ArgumentListTreeImpl) arguments) {
if(argument instanceof LiteralTreeImpl){
LiteralTreeImpl literalTree = (LiteralTreeImpl) argument;
if("STRING_LITERAL".equals(literalTree.kind().name())){
checker.context.reportIssue(checker, literalTree, "HTTP输入数据验证");
break;
}
}else if(argument instanceof IdentifierTreeImpl){
IdentifierTreeImpl identifierTree = (IdentifierTreeImpl) argument;
if(!list.contains(identifierTree.name())){
checker.context.reportIssue(checker, identifierTree, "HTTP输入数据验证");
break;
}
}
}
}
}
}
}
}
}

@ -0,0 +1,9 @@
<p>HTTP输入数据验证</p>
<h2>在写入HTTP响应的报头前对输入数据进行验证或编码,确保输入数据不包含回车换行字符。</h2>
<pre>
</pre>
<h2>合规解决方案</h2>
<pre>
</pre>

@ -0,0 +1,13 @@
{
"title": "HTTP输入数据验证",
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"28suo"
],
"defaultSeverity": "Minor"
}

@ -0,0 +1,25 @@
public class HttpInputDataRule {
public static void main(String[] args) {
// 假设有一个HttpServletResponse对象
HttpServletResponse response = new HttpServletResponse();
// 设置单个报头
response.setHeader("Content-Type", "text/plain"); // Noncompliant {{HTTP输入数据验证}}
// 添加多个报头
String a = "Cache-Control";
String b = "no-cache" ;
if(a = "asds"){
}
if(b = "asds"){
}
response.addHeader(a, b);
// response.addHeader("X-Custom-Header", "Custom Value");
// 其他操作...
}
}

@ -0,0 +1,31 @@
/*
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
* 项目名称Java 信息安全性设计准则
* 项目描述用于检查Java源代码的安全性设计准则的Sonarqube插件
* 版权说明本软件属北京关键科技股份有限公司所有在未获得北京关键科技股份有限公司正式授权情况下任何企业和个人不能获取阅读安装传播本软件涉及的任何受知识产权保护的内容
*/
package com.keyware.sonar.java.rules.checkers;
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier;
/**
* TODO HttpInputDataCheckerTest
*
* @author RenFengJiang
* @date 2024/1/12
*/
public class HttpInputDataCheckerTest {
@Test
void detected() {
HttpInputDataChecker rule = new HttpInputDataChecker();
CheckVerifier.newVerifier()
.onFile("src/test/files/HttpInputDataRule.java")
.withCheck(rule)
.withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssues();
}
}
Loading…
Cancel
Save