From 9e87bd6efbf77fa10c25309cd052be1a2ea79fff Mon Sep 17 00:00:00 2001
From: wuhaoyang <2507865306@qq.com>
Date: Mon, 29 Jan 2024 17:00:47 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0java=E8=A2=AB=E6=B5=8B?=
=?UTF-8?q?=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../com/keyware/sonar/ABCVarNameRule.java | 14 ++
.../sonar/AbsolutePathDetectorRule.java | 18 ++
.../keyware/sonar/AuthenticationChecker.java | 24 ++
.../sonar/AvoidSensitiveInfoInLogsCheck.java | 19 ++
.../sonar/CookieSensitiveParameterCheck.java | 15 ++
.../keyware/sonar/DynamicCodeCheckerRule.java | 35 +++
.../sonar/DynamicLibraryLoadChecker.java | 10 +
.../com/keyware/sonar/ErrorMessageRule.java | 13 ++
.../java/com/keyware/sonar/FileCheck.java | 22 ++
.../keyware/sonar/HashSaltPassWordRule.java | 32 +++
.../com/keyware/sonar/HttpInputDataRule.java | 219 ++++++++++++++++++
.../com/keyware/sonar/InputSQLVerifyRule.java | 40 ++++
.../keyware/sonar/Md5PassWordVerifyRule.java | 29 +++
.../com/keyware/sonar/OptionsVerifyRule.java | 27 +++
.../sonar/PasswordInputTagChecker.html | 14 ++
.../com/keyware/sonar/PasswordRegexCheck.java | 17 ++
.../keyware/sonar/PathAndKeywordCheck.java | 14 ++
.../com/keyware/sonar/RSAEncryptionRule.java | 34 +++
.../com/keyware/sonar/RedirectUrlChecker.java | 41 ++++
.../com/keyware/sonar/SecurityCookieRule.java | 24 ++
.../keyware/sonar/SendMessageVerifyRule.java | 25 ++
.../sonar/SessionCacheParamsChecker.java | 35 +++
.../keyware/sonar/SystemFunctionChecker.java | 16 ++
.../keyware/sonar/UploadFileVerifyRule.java | 53 +++++
.../keyware/sonar/UpperCycleLimitRule.java | 17 ++
.../sonar/UserStatusVerifyChecker.java | 72 ++++++
26 files changed, 879 insertions(+)
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/InputSQLVerifyRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/Md5PassWordVerifyRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/PasswordInputTagChecker.html
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/PasswordRegexCheck.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/PathAndKeywordCheck.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/RSAEncryptionRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/RedirectUrlChecker.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/SecurityCookieRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/SendMessageVerifyRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/SessionCacheParamsChecker.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/SystemFunctionChecker.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/UploadFileVerifyRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/UpperCycleLimitRule.java
create mode 100644 uut-example/java/src/main/java/com/keyware/sonar/UserStatusVerifyChecker.java
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java b/uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java
new file mode 100644
index 0000000..10e4b71
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java
@@ -0,0 +1,14 @@
+public class ABCVarNameRule {
+
+ private static String ABC = "abc"; // Noncompliant {{不能使用ABC作为变量名}}
+ private static String edf = "edf";
+
+ public String getABC(){
+ return ABC;
+ }
+ public void test(){
+ System.out.println(ABC);
+ }
+
+
+}
\ No newline at end of file
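Review bot: None of the new fixtures declare a package although they live under `src/main/java/com/keyware/sonar/`; javac places `ABCVarNameRule` in the unnamed package, so a rule or harness that resolves the fully qualified name `com.keyware.sonar.ABCVarNameRule` will not find it, and most IDEs flag the package/directory mismatch. Add `package com.keyware.sonar;` as the first line here and in the sibling files. Nothing in the file says it is a test fixture; a one-line header such as `// Sonar rule fixture: lines marked Noncompliant are the issues the rule must raise` would help whoever maintains these.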
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java b/uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java
new file mode 100644
index 0000000..0b44079
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java
@@ -0,0 +1,18 @@
+
+public class AbsolutePathDetectorRule{
+ // 使用绝对路径读取配置文件,触发规则
+ String configFilePath = "/path/to/config.properties"; // Noncompliant {{读取配置文件或者服务器中文件时不可使用绝对路径}}
+
+ // 使用相对路径读取配置文件,不触发规则
+ String relativePath = "config.properties";
+
+ public String getABC(){
+ return configFilePath;
+ }
+
+ public void test(){
+ System.out.println(configFilePath);
+ }
+
+
+}
\ No newline at end of file
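Review bot: The only absolute path exercised is the POSIX form `/path/to/config.properties`; a Windows drive path or a `file:` URI is equally absolute, and a rule that passes this fixture could still miss both. Add `String winPath = "C:\\path\\to\\config.properties"; // Noncompliant {{读取配置文件或者服务器中文件时不可使用绝对路径}}` and `String uriPath = "file:///etc/app.properties"; // Noncompliant {{读取配置文件或者服务器中文件时不可使用绝对路径}}` next to the existing field. The `getABC` name carried over from the previous fixture is misleading here; `getConfigFilePath` would read better.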
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java b/uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java
new file mode 100644
index 0000000..c341e76
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java
@@ -0,0 +1,24 @@
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+@Controller
+public class AuthenticationChecker {
+
+ @PostMapping("/account/aa")
+ public String login() {
+ return "login";
+ }
+
+
+ @PostMapping(value ={"/path/bb", "/path/www", "/path/eee"})
+ public String signin() {
+ return "login";
+ }
+
+ @RequestMapping("/myapp/cc")
+ public String auth() {
+ return "login";
+ }
+
+}
\ No newline at end of file
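Review bot: This fixture carries no `// Noncompliant` marker, so it is not clear whether AuthenticationChecker expects zero issues or whether the markers were forgotten; every other fixture in the patch marks its expected lines. `@RequestMapping("/myapp/cc")` on `auth()` accepts every HTTP method, including GET, which is the kind of unrestricted authentication endpoint such a checker would be expected to flag — if that is the intent, mark that line; if no issue is expected, say so with `// Compliant: no issue expected in this file` so a future regression is recognisable. As written, the fixture cannot fail in a way that tells the reader which case broke.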
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java b/uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java
new file mode 100644
index 0000000..0135c54
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java
@@ -0,0 +1,19 @@
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+public class AvoidSensitiveInfoInLogsCheck {
+ private static final Logger logger = LoggerFactory.getLogger(AvoidSensitiveInfoInLogsCheck.class);
+
+ public void sensitiveOperation() {
+ String password = "password";
+ String token = "password";
+ String secret = "password";
+
+
+ logger.error(password); // Noncompliant {{日志中包含敏感信息}}
+ logger.info(token); // Noncompliant {{日志中包含敏感信息}}
+ logger.debug(secret); // Noncompliant {{日志中包含敏感信息}}
+ logger.warn(password); // Noncompliant {{日志中包含敏感信息}}
+ logger.trace(password); // Noncompliant {{日志中包含敏感信息}}
+
+ }
+}
\ No newline at end of file
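Review bot: The fixture only covers the `logger.x(variable)` form and has no compliant call, so a rule that flags every Logger invocation would pass it. Add a compliant line such as `logger.info("user login succeeded"); // Compliant` and the parameterized form real code uses, `logger.info("token={}", token); // Noncompliant {{日志中包含敏感信息}}`, where the sensitive value is not the first argument. All three locals hold the literal `"password"`; if the rule keys on identifier names rather than values, a comment saying so (`// the rule matches on the variable name, not its value`) would save the next reader a guess.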
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java b/uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java
new file mode 100644
index 0000000..08531da
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java
@@ -0,0 +1,15 @@
+import javax.servlet.http.Cookie;
+
+public class CookieSensitiveParameterCheck {
+
+ public void func1(){
+
+ String password = "";
+
+ Cookie invalidCookie1 = new Cookie("password", "1321"); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+ Cookie invalidCookie2 = new Cookie(password, "1"); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+ Cookie invalidCookie3 = new Cookie("213", password); // Noncompliant {{Cookie参数设置中包含敏感字段}}
+
+ }
+
+}
\ No newline at end of file
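Review bot: All three `Cookie` constructions are expected issues and there is no negative case, so the fixture cannot distinguish "flags cookies carrying sensitive data" from "flags every `new Cookie`". Add a compliant construction, e.g. `Cookie ok = new Cookie("theme", "dark"); // Compliant`, and ideally one where the sensitive name comes from a method return rather than a local, since invalidCookie2/3 only cover an identifier literally named `password`. The empty `password` local is fine for a fixture, but `// value irrelevant; the rule keys on the identifier` would make that explicit.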
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java b/uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java
new file mode 100644
index 0000000..a1a3ec8
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java
@@ -0,0 +1,35 @@
+import javax.script.Invocable;
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import javax.script.ScriptException;
+
+public class DynamicCodeCheckerRule {
+
+ public void dyan() {
+
+ String args1 = "args1";
+ String args2 = "args2";
+ String args3 = "args3";
+
+ String regular = "function regular(args1,args2,args3){................}";
+ ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
+ try {
+ engine.eval(regular); // Noncompliant {{程序设计时禁止动态构建代码进行功能实现}}
+ if (engine instanceof Invocable) {
+ Invocable invoke = (Invocable) engine;
+ String result = (String) invoke.invokeFunction(
+ "regular",
+ args1,
+ args2,
+ args3);
+ System.out.println(result);
+ } else {
+ System.out.println("error");
+ }
+ } catch (ScriptException | NoSuchMethodException e) {
+ System.out.println("表达式runtime错误:" + e.getMessage());
+ }
+ }
+
+
+}
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java b/uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java
new file mode 100644
index 0000000..cae1280
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java
@@ -0,0 +1,10 @@
+// 在动态加载库前对输入数据进行验证,确保输入数据仅能用于加载允许加载的代码库
+public class DynamicLibraryLoadChecker {
+
+ public void loadLibrary(String libraryName, int number) {
+ String abc = "bac";
+ System.loadLibrary("/path/to/your/library");
+ System.loadLibrary(libraryName); // Noncompliant {{在动态加载库前对输入数据进行验证,确保输入数据仅能用于加载允许加载的代码库}}
+
+ }
+}
\ No newline at end of file
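Review bot: `System.loadLibrary("/path/to/your/library")` misuses the API — `loadLibrary` takes a bare library name that is mapped and searched on `java.library.path`, while a full path belongs to `System.load`; as the "compliant" example it would throw `UnsatisfiedLinkError` at run time, and a rule exercised only against `loadLibrary` will miss `System.load(path)` and `Runtime.getRuntime().load/loadLibrary`, which are the same sink. Change that line to `System.loadLibrary("mylib"); // Compliant: constant library name` and add `System.load(libraryName); // Noncompliant {{在动态加载库前对输入数据进行验证,确保输入数据仅能用于加载允许加载的代码库}}`. The unused `abc` local and `number` parameter can be dropped.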
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java b/uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java
new file mode 100644
index 0000000..95dfc49
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java
@@ -0,0 +1,13 @@
+public class ErrorMessageRule {
+ public static void main(String[] args) {
+ try {
+ String weapon = "A";
+ String a = "1";
+ // Try block to check for exceptions
+ throw new Exception("Java Exception"+weapon + a);// Noncompliant {{错误消息中不得包含敏感信息}}
+ } catch (Exception e) {
+ // Catch block to handle the exception
+ System.out.println("Caught Exception: " + e.getMessage());
+ }
+ }
+}
\ No newline at end of file
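Review bot: The marked line concatenates two locals named `weapon` and `a` into the exception message, neither of which is sensitive, so it is unclear what the rule keys on — any concatenation into an exception message, or a sensitive identifier name. If it is concatenation, add the baseline `throw new Exception("Java Exception"); // Compliant`; if it is identifiers, rename the local to `password` so the fixture documents the trigger. Note that the actual disclosure happens where `e.getMessage()` is printed in the catch block; a rule scoped to the `throw` site will not catch exceptions that are merely caught and echoed, which may deserve a second fixture.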
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java b/uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java
new file mode 100644
index 0000000..47d46e5
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java
@@ -0,0 +1,22 @@
+public class FileCheck{
+
+ public String FileName(){
+ String fileName = "";
+ String fileExt = "";
+ String fileSuffix = "";
+
+ if(fileName.endsWith("png") ){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+
+ }
+
+ if(fileExt.equals("jpg") ){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+
+ }
+
+ if(fileSuffix.equals("jpg")){// Noncompliant {{在服务器端不允许仅仅依赖文件的名称或者扩展后缀决定软件的行为,应依赖文件的内容决定软件的行为}}
+
+ }
+ return null;
+ }
+
+}
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java b/uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java
new file mode 100644
index 0000000..5068c1f
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java
@@ -0,0 +1,32 @@
+
+public class HashSaltPassWordRule {
+
+ public static void cs(Student student){
+
+ // 结合盐值和口令进行散列计算
+// String hashedPassword = BCrypt.hashpw(password, BCrypt.gensalt());
+
+ student.setPassWord("password");// Noncompliant {{应使用盐值计算口令}}
+
+ }
+
+ static class Student {
+ private String name;
+ private String password;
+
+ public Student(String name, String password) {
+ this.name = name;
+ this.password = password;
+ }
+
+ public void setPassWord(String password) {
+ this.password = password;
+ }
+
+ @Override
+ public String toString() {
+ return "Student{" + "name='" + name + '\'' + ", password='" + password + '\'' + '}';
+ }
+ }
+
+}
diff --git a/uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java b/uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java
new file mode 100644
index 0000000..8ee9d4a
--- /dev/null
+++ b/uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java
@@ -0,0 +1,219 @@
+
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Collection;
+import java.util.Locale;
+
+public class HttpInputDataRule {
+
+ public static void main(String[] args) {
+ // 假设有一个HttpServletResponse对象
+ HttpServletResponse response = new HttpServletResponse() {
+ @Override
+ public String getCharacterEncoding() {
+ return null;
+ }
+
+ @Override
+ public String getContentType() {
+ return null;
+ }
+
+ @Override
+ public ServletOutputStream getOutputStream() throws IOException {
+ return null;
+ }
+
+ @Override
+ public PrintWriter getWriter() throws IOException {
+ return null;
+ }
+
+ @Override
+ public void setCharacterEncoding(String s) {
+
+ }
+
+ @Override
+ public void setContentLength(int i) {
+
+ }
+
+ @Override
+ public void setContentLengthLong(long l) {
+
+ }
+
+ @Override
+ public void setContentType(String s) {
+
+ }
+
+ @Override
+ public void setBufferSize(int i) {
+
+ }
+
+ @Override
+ public int getBufferSize() {
+ return 0;
+ }
+
+ @Override
+ public void flushBuffer() throws IOException {
+
+ }
+
+ @Override
+ public void resetBuffer() {
+
+ }
+
+ @Override
+ public boolean isCommitted() {
+ return false;
+ }
+
+ @Override
+ public void reset() {
+
+ }
+
+ @Override
+ public void setLocale(Locale locale) {
+
+ }
+
+ @Override
+ public Locale getLocale() {
+ return null;
+ }
+
+ @Override
+ public void addCookie(Cookie cookie) {
+
+ }
+
+ @Override
+ public boolean containsHeader(String s) {
+ return false;
+ }
+
+ @Override
+ public String encodeURL(String s) {
+ return null;
+ }
+
+ @Override
+ public String encodeRedirectURL(String s) {
+ return null;
+ }
+
+ @Override
+ public String encodeUrl(String s) {
+ return null;
+ }
+
+ @Override
+ public String encodeRedirectUrl(String s) {
+ return null;
+ }
+
+ @Override
+ public void sendError(int i, String s) throws IOException {
+
+ }
+
+ @Override
+ public void sendError(int i) throws IOException {
+
+ }
+
+ @Override
+ public void sendRedirect(String s) throws IOException {
+
+ }
+
+ @Override
+ public void setDateHeader(String s, long l) {
+
+ }
+
+ @Override
+ public void addDateHeader(String s, long l) {
+
+ }
+
+ @Override
+ public void setHeader(String s, String s1) {
+
+ }
+
+ @Override
+ public void addHeader(String s, String s1) {
+
+ }
+
+ @Override
+ public void setIntHeader(String s, int i) {
+
+ }
+
+ @Override
+ public void addIntHeader(String s, int i) {
+
+ }
+
+ @Override
+ public void setStatus(int i) {
+
+ }
+
+ @Override
+ public void setStatus(int i, String s) {
+
+ }
+
+ @Override
+ public int getStatus() {
+ return 0;
+ }
+
+ @Override
+ public String getHeader(String s) {
+ return null;
+ }
+
+ @Override
+ public Collection
+Test for PasswordInputTagChecker
+Test 1 - FAIL
+