优化java配置文件被测件

wuhaoyang
wuhaoyang 12 months ago
parent c480a220c7
commit b6e02e866c
  1. 125
      uut-example/java/pom.xml
  2. 2
      uut-example/java/src/main/java/com/keyware/sonar/ABCVarNameRule.java
  3. 1
      uut-example/java/src/main/java/com/keyware/sonar/AbsolutePathDetectorRule.java
  4. 2
      uut-example/java/src/main/java/com/keyware/sonar/AuthenticationChecker.java
  5. 2
      uut-example/java/src/main/java/com/keyware/sonar/AvoidSensitiveInfoInLogsCheck.java
  6. 5
      uut-example/java/src/main/java/com/keyware/sonar/CookieSensitiveParameterCheck.java
  7. 2
      uut-example/java/src/main/java/com/keyware/sonar/DynamicCodeCheckerRule.java
  8. 2
      uut-example/java/src/main/java/com/keyware/sonar/DynamicLibraryLoadChecker.java
  9. 2
      uut-example/java/src/main/java/com/keyware/sonar/ErrorMessageRule.java
  10. 2
      uut-example/java/src/main/java/com/keyware/sonar/FileCheck.java
  11. 1
      uut-example/java/src/main/java/com/keyware/sonar/HashSaltPassWordRule.java
  12. 22
      uut-example/java/src/main/java/com/keyware/sonar/HttpInputDataRule.java
  13. 3
      uut-example/java/src/main/java/com/keyware/sonar/InputSQLVerifyRule.java
  14. 2
      uut-example/java/src/main/java/com/keyware/sonar/Md5PassWordVerifyRule.java
  15. 8
      uut-example/java/src/main/java/com/keyware/sonar/OptionsVerifyRule.java
  16. 1
      uut-example/java/src/main/java/com/keyware/sonar/PasswordRegexCheck.java
  17. 1
      uut-example/java/src/main/java/com/keyware/sonar/PathAndKeywordCheck.java
  18. 2
      uut-example/java/src/main/java/com/keyware/sonar/RSAEncryptionRule.java
  19. 1
      uut-example/java/src/main/java/com/keyware/sonar/RedirectUrlChecker.java
  20. 7
      uut-example/java/src/main/java/com/keyware/sonar/SecurityCookieRule.java
  21. 2
      uut-example/java/src/main/java/com/keyware/sonar/SendMessageVerifyRule.java
  22. 12
      uut-example/java/src/main/java/com/keyware/sonar/SessionCacheParamsChecker.java
  23. 2
      uut-example/java/src/main/java/com/keyware/sonar/SystemFunctionChecker.java
  24. 10
      uut-example/java/src/main/java/com/keyware/sonar/UploadFileVerifyRule.java
  25. 2
      uut-example/java/src/main/java/com/keyware/sonar/UpperCycleLimitRule.java
  26. 22
      uut-example/java/src/main/java/com/keyware/sonar/UserStatusVerifyChecker.java

@ -3,16 +3,129 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>com.keyware.sonar</groupId>
<artifactId>sonar-keyware</artifactId>
<version>1.0</version>
</parent>
<!--<groupId>com.keyware.sonar</groupId>-->
<groupId>com.keyware.sonar</groupId>
<artifactId>uut-example</artifactId>
<version>1.0</version>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>2.1.6.RELEASE</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>RELEASE</version>
</dependency>
<!-- 配置文件绑定提示 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<version>2.1.6.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<version>2.1.6.RELEASE</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
<version>RELEASE</version>
</dependency>
<!--引入druid数据源-->
<!-- https://mvnrepository.com/artifact/com.alibaba/druid -->
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>druid</artifactId>
<version>1.1.8</version>
</dependency>
<!-- 引入mybatis的starter-->
<dependency>
<groupId>org.mybatis.spring.boot</groupId>
<artifactId>mybatis-spring-boot-starter</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>20.0</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>3.5</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.1</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.28</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.2.2</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.2.2</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.4</version>
</dependency>
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.3.1</version>
</dependency>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
<version>10.1.18</version>
<scope>compile</scope>
</dependency>
</dependencies>
<properties>
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
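Review bot: `tomcat-embed-core 10.1.18` is added next to `spring-boot-starter-web 2.1.6.RELEASE`, which already embeds a Servlet 4 (javax) Tomcat 9, so two incompatible Tomcat lines end up on one classpath, and the `jakarta.servlet` imports this commit introduces in CookieSensitiveParameterCheck, HttpInputDataRule, OptionsVerifyRule, SecurityCookieRule, SessionCacheParamsChecker and UserStatusVerifyChecker will compile but never be wired in by Spring Boot 2.1, which only registers javax filters and controllers. Either stay on javax and drop the tomcat-embed-core dependency, or move the example project to a Spring Boot line where jakarta is the native namespace. Separately, `<version>RELEASE</version>` for lombok and mysql-connector-java is a deprecated meta-version whose resolution changes with repository state, so the build is not reproducible; pin concrete versions. The pinned fastjson 1.2.28 and commons-fileupload 1.3.1 are old releases with published deserialization advisories; if they are here only to let the examples compile rather than to be exhibited as findings, prefer current patched releases.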

@ -1,3 +1,5 @@
package com.keyware.sonar;
public class ABCVarNameRule {
private static String ABC = "abc"; // Noncompliant {{不能使用ABC作为变量名}}

@ -1,3 +1,4 @@
package com.keyware.sonar;
public class AbsolutePathDetectorRule{
// 使用绝对路径读取配置文件,触发规则

@ -1,3 +1,5 @@
package com.keyware.sonar;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@ -1,3 +1,5 @@
package com.keyware.sonar;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class AvoidSensitiveInfoInLogsCheck {

@ -1,4 +1,7 @@
import javax.servlet.http.Cookie;
package com.keyware.sonar;
import jakarta.servlet.http.Cookie;
public class CookieSensitiveParameterCheck {

@ -1,3 +1,5 @@
package com.keyware.sonar;
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;

@ -1,3 +1,5 @@
package com.keyware.sonar;
// 在动态加载库前对输入数据进行验证,确保输入数据仅能用于加载允许加载的代码库
public class DynamicLibraryLoadChecker {

@ -1,3 +1,5 @@
package com.keyware.sonar;
public class ErrorMessageRule {
public static void main(String[] args) {
try {

@ -1,3 +1,5 @@
package com.keyware.sonar;
public class FileCheck{
public String FileName(){

@ -1,3 +1,4 @@
package com.keyware.sonar;
public class HashSaltPassWordRule {

@ -1,7 +1,9 @@
package com.keyware.sonar;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collection;
@ -112,15 +114,6 @@ public class HttpInputDataRule {
return null;
}
@Override
public String encodeUrl(String s) {
return null;
}
@Override
public String encodeRedirectUrl(String s) {
return null;
}
@Override
public void sendError(int i, String s) throws IOException {
@ -172,11 +165,6 @@ public class HttpInputDataRule {
}
@Override
public void setStatus(int i, String s) {
}
@Override
public int getStatus() {
return 0;

@ -1,7 +1,8 @@
package com.keyware.sonar;
import java.sql.*;
public class InputSQLVerifyRile {
public class InputSQLVerifyRule {
private static final String DB_URL = "jdbc:mysql://localhost:3306/mydatabase";
private static final String USER = "username";
private static final String PASS = "password";

@ -1,3 +1,5 @@
package com.keyware.sonar;
public class Md5PassWordVerifyRule{
public static void cs(Student student){
// 结合盐值和口令进行散列计算

@ -1,7 +1,9 @@
package com.keyware.sonar;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class OptionsVerifyRule implements Filter {

@ -1,3 +1,4 @@
package com.keyware.sonar;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

@ -1,3 +1,4 @@
package com.keyware.sonar;
import java.io.File;
import java.net.URI;

@ -1,4 +1,4 @@
package com.keyware.sonar;
import javax.crypto.Cipher;
import java.security.*;

@ -1,3 +1,4 @@
package com.keyware.sonar;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@ -1,7 +1,8 @@
import javax.servlet.http.HttpServletResponse;
package com.keyware.sonar;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
public class SecurityCookieRule {

@ -1,3 +1,5 @@
package com.keyware.sonar;
import java.io.DataOutputStream;
import java.net.ServerSocket;
import java.net.Socket;

@ -1,11 +1,13 @@
package com.keyware.sonar;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class SessionCacheParamsChecker {
private static final long serialVersionUID = 1391640560504378168L;

@ -1,4 +1,4 @@
package com.keyware.sonar;
import java.io.IOException;

@ -1,3 +1,5 @@
package com.keyware.sonar;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.PostMapping;
@ -29,7 +31,7 @@ public class UploadFileVerifyRule {
}
//获取文件原始名称
String originalFilename = file.getOriginalFilename();
String type = FileUtil.extName(originalFilename);
String type = extName(originalFilename);
// if(type == ""){
//
// }
@ -44,10 +46,10 @@ public class UploadFileVerifyRule {
return "上传成功";
}
class FileUtil{
public static String extName(String filename){
public String extName(String filename){
// 根据文件名获取文件后缀
return filename.substring(filename.lastIndexOf(".") + 1);
}
}
}
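Review bot: The unqualified call `String type = extName(originalFilename);` on the new side resolves against `UploadFileVerifyRule`, not against the inner class `FileUtil` where `extName` is now declared, so it will not compile unless the outer class has its own `extName` (not visible here; the upload method starts outside the hunk). The switch from static to instance method was presumably made because a `static` method is not allowed in a non-static inner class at the pom's Java 11 level; the clean fix is `static class FileUtil{` with `public static String extName(String filename){` kept static and the call restored to `String type = FileUtil.extName(originalFilename);`. Note also that `extName` returns the whole filename when there is no `.` (`lastIndexOf` yields -1) and throws NullPointerException when `getOriginalFilename()` returns null, so any extension allow-list built on `type` should treat both cases as "no extension" rather than let them through.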

@ -1,3 +1,5 @@
package com.keyware.sonar;
public class UpperCycleLimitRule {
public static void Upper(int number){

@ -1,13 +1,14 @@
package com.keyware.sonar;
import com.fasterxml.classmate.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
public class UserStatusVerifyChecker {
@ -34,7 +35,7 @@ public class UserStatusVerifyChecker {
}
HttpSession newSession = request.getSession(true);
newSession.setMaxInactiveInterval(30 * 60);
newSession.setAttribute("username", username);
newSession.setAttribute("username", "username");
chain.doFilter(req, resp); // 继续执行下一个过滤器或请求
} else {
req.getRequestDispatcher("/login.jsp").forward(req, resp); // 跳转到登录页面
@ -48,14 +49,13 @@ public class UserStatusVerifyChecker {
}
public class AuthenticationInterceptor extends HandlerInterceptorAdapter {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {// Noncompliant {{对用户进行身份鉴别并建立一个新的会话时让原来的会话失效}}
boolean isValidUser = false;
String username = request.getParameter("username");
String password = request.getParameter("password");
isValidUser = UserService.validate(username, password);
if (isValidUser) {
// HttpSession oldSession = request.getSession(false);
HttpSession oldSession = request.getSession(false);
if (oldSession != null) {
oldSession.invalidate();
}
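Review bot: `import com.fasterxml.classmate.Filter;` on the new side is the wrong `Filter`: classmate's `Filter` is an unrelated single-method interface from a type-resolution library, while `chain.doFilter(req, resp);` in the next hunk indicates this class implements a servlet filter (the class header with its `implements` clause is outside the hunk, so this is inferred). If the javax-to-jakarta switch left `Filter` unresolved and an IDE picked this one, the import should be `import jakarta.servlet.Filter;`. In the second hunk `newSession.setAttribute("username", "username");` replaces the authenticated user's name with a constant literal, so the fresh session no longer records which user was verified; if `username` is out of scope in that method, pass it in rather than hard-coding the attribute value. In the third hunk `preHandle` is annotated `@Override` but now takes jakarta `HttpServletRequest`/`HttpServletResponse` while `HandlerInterceptorAdapter` is a javax-based Spring 5 type, so the signature no longer matches the parent and the `@Override` will fail to compile.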
