新增“程序设计时禁止动态构建代码进行功能实现”准则

wuhaoyang
renfengshan 11 months ago
parent b1987b0b02
commit be630738d5
  1. 4
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
  2. 58
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
  3. 9
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/DynamicCodeChecker.html
  4. 13
      sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/DynamicCodeChecker.json
  5. 22
      sonar-keyware-plugins-java/src/test/files/DynamicCodeCheckerRule.java
  6. 29
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/DynamicCodeCheckerTest.java

@ -8,6 +8,7 @@ package com.keyware.sonar.java.rules;
import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker; import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker; import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker;
import com.keyware.sonar.java.rules.checkers.DynamicCodeChecker;
import com.keyware.sonar.java.rules.checkers.PathAndKeywordCheck; import com.keyware.sonar.java.rules.checkers.PathAndKeywordCheck;
import org.sonar.plugins.java.api.JavaCheck; import org.sonar.plugins.java.api.JavaCheck;
@ -35,7 +36,8 @@ public final class RulesList {
return Collections.unmodifiableList(Arrays.asList( return Collections.unmodifiableList(Arrays.asList(
ABCVarNameChecker.class, ABCVarNameChecker.class,
AbsolutePathDetectorChecker.class, AbsolutePathDetectorChecker.class,
PathAndKeywordCheck.class PathAndKeywordCheck.class,
DynamicCodeChecker.class
/*SpringControllerRequestMappingEntityRule.class, /*SpringControllerRequestMappingEntityRule.class,
AvoidAnnotationRule.class, AvoidAnnotationRule.class,
AvoidBrandInMethodNamesRule.class, AvoidBrandInMethodNamesRule.class,

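--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/DynamicCodeChecker.java
@@ -0,0 +1,58 @@
+package com.keyware.sonar.java.rules.checkers;
+import org.sonar.check.Rule;
+import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.*;
+import org.springframework.expression.EvaluationException;
+import java.lang.reflect.Method;
+import java.sql.ClientInfoStatus;
+import java.util.Collections;
+import java.util.List;
+@Rule(key = "SessionExpirationDateChecker")
+//检测代码中包含动态代码执行操作时,工具进行提示
+public class DynamicCodeChecker extends SubscriptionVisitor {
+@Override
+public List<Tree.Kind> nodesToVisit() {
+/**
+* Tree.Kind.METHOD方法节点
+* Tree.Kind.BLOCK方法的代码块节点
+* Tree.Kind.METHOD_INVOCATION 方法的调用节点
+*/
+return Collections.singletonList(
+Tree.Kind.METHOD_INVOCATION
+);
+}
+@Override
+public void visitNode(Tree tree) {
+MethodInvocationTree node = (MethodInvocationTree) tree;
+System.out.println(node);
+var expressionTree = node.methodSelect();
+if (expressionTree instanceof MemberSelectExpressionTree) {
+var exprTree = (MemberSelectExpressionTree) expressionTree;
+var name = exprTree.identifier();
+if ("eval".equals(name.toString())) {
+var varNameNode = exprTree.expression();
+if (varNameNode instanceof IdentifierTree) {
+var varName = (IdentifierTree) varNameNode;
+var symbol = varName.symbol();
+var varDecler = symbol.declaration();
+if (varDecler != null) {
+var variableTree = (VariableTree) varDecler;
+var typeName = variableTree.type().toString();
+if ("ScriptEngine".equals(typeName)) {
+context.reportIssue(this, tree, "程序设计时禁止动态构建代码进行功能实现");
+}
+}
+}
+}
+}
+}
+}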
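Review bot: The key on the `@Rule` annotation does not match the class or its resource files — the description and metadata are shipped as `DynamicCodeChecker.html`/`DynamicCodeChecker.json`, which Sonar resolves by rule key, so with `SessionExpirationDateChecker` they will not be found and the key may collide with another rule; change it to `@Rule(key = "DynamicCodeChecker")`. In `visitNode` the result of `symbol.declaration()` is cast to `VariableTree` unchecked, so an `eval` invoked on an identifier that resolves to a class (a static call) throws a `ClassCastException` that aborts analysis of the file; the `System.out.println(node)` executed for every method invocation and the unused `EvaluationException`, `Method` and `ClientInfoStatus` imports (the first dragging Spring onto the plugin classpath) should also go. Matching the declared simple type name `"ScriptEngine"` only catches a variable declared with exactly that text and misses fields, chained calls such as `getEngineByName(...).eval(...)`, fully qualified declarations and engine subtypes; resolving the receiver's type semantically, as below, covers those, at the cost of needing `javax.script` resolvable on the analysis classpath (a JDK type, so normally present — worth confirming against the test-jars setup). The Javadoc in `nodesToVisit` lists `METHOD` and `BLOCK` kinds that are not returned and should be trimmed to the one kind actually subscribed.
```java
@Override
public void visitNode(Tree tree) {
    MethodInvocationTree node = (MethodInvocationTree) tree;
    if (!(node.methodSelect() instanceof MemberSelectExpressionTree)) {
        return;
    }
    MemberSelectExpressionTree select = (MemberSelectExpressionTree) node.methodSelect();
    if (!"eval".equals(select.identifier().name())) {
        return;
    }
    // Resolve the receiver's type instead of comparing the declared simple name:
    // covers fields, parameters, chained calls and ScriptEngine subtypes without
    // casting the declaration tree. A receiver whose type cannot be resolved is
    // not reported rather than crashing the analysis.
    if (select.expression().symbolType().isSubtypeOf("javax.script.ScriptEngine")) {
        context.reportIssue(this, tree, "程序设计时禁止动态构建代码进行功能实现");
    }
}
```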

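--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/DynamicCodeChecker.html
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/DynamicCodeChecker.html
@@ -0,0 +1,9 @@
+<h2>程序设计时禁止动态构建代码进行功能实现</h2>
+<p>程序设计时禁止动态构建代码进行功能实现,如必须动态构建,应在动态构建代码语句前对输入数据进行验证,确保仅能用于构建允许执行的代码</p>
+<pre>
+</pre>
+<h2>合规解决方案</h2>
+<pre>
+</pre>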

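--- a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/DynamicCodeChecker.json
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/DynamicCodeChecker.json
@@ -0,0 +1,13 @@
+{
+"title": "程序设计时禁止动态构建代码进行功能实现",
+"type": "CODE_SMELL",
+"status": "ready",
+"remediation": {
+"func": "Constant\/Issue",
+"constantCost": "5min"
+},
+"tags": [
+"28suo"
+],
+"defaultSeverity": "Minor"
+}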
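Review bot: `"type": "CODE_SMELL"` together with `"defaultSeverity": "Minor"` files a rule about executing dynamically built code as a maintainability issue, so its findings stay out of SonarQube's security views where reviewers would look for them. Since the accompanying description asks for input validation before any dynamic construction, `"type": "SECURITY_HOTSPOT"` (or `"VULNERABILITY"` if every occurrence is meant to fail) describes it better, and adding `"security"` next to `"28suo"` in `tags` makes it filterable with the other security rules.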

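--- a/sonar-keyware-plugins-java/src/test/files/DynamicCodeCheckerRule.java
+++ b/sonar-keyware-plugins-java/src/test/files/DynamicCodeCheckerRule.java
@@ -0,0 +1,22 @@
+class DynamicCode {
+public void dyan() {
+String regular = "function regular(args1,args2,args3){................}";
+ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
+try {
+engine.eval(regular); // Noncompliant {{程序设计时禁止动态构建代码进行功能实现}}
+if (engine instanceof Invocable) {
+Invocable invoke = (Invocable) engine;
+String result = (String) invoke.invokeFunction(
+"regular",
+args1,
+args2,
+args3);
+System.out.println(result);
+} else {
+System.out.println("error");
+}
+} catch (ScriptException e) {
+System.out.println("表达式runtime错误:" + e.getMessage());
+}
+}
+}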
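Review bot: The fixture exercises only the one expected hit, so nothing guards against false positives — an `eval` method on any other receiver type is never shown to pass — nor against the misses the checker has today (an engine held in a field or obtained through a chained call). A compliant line such as `void parse(Expression expr) { expr.eval("x"); }` with no `// Noncompliant` marker, plus a field-based engine case marked as expected, would pin both directions. The file also has no imports for `javax.script` and uses undeclared `args1`–`args3`; CheckVerifier tolerates that, but since the checker resolves declarations through the semantic model it is worth confirming the `ScriptEngine` type still resolves under the `target/test-jars` classpath.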

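--- a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/DynamicCodeCheckerTest.java
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/DynamicCodeCheckerTest.java
@@ -0,0 +1,29 @@
+package com.keyware.sonar.java.rules.checkers;
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+public class DynamicCodeCheckerTest {
+@Test
+void detected() {
+DynamicCodeChecker rule = new DynamicCodeChecker();
+// Verifies that the check will raise the adequate issues with the expected message.
+// In the test file, lines which should raise an issue have been commented out
+// by using the following syntax: "// Noncompliant {{EXPECTED_MESSAGE}}"
+CheckVerifier.newVerifier()
+.onFile("src/test/files/DynamicCodeCheckerRule.java")
+.withCheck(rule)
+.withClassPath(FilesUtils.getClassPath("target/test-jars"))
+.verifyIssues();
+}
+}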