commit
df706d522d
@ -0,0 +1,42 @@ |
||||
/* |
||||
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||
* 项目名称:信息安全性设计准则检查插件 |
||||
* 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 |
||||
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||
*/ |
||||
package com.keyware.sonar.java.rules.checkers; |
||||
|
||||
import org.sonar.check.Rule; |
||||
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
||||
import org.sonar.plugins.java.api.tree.Tree; |
||||
|
||||
import javax.annotation.Nonnull; |
||||
import java.util.List; |
||||
|
||||
/** |
||||
* 将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中,程序使用该数据须通过会话获取 |
||||
* <p>在Java web应用开发中,隐藏域字段、Cookie、URL等关键参数应通过会话获取和传递。</p> |
||||
* |
||||
* @author GuoXin |
||||
* @date 2024/1/24 |
||||
*/ |
||||
@Rule(key = "SessionCacheParamsChecker") |
||||
public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor { |
||||
private static final List<String> HIDED_PARAMS = List.of( |
||||
"id", |
||||
"token" |
||||
); |
||||
|
||||
|
||||
@Override |
||||
public List<Tree.Kind> nodesToVisit() { |
||||
return List.of(Tree.Kind.METHOD_INVOCATION); |
||||
} |
||||
|
||||
@Override |
||||
public void visitNode(@Nonnull Tree tree) { |
||||
|
||||
} |
||||
|
||||
|
||||
} |
@ -0,0 +1,22 @@ |
||||
package com.example; |
||||
import javax.servlet.http.HttpServlet; |
||||
import javax.servlet.http.HttpServletRequest; |
||||
import javax.servlet.http.HttpServletResponse; |
||||
import javax.servlet.http.HttpSession; |
||||
public class ExampleServlet extends HttpServlet { |
||||
public void doGet(HttpServletRequest request, HttpServletResponse response) { |
||||
// 直接从request获取参数
|
||||
String param = request.getParameter("userId"); // Noncompliant {{建议将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中,并通过会话获取}}
|
||||
|
||||
// 直接从request获取Cookies
|
||||
Cookie[] cookies = request.getCookies(); |
||||
// 将参数存储到session
|
||||
HttpSession session = request.getSession(); |
||||
session.setAttribute("sessionParam", param); |
||||
// 其他代码...
|
||||
} |
||||
|
||||
private void get(HttpServletRequest request, HttpServletResponse response){ |
||||
|
||||
} |
||||
} |
@ -0,0 +1,6 @@ |
||||
<foo> |
||||
<!-- Non-Compliant --> |
||||
<!-- Compliant --> |
||||
</foo> |
||||
|
||||
<input type="text" name="password" value=""> |
@ -0,0 +1,5 @@ |
||||
<foo /> |
||||
<jsp:directive.taglib uri="http://java.sun.com/jstl/sql" prefix="prefixOfTag" /> <!-- Noncompliant --> |
||||
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql" %> |
||||
<%@ taglib prefix="sql" uri="http://bla.com" %> |
||||
<%@ taglib uri="http://java.sun.com/jstl/sql" prefix="prefixOfTag" > <!-- Noncompliant --> |
Loading…
Reference in new issue