|
|
@ -8,7 +8,6 @@ package com.keyware.sonar.java.rules.checkers; |
|
|
|
|
|
|
|
|
|
|
|
import org.sonar.check.Rule; |
|
|
|
import org.sonar.check.Rule; |
|
|
|
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
|
|
|
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
|
|
|
import org.sonar.plugins.java.api.semantic.Symbol; |
|
|
|
|
|
|
|
import org.sonar.plugins.java.api.semantic.Type; |
|
|
|
import org.sonar.plugins.java.api.semantic.Type; |
|
|
|
import org.sonar.plugins.java.api.tree.*; |
|
|
|
import org.sonar.plugins.java.api.tree.*; |
|
|
|
|
|
|
|
|
|
|
@ -32,7 +31,7 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor { |
|
|
|
"url", |
|
|
|
"url", |
|
|
|
"userpassword" |
|
|
|
"userpassword" |
|
|
|
); |
|
|
|
); |
|
|
|
private static final String requestType = "javax.servlet.http.HttpServletRequest"; |
|
|
|
private static final String requestType = "HttpServletRequest"; |
|
|
|
|
|
|
|
|
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
|
public List<Tree.Kind> nodesToVisit() { |
|
|
@ -42,19 +41,19 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor { |
|
|
|
@Override |
|
|
|
@Override |
|
|
|
public void visitNode(@Nonnull Tree tree) { |
|
|
|
public void visitNode(@Nonnull Tree tree) { |
|
|
|
MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree; |
|
|
|
MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree; |
|
|
|
Symbol.MethodSymbol methodSymbol = (Symbol.MethodSymbol) methodInvocationTree.methodSymbol(); |
|
|
|
|
|
|
|
//获取参数
|
|
|
|
//获取参数
|
|
|
|
ExpressionTree expressionTree = methodInvocationTree.methodSelect(); |
|
|
|
ExpressionTree expressionTree = methodInvocationTree.methodSelect(); |
|
|
|
if(expressionTree.is(Tree.Kind.MEMBER_SELECT)){ |
|
|
|
if(expressionTree.is(Tree.Kind.MEMBER_SELECT)){ |
|
|
|
MemberSelectExpressionTree selectExpressionTree = (MemberSelectExpressionTree) expressionTree; |
|
|
|
MemberSelectExpressionTree selectExpressionTree = (MemberSelectExpressionTree) expressionTree; |
|
|
|
//获取参数类型
|
|
|
|
//获取参数类型
|
|
|
|
Type type = selectExpressionTree.expression().symbolType(); |
|
|
|
Type type = selectExpressionTree.expression().symbolType(); |
|
|
|
|
|
|
|
String fierName = selectExpressionTree.identifier().name(); |
|
|
|
if(type != null){ |
|
|
|
if(type != null){ |
|
|
|
//判断参数类型和调用方法符不符合要求
|
|
|
|
//判断参数类型和调用方法符不符合要求
|
|
|
|
if(requestType.equals(type.fullyQualifiedName()) |
|
|
|
if(type.fullyQualifiedName().contains(requestType) |
|
|
|
&& ("getParameter".equals(methodSymbol.name()) || "getCookies".equals(methodSymbol.name()))) { |
|
|
|
&& ("getParameter".equals(fierName) || "getCookies".equals(fierName))) { |
|
|
|
//如果是getCookies方法直接抛错
|
|
|
|
//如果是getCookies方法直接抛错
|
|
|
|
if("getCookies".equals(methodSymbol.name())){ |
|
|
|
if("getCookies".equals(fierName)){ |
|
|
|
reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取"); |
|
|
|
reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取"); |
|
|
|
}else { |
|
|
|
}else { |
|
|
|
//获取参数
|
|
|
|
//获取参数
|
|
|
@ -65,7 +64,6 @@ public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor { |
|
|
|
.replace("\"", "").toLowerCase(); |
|
|
|
.replace("\"", "").toLowerCase(); |
|
|
|
//判断是否是违规项
|
|
|
|
//判断是否是违规项
|
|
|
|
if(HIDED_PARAMS.contains(name)){ |
|
|
|
if(HIDED_PARAMS.contains(name)){ |
|
|
|
System.out.println(methodInvocationTree); |
|
|
|
|
|
|
|
reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取"); |
|
|
|
reportIssue(methodInvocationTree, "页面隐藏域字段、Cookie、URL等关键参数不能直接获取,应缓存到服务器端的会话中并通过会话获取"); |
|
|
|
break; |
|
|
|
break; |
|
|
|
} |
|
|
|
} |
|
|
|