diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
index 5d3cf71..e3d1200 100644
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/RulesList.java
@@ -8,6 +8,7 @@ package com.keyware.sonar.java.rules;
 import com.keyware.sonar.java.rules.checkers.ABCVarNameChecker;
 import com.keyware.sonar.java.rules.checkers.AbsolutePathDetectorChecker;
+import com.keyware.sonar.java.rules.checkers.UploadFileVerifyChecker;
 import org.sonar.plugins.java.api.JavaCheck;
 import java.util.ArrayList;
@@ -33,7 +34,8 @@ public final class RulesList {
 public static List> getJavaChecks() {
 return Collections.unmodifiableList(Arrays.asList(
 ABCVarNameChecker.class,
- AbsolutePathDetectorChecker.class
+ AbsolutePathDetectorChecker.class,
+ UploadFileVerifyChecker.class
 /*SpringControllerRequestMappingEntityRule.class,
 AvoidAnnotationRule.class,
 AvoidBrandInMethodNamesRule.class,
diff --git a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
new file mode 100644
index 0000000..a6701b7
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.java.ast.visitors.SubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.*;
+
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * TODO 上传文件检查规则
+ *
+ * @author RenFengJiang
+ * @date 2024/1/8
+ */
+
+@Rule(key = "UploadFileVerify")
+public class UploadFileVerifyChecker extends SubscriptionVisitor {
+
+// 文件全名字
+ private String fileName = "";
+// 文件后缀名
+ private String fileType = "";
+// 是否进行if判断
+ private boolean nodeOne = true;
+// 文件大小
+ private String sizeName = "";
+// 判断权限
+ private boolean privType = true;
+ @Override
+ public List nodesToVisit() {
+ /**
+ * Tree.Kind.METHOD:方法节点
+ * Tree.Kind.BLOCK:方法的代码块节点
+ * Tree.Kind.METHOD_INVOCATION: 方法的调用节点
+ */
+ return Collections.singletonList(Tree.Kind.METHOD);
+ }
+
+ @Override
+ public void visitNode(Tree tree) {
+ MethodTree node = (MethodTree) tree;
+ List parameters = node.parameters();
+// 盘带是否是文件上传类
+ boolean boo = parameters.stream().anyMatch(type -> "MultipartFile".equals(type.type().toString()));
+ if(boo){
+// 获取文件名称类型判断是否配置文件权限
+ new InteriorInvoIf().check(tree);
+ if(fileType != ""){
+// 判断是否对文件后缀进行限制
+ new NodeIf(fileType).check(tree);
+ }else if(fileName != ""){
+// 判断是否对文件后缀进行限制
+ new NodeIf(fileName).check(tree);
+ }
+// 判断是否获取文件名称
+ if(nodeOne){
+// 没有抛出
+ context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作");
+ }else {
+// 有的话设置位true后续还要用
+ nodeOne = true;
+ }
+ if(sizeName != ""){
+// 判断是否对文件大小进行限制
+ new NodeIf(sizeName).check(tree);
+ }
+// 根据是返回结果进行判断是否抛出异常
+ if(nodeOne){
+ context.reportIssue(this, node.simpleName(), "没对上传文件进行判断等操作");
+ }
+// 判断是否进行权限设置
+ if(privType){
+ context.reportIssue(this, node.simpleName(), 
"没对上传文件进行判断等操作");
+ }
+ }
+
+ }
+
+// 內部文件名称类型获取类
+ private class InteriorInvoIf extends SubscriptionVisitor{
+
+ @Override
+ public List nodesToVisit() {
+ return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
+ }
+
+ @Override
+ public void visitNode(Tree tree){
+ MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
+// 获取到方法调用的参数
+ ExpressionTree expressionTree = methodInvocationTree.methodSelect();
+ if(expressionTree instanceof MemberSelectExpressionTree){
+ MemberSelectExpressionTree expressionTree1 = (MemberSelectExpressionTree) expressionTree;
+// 对调用方法进行判断
+ if("getOriginalFilename".equals(expressionTree1.identifier().toString())){
+ Tree parent = expressionTree1.parent();
+ if(parent instanceof MethodInvocationTree){
+ MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
+ Tree parent1 = memberSelectExpressionTree.parent();
+ if(parent1 instanceof VariableTree){
+ VariableTree variableTree = (VariableTree) parent1;
+ fileName = variableTree.simpleName().toString();
+ }
+ }
+ }else if("extName".equals(expressionTree1.identifier().toString())){
+ Tree parent = expressionTree1.parent();
+ if(parent instanceof MethodInvocationTree){
+ MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
+ Tree parent1 = memberSelectExpressionTree.parent();
+ if(parent1 instanceof VariableTree){
+ VariableTree variableTree = (VariableTree) parent1;
+ fileType = variableTree.simpleName().toString();
+ }
+ }
+ }else if("getSize".equals(expressionTree1.identifier().toString())){
+ Tree parent = expressionTree1.parent();
+ if(parent instanceof MethodInvocationTree){
+ MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
+ Tree parent1 = memberSelectExpressionTree.parent();
+ if(parent1 instanceof VariableTree){
+ VariableTree variableTree = (VariableTree) parent1;
+ sizeName = variableTree.simpleName().toString();
+ }
+ }
+ }else 
if("setExecutable".equals(expressionTree1.identifier().toString()) || "setReadable".equals(expressionTree1.identifier().toString()) || "setWritable".equals(expressionTree1.identifier().toString())){
+ privType = false;
+ }
+ }
+ }
+ public void check(Tree tree){
+ this.scanTree(tree);
+ }
+ }
+
+
+ public class NodeIf extends SubscriptionVisitor{
+
+ private String name;
+ @Override
+ public List nodesToVisit() {
+ return Collections.singletonList(Tree.Kind.IF_STATEMENT);
+ }
+
+ public NodeIf(String name) {
+ this.name = name;
+ }
+ public void check(Tree tree){
+ this.scanTree(tree);
+ }
+ @Override
+ public void visitNode(Tree tree){
+ IfStatementTree tree1 = (IfStatementTree) tree;
+// 获取到if表达式
+ ExpressionTree condition = tree1.condition();
+ if(condition instanceof BinaryExpressionTree){
+ BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition;
+// 判断是否进行if判断
+ if(name.equals(binaryExpressionTree.leftOperand().toString())){
+ nodeOne = false;
+ }else if(name.equals(binaryExpressionTree.rightOperand().toString())){
+ nodeOne = false;
+ }
+ }
+ }
+ }
+}
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html
new file mode 100644
index 0000000..f5f5181
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.html
@@ -0,0 +1,9 @@
+
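Review bot: The checker's fields `fileName`, `fileType`, `sizeName`, `nodeOne` and `privType` are never reset between methods, so once one `MultipartFile` method sets `privType = false` or a non-empty `fileType`, every later method in the scan (presumably across files too, since the same check instance is reused) is judged against stale state and the permission and extension findings silently disappear. Reinitialise them at the top of the `if(boo)` branch of `visitNode`, e.g. `fileName = fileType = sizeName = "";` and `nodeOne = true; privType = true;`. The `fileType != ""` / `fileName != ""` / `sizeName != ""` tests compare references and only work because the fields start from the same literal; `!fileType.isEmpty()` says what is meant. Two precision points that deserve a comment in the code: `NodeIf` clears `nodeOne` for any binary condition that has the variable as an operand, so `if (type != null)` already counts as the allow-list check the rule description asks for, and `setExecutable`/`setReadable`/`setWritable` are `java.io.File` methods that `MultipartFile` does not expose, so the permission finding is raised on every controller method unless the transferred `File` is handled in the same method.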

上传文件检查

+

程序设计时,应以“白名单”方式限制允许用户上传的文件的类型(如jpg、png、txt、doc、docx、xls、xlsx、xml等格式)并进行检查,根据业务实际需求,设定上传的文件大小,同时限制文件权限(可读、可写、可执行等)

+
+
+
+

合规解决方案

+
+
+
diff --git a/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json
new file mode 100644
index 0000000..8002507
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/main/resources/org/sonar/l10n/java/rules/java/UploadFileVerifyChecker.json
@@ -0,0 +1,13 @@
+{
+ "title": "上传文件检查",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "28suo"
+ ],
+ "defaultSeverity": "Minor"
+}
\ No newline at end of file
diff --git a/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java b/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
new file mode 100644
index 0000000..0329bc4
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/files/UploadFileVerifyRule.java
@@ -0,0 +1,31 @@
+/**
+ * @author hj
+ */
+@Slf4j
+@RestController
+@RequestMapping("/file")
+public class UploadFileVerifyRule {
+ //文件磁盘路径
+ @Value("${files.upload.path}")
+ private String fileUploadPath;
+
+ @PostMapping("/upload")
+ public Result upload(@RequestParam MultipartFile file) throws IOException { // Noncompliant {{没对上传文件进行判断等操作}}
+
+ file.setExecutable(true);
+ file.setReadable(true);
+ file.setWritable(true);
+
+
+ long size = file.getSize();
+ if(size > 100){
+
+ }
+ //获取文件原始名称
+ String originalFilename = file.getOriginalFilename();
+ String type = FileUtil.extName(originalFilename);
+
+ return Result.success("");
+ }
+}
+
diff --git a/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyCheckerTest.java b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyCheckerTest.java
new file mode 100644
index 0000000..93abfaf
--- /dev/null
+++ b/sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyCheckerTest.java
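Review bot: The fixture covers only the noncompliant path, and it does so by calling `file.setExecutable(true)`, `setReadable` and `setWritable` on a `MultipartFile`, which has no such methods (they belong to `java.io.File`), so the case only parses because the verifier does not require the members to resolve. Add a compliant `upload` variant to the same class — extension compared against an allow-list in an `if`, `getSize()` compared in an `if`, permissions set on the `File` that is actually written — so `verifyIssues()` also catches false positives, which the checker's name-based heuristics make likely. The `if(size > 100){}` block and the unused `type` variable are enough to satisfy the checker's size check, so a short comment on the fixture saying which checker branch each statement exercises would make the expected single issue easier to maintain.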
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称:Java 信息安全性设计准则
+ * 项目描述:用于检查Java源代码的安全性设计准则的Sonarqube插件
+ * 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import com.keyware.sonar.java.utils.FilesUtils;
+import org.junit.jupiter.api.Test;
+import org.sonar.java.checks.verifier.CheckVerifier;
+
+/**
+ * TODO UploadFileVerifyTest
+ *
+ * @author RenFengJiang
+ * @date 2024/1/8
+ */
+public class UploadFileVerifyCheckerTest {
+
+ @Test
+ void detected() {
+
+
+ UploadFileVerifyChecker rule = new UploadFileVerifyChecker();
+
+
+ // Verifies that the check will raise the adequate issues with the expected message.
+ // In the test file, lines which should raise an issue have been commented out
+ // by using the following syntax: "// Noncompliant {{EXPECTED_MESSAGE}}"
+ CheckVerifier.newVerifier()
+ .onFile("src/test/files/UploadFileVerifyRule.java")
+ .withCheck(rule)
+ .withClassPath(FilesUtils.getClassPath("target/test-jars"))
+ .verifyIssues();
+ }
+}
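Review bot: The class Javadoc is still the placeholder `TODO UploadFileVerifyTest`; replace it with a sentence that says what is verified, e.g. `Runs {@link UploadFileVerifyChecker} over src/test/files/UploadFileVerifyRule.java and checks the reported issues against the fixture's Noncompliant markers.` The generated comment above `CheckVerifier.newVerifier()` also says lines "have been commented out", which is misleading — the marker is a trailing comment on a live line — so `// Lines expected to raise an issue carry a trailing "// Noncompliant {{EXPECTED_MESSAGE}}" marker.` is more accurate.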