Compare commits


No commits in common. '88a121b7dc25cb1313ba78cfe9a3d649c7a40268' and '63ffdf647b7726c89086f3e7397795c4269e53a0' have entirely different histories.

  1. 67
      pom.xml
  2. 3
      sonar-keyware-plugins-cxx/pom.xml
  3. 16
      sonar-keyware-plugins-java/pom.xml
  4. 115
      sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyChecker.java
  5. 3
      sonar-keyware-plugins-java/src/test/java/com/keyware/sonar/java/rules/checkers/UploadFileVerifyCheckerTest.java

@ -36,33 +36,14 @@
</scm> </scm>
<developers> <developers>
<developer> <developer><id>guoxin</id><name>GuoXin</name><organization>Keyware</organization></developer>
<id>guoxin</id> <developer><id>renfengjiang</id><name>RenFengJiang</name><organization>Keyware</organization></developer>
<name>GuoXin</name> <developer><id>renfengshan</id><name>RenFengShan</name><organization>Keyware</organization></developer>
<organization>Keyware</organization> <developer><id>wuhaoyang</id><name>WuHaoYang</name><organization>Keyware</organization></developer>
</developer> <developer><id>zhangchenbao</id><name>ZhangChenBao</name><organization>Keyware</organization></developer>
<developer>
<id>renfengjiang</id>
<name>RenFengJiang</name>
<organization>Keyware</organization>
</developer>
<developer>
<id>renfengshan</id>
<name>RenFengShan</name>
<organization>Keyware</organization>
</developer>
<developer>
<id>wuhaoyang</id>
<name>WuHaoYang</name>
<organization>Keyware</organization>
</developer>
<developer>
<id>zhangchenbao</id>
<name>ZhangChenBao</name>
<organization>Keyware</organization>
</developer>
</developers> </developers>
<properties> <properties>
<java.version>11</java.version> <java.version>11</java.version>
<jdk.min.version>11</jdk.min.version> <jdk.min.version>11</jdk.min.version>
@ -71,7 +52,6 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<sonar.java.version>7.24.0.32100</sonar.java.version> <sonar.java.version>7.24.0.32100</sonar.java.version>
<version.jacoco.plugin>0.8.10</version.jacoco.plugin> <version.jacoco.plugin>0.8.10</version.jacoco.plugin>
<junit.jupiter.version>5.9.1</junit.jupiter.version>
<aggregate.report.dir>integration-tests/target/site/jacoco-aggregate/jacoco.xml</aggregate.report.dir> <aggregate.report.dir>integration-tests/target/site/jacoco-aggregate/jacoco.xml</aggregate.report.dir>
</properties> </properties>
@ -96,41 +76,6 @@
<type>pom</type> <type>pom</type>
<scope>import</scope> <scope>import</scope>
</dependency> </dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-migrationsupport</artifactId>
<version>${junit.jupiter.version}</version>
<scope>test</scope>
</dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
</project> </project>
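Review bot: Dropping the managed `junit-jupiter*` entries together with the `junit.jupiter.version` property removes the single place where the JUnit version was pinned for all modules; the cxx module now hard-codes `5.9.1` in its own property, while the java module's `junit-jupiter` and `junit-jupiter-migrationsupport` declarations carry no version in the hunks shown here. Unless the BOM imported just above (`<type>pom</type><scope>import</scope>`) manages those artifacts, the java module will fail to resolve them; if it does manage them, the cxx override can silently diverge from the BOM's version. Consider keeping one `junit-jupiter.version` property in this parent and referencing it from both modules so a future bump happens in one place.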

@ -44,6 +44,7 @@
<mockito-all.version>1.10.19</mockito-all.version> <mockito-all.version>1.10.19</mockito-all.version>
<mockito-core.version>5.8.0</mockito-core.version> <mockito-core.version>5.8.0</mockito-core.version>
<assertj-core.version>3.24.2</assertj-core.version> <assertj-core.version>3.24.2</assertj-core.version>
<junit-jupiter.version>5.9.1</junit-jupiter.version>
</properties> </properties>
<dependencies> <dependencies>
@ -113,11 +114,13 @@
<dependency> <dependency>
<groupId>org.junit.jupiter</groupId> <groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId> <artifactId>junit-jupiter-engine</artifactId>
<version>${junit-jupiter.version}</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.junit.jupiter</groupId> <groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId> <artifactId>junit-jupiter-api</artifactId>
<version>${junit-jupiter.version}</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
</dependencies> </dependencies>

@ -50,11 +50,6 @@
<version>${sonar.java.version}</version> <version>${sonar.java.version}</version>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
<scope>test</scope>
</dependency>
<dependency> <dependency>
<groupId>org.junit.jupiter</groupId> <groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId> <artifactId>junit-jupiter</artifactId>
@ -62,17 +57,12 @@
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.junit.jupiter</groupId> <groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-api</artifactId> <artifactId>junit-jupiter-migrationsupport</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.junit.jupiter</groupId> <groupId>org.assertj</groupId>
<artifactId>junit-jupiter-migrationsupport</artifactId> <artifactId>assertj-core</artifactId>
<scope>test</scope> <scope>test</scope>
</dependency> </dependency>
</dependencies> </dependencies>

@ -36,124 +36,139 @@ public class UploadFileVerifyChecker extends IssuableSubscriptionVisitor {
public void visitNode(Tree tree) { public void visitNode(Tree tree) {
MethodTree node = (MethodTree) tree; MethodTree node = (MethodTree) tree;
List<VariableTree> parameters = node.parameters(); List<VariableTree> parameters = node.parameters();
//盘带是否是文件上传类 // 盘带是否是文件上传类
boolean boo = parameters.stream().anyMatch(type -> "MultipartFile".equals(type.type().toString())); boolean boo = parameters.stream().anyMatch(type -> "MultipartFile".equals(type.type().toString()));
if (boo) { if(boo){
//获取文件名称类型判断是否配置文件权限 // 获取文件名称类型判断是否配置文件权限
var interiorInvoIf = new InteriorInvoIf(); var interiorInvoIf = new InteriorInvoIf();
((MethodTree) tree).block().accept(interiorInvoIf); interiorInvoIf.check(((MethodTree) tree).block());
if (interiorInvoIf.fileType != "") { if(interiorInvoIf.fileType != ""){
//判断是否对文件后缀进行限制 // 判断是否对文件后缀进行限制
NodeIf nodeIf = new NodeIf(interiorInvoIf.fileType); NodeIf nodeIf = new NodeIf(interiorInvoIf.fileType);
((MethodTree) tree).block().accept(nodeIf); nodeIf.check(((MethodTree) tree).block());
if (nodeIf.boo) { if (nodeIf.boo){
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
} }
} else { }else {
if (interiorInvoIf.fileName != "") { if(interiorInvoIf.fileName != ""){
// 判断是否对文件后缀进行限制 // 判断是否对文件后缀进行限制
NodeIf nodeIf = new NodeIf(interiorInvoIf.fileName); NodeIf nodeIf = new NodeIf(interiorInvoIf.fileName);
((MethodTree) tree).block().accept(nodeIf); nodeIf.check(((MethodTree) tree).block());
if (nodeIf.boo) { if (nodeIf.boo){
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
} }
} else { }else {
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
} }
} }
if (interiorInvoIf.sizeName != "") { if(interiorInvoIf.sizeName != ""){
//判断是否对文件大小进行限制 // 判断是否对文件大小进行限制
NodeIf nodeIf = new NodeIf(interiorInvoIf.sizeName); NodeIf nodeIf = new NodeIf(interiorInvoIf.sizeName);
//nodeIf.check(((MethodTree) tree).block()); nodeIf.check(((MethodTree) tree).block());
((MethodTree) tree).block().accept(nodeIf); if (nodeIf.boo){
if (nodeIf.boo) {
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
} }
} }
//判断是否进行权限设置 // 判断是否进行权限设置
if (interiorInvoIf.privType) { if(interiorInvoIf.privType){
context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型"); context.reportIssue(this, node.simpleName(), "程序设计时,应以“白名单”方式限制允许用户上传的文件的类型");
} }
} }
} }
//內部文件名称类型获取类 // 內部文件名称类型获取类
private class InteriorInvoIf extends BaseTreeVisitor { private class InteriorInvoIf extends IssuableSubscriptionVisitor{
//文件全名字 // 文件全名字
public String fileName = ""; public String fileName = "";
// 文件后缀名 // 文件后缀名
public String fileType = ""; public String fileType = "";
//文件大小 // 文件大小
public String sizeName = ""; public String sizeName = "";
//判断权限 // 判断权限
public boolean privType = true; public boolean privType = true;
@Override @Override
public void visitMethodInvocation(MethodInvocationTree tree) { public List<Tree.Kind> nodesToVisit() {
//获取到方法调用的参数 return Collections.singletonList(Tree.Kind.METHOD_INVOCATION);
ExpressionTree expressionTree = tree.methodSelect(); }
if (expressionTree instanceof MemberSelectExpressionTree) {
@Override
public void visitNode(Tree tree){
MethodInvocationTree methodInvocationTree = (MethodInvocationTree) tree;
// 获取到方法调用的参数
ExpressionTree expressionTree = methodInvocationTree.methodSelect();
if(expressionTree instanceof MemberSelectExpressionTree){
MemberSelectExpressionTree expressionTree1 = (MemberSelectExpressionTree) expressionTree; MemberSelectExpressionTree expressionTree1 = (MemberSelectExpressionTree) expressionTree;
//对调用方法进行判断 // 对调用方法进行判断
if ("getOriginalFilename".equals(expressionTree1.identifier().toString())) { if("getOriginalFilename".equals(expressionTree1.identifier().toString())){
Tree parent = expressionTree1.parent(); Tree parent = expressionTree1.parent();
if (parent instanceof MethodInvocationTree) { if(parent instanceof MethodInvocationTree){
MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent; MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
Tree parent1 = memberSelectExpressionTree.parent(); Tree parent1 = memberSelectExpressionTree.parent();
if (parent1 instanceof VariableTree) { if(parent1 instanceof VariableTree){
VariableTree variableTree = (VariableTree) parent1; VariableTree variableTree = (VariableTree) parent1;
fileName = variableTree.simpleName().toString(); fileName = variableTree.simpleName().toString();
} }
} }
} else if ("extName".equals(expressionTree1.identifier().toString())) { }else if("extName".equals(expressionTree1.identifier().toString())){
Tree parent = expressionTree1.parent(); Tree parent = expressionTree1.parent();
if (parent instanceof MethodInvocationTree) { if(parent instanceof MethodInvocationTree){
MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent; MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
Tree parent1 = memberSelectExpressionTree.parent(); Tree parent1 = memberSelectExpressionTree.parent();
if (parent1 instanceof VariableTree) { if(parent1 instanceof VariableTree){
VariableTree variableTree = (VariableTree) parent1; VariableTree variableTree = (VariableTree) parent1;
fileType = variableTree.simpleName().toString(); fileType = variableTree.simpleName().toString();
} }
} }
} else if ("getSize".equals(expressionTree1.identifier().toString())) { }else if("getSize".equals(expressionTree1.identifier().toString())){
Tree parent = expressionTree1.parent(); Tree parent = expressionTree1.parent();
if (parent instanceof MethodInvocationTree) { if(parent instanceof MethodInvocationTree){
MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent; MethodInvocationTree memberSelectExpressionTree = (MethodInvocationTree) parent;
Tree parent1 = memberSelectExpressionTree.parent(); Tree parent1 = memberSelectExpressionTree.parent();
if (parent1 instanceof VariableTree) { if(parent1 instanceof VariableTree){
VariableTree variableTree = (VariableTree) parent1; VariableTree variableTree = (VariableTree) parent1;
sizeName = variableTree.simpleName().toString(); sizeName = variableTree.simpleName().toString();
} }
} }
} else if ("setExecutable".equals(expressionTree1.identifier().toString()) || "setReadable".equals(expressionTree1.identifier().toString()) || "setWritable".equals(expressionTree1.identifier().toString())) { }else if("setExecutable".equals(expressionTree1.identifier().toString()) || "setReadable".equals(expressionTree1.identifier().toString()) || "setWritable".equals(expressionTree1.identifier().toString())){
privType = false; privType = false;
} }
} }
} }
public void check(Tree tree){
this.scanTree(tree);
}
} }
public class NodeIf extends BaseTreeVisitor { public class NodeIf extends IssuableSubscriptionVisitor{
private String name; private String name;
public boolean boo = true; public boolean boo = true;
@Override
public List<Tree.Kind> nodesToVisit() {
return Collections.singletonList(Tree.Kind.IF_STATEMENT);
}
public NodeIf(String name) { public NodeIf(String name) {
this.name = name; this.name = name;
} }
public void check(Tree tree){
this.scanTree(tree);
}
@Override @Override
public void visitIfStatement(IfStatementTree tree) { public void visitNode(Tree tree){
//获取到if表达式 IfStatementTree tree1 = (IfStatementTree) tree;
ExpressionTree condition = tree.condition(); // 获取到if表达式
if (condition instanceof BinaryExpressionTree) { ExpressionTree condition = tree1.condition();
if(condition instanceof BinaryExpressionTree){
BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition; BinaryExpressionTree binaryExpressionTree = (BinaryExpressionTree) condition;
//判断是否进行if判断 // 判断是否进行if判断
if (name.equals(binaryExpressionTree.leftOperand().toString())) { if(name.equals(binaryExpressionTree.leftOperand().toString())){
boo = false; boo = false;
} else if (name.equals(binaryExpressionTree.rightOperand().toString())) { }else if(name.equals(binaryExpressionTree.rightOperand().toString())){
boo = false; boo = false;
} }
} }
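Review bot: The new side still compares the collected names by reference — `if(interiorInvoIf.fileType != "")`, and again for `fileName` and `sizeName` — which only works because the fields default to the `""` literal while `fileName = variableTree.simpleName().toString()` could yield a non-interned empty string; use `if (!interiorInvoIf.fileType.isEmpty())` (and likewise for the other two). The size and permission branches report the same "restrict allowed file types by whitelist" message as the extension branch, so a finding for a missing `getSize` check or for a missing `setExecutable`/`setReadable`/`setWritable` call is mislabelled — give each branch its own message, and note that any call to those setters (including `setExecutable(true)`) currently clears `privType`. `NodeIf` recognises a check only when the `if` condition is a `BinaryExpressionTree` whose operand text equals the variable name, so validations written as `if (ext.equals("jpg"))` or `if (allowed.contains(ext))` are not seen and the method is flagged, while `if (ext != null)` passes as a type check; if that is an accepted heuristic, say so in a comment on `NodeIf.visitNode`. The enclosing class and `NodeIf.visitNode` continue outside the hunk.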

@ -6,6 +6,7 @@
*/ */
package com.keyware.sonar.java.rules.checkers; package com.keyware.sonar.java.rules.checkers;
import com.keyware.sonar.java.utils.FilesUtils;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.sonar.java.checks.verifier.CheckVerifier; import org.sonar.java.checks.verifier.CheckVerifier;
@ -30,7 +31,7 @@ public class UploadFileVerifyCheckerTest {
CheckVerifier.newVerifier() CheckVerifier.newVerifier()
.onFile("src/test/files/UploadFileVerifyRule.java") .onFile("src/test/files/UploadFileVerifyRule.java")
.withCheck(rule) .withCheck(rule)
// .withClassPath(FilesUtils.getClassPath("target/test-jars")) .withClassPath(FilesUtils.getClassPath("target/test-jars"))
.verifyIssues(); .verifyIssues();
} }
} }
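Review bot: Re-enabling `.withClassPath(FilesUtils.getClassPath("target/test-jars"))` makes the verifier depend on `target/test-jars` being populated before the test phase, and none of the pom hunks in this compare shows the plugin execution that fills it; confirm it exists (or that the directory is otherwise provided), since what `FilesUtils.getClassPath` does with a missing directory is not visible here and the check's `type.type().toString()` matching may behave differently with and without semantic resolution. The enclosing test method starts outside the hunk.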
