Compare commits
6 Commits
ac4eee2647
...
5ce8feea75
| Author | SHA1 | Date |
|---|---|---|
Guo XIn
|
5ce8feea75 | 10 months ago |
|
Guo XIn
|
4cd845ed64 | 10 months ago |
|
Guo XIn
|
05ced611ef | 10 months ago |
|
Guo XIn
|
bd8f3af97b | 10 months ago |
|
Guo XIn
|
4156850164 | 10 months ago |
|
Guo XIn
|
c0120595bc | 10 months ago |
@ -0,0 +1,42 @@ |
|||||||
|
/* |
||||||
|
* Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved. |
||||||
|
* 项目名称:信息安全性设计准则检查插件 |
||||||
|
* 项目描述:用于检查源代码的安全性设计准则的Sonarqube插件 |
||||||
|
* 版权说明:本软件属北京关键科技股份有限公司所有,在未获得北京关键科技股份有限公司正式授权情况下,任何企业和个人,不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。 |
||||||
|
*/ |
||||||
|
package com.keyware.sonar.java.rules.checkers; |
||||||
|
|
||||||
|
import org.sonar.check.Rule; |
||||||
|
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor; |
||||||
|
import org.sonar.plugins.java.api.tree.Tree; |
||||||
|
|
||||||
|
import javax.annotation.Nonnull; |
||||||
|
import java.util.List; |
||||||
|
|
||||||
|
/** |
||||||
|
* 将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中,程序使用该数据须通过会话获取 |
||||||
|
* <p>在Java web应用开发中,隐藏域字段、Cookie、URL等关键参数应通过会话获取和传递。</p> |
||||||
|
* |
||||||
|
* @author GuoXin |
||||||
|
* @date 2024/1/24 |
||||||
|
*/ |
||||||
|
@Rule(key = "SessionCacheParamsChecker") |
||||||
|
public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor { |
||||||
|
private static final List<String> HIDED_PARAMS = List.of( |
||||||
|
"id", |
||||||
|
"token" |
||||||
|
); |
||||||
|
|
||||||
|
|
||||||
|
@Override |
||||||
|
public List<Tree.Kind> nodesToVisit() { |
||||||
|
return List.of(Tree.Kind.METHOD_INVOCATION); |
||||||
|
} |
||||||
|
|
||||||
|
@Override |
||||||
|
public void visitNode(@Nonnull Tree tree) { |
||||||
|
|
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
} |
||||||
@ -0,0 +1,22 @@ |
|||||||
|
package com.example; |
||||||
|
import javax.servlet.http.HttpServlet; |
||||||
|
import javax.servlet.http.HttpServletRequest; |
||||||
|
import javax.servlet.http.HttpServletResponse; |
||||||
|
import javax.servlet.http.HttpSession; |
||||||
|
public class ExampleServlet extends HttpServlet { |
||||||
|
public void doGet(HttpServletRequest request, HttpServletResponse response) { |
||||||
|
// 直接从request获取参数
|
||||||
|
String param = request.getParameter("userId"); // Noncompliant {{建议将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中,并通过会话获取}}
|
||||||
|
|
||||||
|
// 直接从request获取Cookies
|
||||||
|
Cookie[] cookies = request.getCookies(); |
||||||
|
// 将参数存储到session
|
||||||
|
HttpSession session = request.getSession(); |
||||||
|
session.setAttribute("sessionParam", param); |
||||||
|
// 其他代码...
|
||||||
|
} |
||||||
|
|
||||||
|
private void get(HttpServletRequest request, HttpServletResponse response){ |
||||||
|
|
||||||
|
} |
||||||
|
} |
||||||
@ -0,0 +1,6 @@ |
|||||||
|
<foo> |
||||||
|
<!-- Non-Compliant --> |
||||||
|
<!-- Compliant --> |
||||||
|
</foo> |
||||||
|
|
||||||
|
<input type="text" name="password" value=""> |
||||||
@ -0,0 +1,5 @@ |
|||||||
|
<foo /> |
||||||
|
<jsp:directive.taglib uri="http://java.sun.com/jstl/sql" prefix="prefixOfTag" /> <!-- Noncompliant --> |
||||||
|
<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql" %> |
||||||
|
<%@ taglib prefix="sql" uri="http://bla.com" %> |
||||||
|
<%@ taglib uri="http://java.sun.com/jstl/sql" prefix="prefixOfTag" > <!-- Noncompliant --> |
||||||
Loading…
Reference in new issue