Merge remote-tracking branch 'origin/master'

新增准则：建议将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中，并通过会话获取(未完成）
4 changed files with 75 additions and 0 deletions
--- a/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
+++ b/sonar-keyware-plugins-java/src/main/java/com/keyware/sonar/java/rules/checkers/SessionCacheParamsChecker.java
@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2023 - 2024. KeyWare.Co.Ltd All rights reserved.
+ * 项目名称：信息安全性设计准则检查插件
+ * 项目描述：用于检查源代码的安全性设计准则的Sonarqube插件
+ * 版权说明：本软件属北京关键科技股份有限公司所有，在未获得北京关键科技股份有限公司正式授权情况下，任何企业和个人，不能获取、阅读、安装、传播本软件涉及的任何受知识产权保护的内容。
+ */
+package com.keyware.sonar.java.rules.checkers;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
+import org.sonar.plugins.java.api.tree.Tree;
+
+import javax.annotation.Nonnull;
+import java.util.List;
+
+/**
+ * 将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中，程序使用该数据须通过会话获取
+ * <p>在Java web应用开发中，隐藏域字段、Cookie、URL等关键参数应通过会话获取和传递。</p>
+ *
+ * @author GuoXin
+ * @date 2024/1/24
+ */
+@Rule(key = "SessionCacheParamsChecker")
+public class SessionCacheParamsChecker extends IssuableSubscriptionVisitor {
+    private static final List<String> HIDED_PARAMS = List.of(
+            "id",
+            "token"
+    );
+
+
+    @Override
+    public List<Tree.Kind> nodesToVisit() {
+        return List.of(Tree.Kind.METHOD_INVOCATION);
+    }
+
+    @Override
+    public void visitNode(@Nonnull Tree tree) {
+
+    }
+
+
+}
--- a/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
+++ b/sonar-keyware-plugins-java/src/test/files/SessionCacheParamsChecker.java
@ -0,0 +1,22 @@
+package com.example;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+public class ExampleServlet extends HttpServlet {
+    public void doGet(HttpServletRequest request, HttpServletResponse response) {
+        // 直接从request获取参数
+        String param = request.getParameter("userId"); // Noncompliant {{建议将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中，并通过会话获取}}
+
+        // 直接从request获取Cookies
+        Cookie[] cookies = request.getCookies();
+        // 将参数存储到session
+        HttpSession session = request.getSession();
+        session.setAttribute("sessionParam", param);
+        // 其他代码...
+    }
+
+    private void get(HttpServletRequest request, HttpServletResponse response){
+
+    }
+}
--- a/uut-example/java/src/main/resources/templates/IllegalTabCheck.html
+++ b/uut-example/java/src/main/resources/templates/IllegalTabCheck.html
@ -0,0 +1,6 @@
+<foo>
+	<!-- Non-Compliant -->
+    <!-- Compliant -->
+</foo>
+
+<input type="text" name="password" value="">
--- a/uut-example/java/src/main/resources/templates/illegalTagLibsCheck.jsp
+++ b/uut-example/java/src/main/resources/templates/illegalTagLibsCheck.jsp
@ -0,0 +1,5 @@
+<foo />
+<jsp:directive.taglib uri="http://java.sun.com/jstl/sql" prefix="prefixOfTag" /> <!-- Noncompliant -->
+<%@ taglib prefix="sql" uri="http://java.sun.com/jstl/sql" %>
+<%@ taglib prefix="sql" uri="http://bla.com" %>
+<%@ taglib uri="http://java.sun.com/jstl/sql" prefix="prefixOfTag" > <!-- Noncompliant -->
Author	SHA1	Message	Date
Guo XIn	5ce8feea75	Merge remote-tracking branch 'origin/master'	8 months ago
Guo XIn	4cd845ed64	新增准则：建议将页面隐藏域字段、Cookie、URL等关键参数缓存到服务器端的会话中，并通过会话获取(未完成）	8 months ago
Guo XIn	05ced611ef	Merge remote-tracking branch 'origin/master'	8 months ago
Guo XIn	bd8f3af97b	Merge remote-tracking branch 'origin/master'	8 months ago
Guo XIn	4156850164	Merge remote-tracking branch 'origin/master'	8 months ago
Guo XIn	c0120595bc	新增被测件：html和jsp	8 months ago