10: Add WorldAccessPermissionsPlugin
This commit is contained in:
Bartłomiej Pluta
@@ -125,4 +125,10 @@ public class PluginModule {
|
||||
public Plugin sqlInjectionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
|
||||
return new SqlInjectionPlugin(globMatcher, xmlHelper);
|
||||
}
|
||||
|
||||
@Provides
|
||||
@IntoSet
|
||||
public Plugin worldAccessPermissionsPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
|
||||
return new WorldAccessPermissionsPlugin(globMatcher, xmlHelper);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,39 @@
|
||||
package com.bartek.esa.core.plugin;
|
||||
|
||||
import com.bartek.esa.core.archetype.JavaPlugin;
|
||||
import com.bartek.esa.core.model.enumeration.Severity;
|
||||
import com.bartek.esa.core.xml.XmlHelper;
|
||||
import com.bartek.esa.file.matcher.GlobMatcher;
|
||||
import com.github.javaparser.ast.CompilationUnit;
|
||||
import com.github.javaparser.ast.expr.FieldAccessExpr;
|
||||
import com.github.javaparser.ast.expr.NameExpr;
|
||||
|
||||
import javax.inject.Inject;
|
||||
import java.util.Map;
|
||||
|
||||
public class WorldAccessPermissionsPlugin extends JavaPlugin {
|
||||
|
||||
@Inject
|
||||
public WorldAccessPermissionsPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
|
||||
super(globMatcher, xmlHelper);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void run(CompilationUnit compilationUnit) {
|
||||
compilationUnit.findAll(NameExpr.class).stream()
|
||||
.filter(expr -> expr.getName().getIdentifier().matches("MODE_WORLD_(READABLE|WRITEABLE)"))
|
||||
.forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
|
||||
|
||||
compilationUnit.findAll(FieldAccessExpr.class).stream()
|
||||
.filter(expr -> expr.getName().getIdentifier().matches("MODE_WORLD_(READABLE|WRITEABLE)"))
|
||||
.forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
|
||||
}
|
||||
|
||||
private Map<String, String> getModel(NameExpr expression) {
|
||||
return Map.of("exprName", expression.getName().getIdentifier());
|
||||
}
|
||||
|
||||
private Map<String, String> getModel(FieldAccessExpr expression) {
|
||||
return Map.of("exprName", expression.getName().getIdentifier());
|
||||
}
|
||||
}
|
||||
@@ -110,4 +110,9 @@ com.bartek.esa.core.plugin.IntentFilterPlugin=Implemented intent filter.\n\
|
||||
Also be aware, that intent filter is not a security tool. It can be easily omitted.
|
||||
|
||||
com.bartek.esa.core.plugin.SqlInjectionPlugin='rawQuery' method detected. Potential SQL injection attack.\n\
|
||||
'rawQuery' method should be avoided because of possibility to inject SQL code.
|
||||
'rawQuery' method should be avoided because of possibility to inject SQL code.
|
||||
|
||||
com.bartek.esa.core.plugin.WorldAccessPermissionsPlugin=World access permissions detected. Potential data leakage.\n\
|
||||
The deprecated '${exprName}' constant has been found and it can be risky to use.\n\
|
||||
It grants world access permission to selected resource.\n\
|
||||
Consider using less permissive mode.a.
|
||||
Reference in New Issue
Block a user