10: Add WorldAccessPermissionsPlugin
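--- a/<PATH-NOT-ON-PAGE>/PluginModule.java
+++ b/<PATH-NOT-ON-PAGE>/PluginModule.java
@@ -125,4 +125,10 @@ public class PluginModule {
 public Plugin sqlInjectionPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
 return new SqlInjectionPlugin(globMatcher, xmlHelper);
 }
+
+@Provides
+@IntoSet
+public Plugin worldAccessPermissionsPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+return new WorldAccessPermissionsPlugin(globMatcher, xmlHelper);
+}
 }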
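--- /dev/null
+++ b/<SRC-ROOT-NOT-ON-PAGE>/com/bartek/esa/core/plugin/WorldAccessPermissionsPlugin.java
@@ -0,0 +1,39 @@
+package com.bartek.esa.core.plugin;
+
+import com.bartek.esa.core.archetype.JavaPlugin;
+import com.bartek.esa.core.model.enumeration.Severity;
+import com.bartek.esa.core.xml.XmlHelper;
+import com.bartek.esa.file.matcher.GlobMatcher;
+import com.github.javaparser.ast.CompilationUnit;
+import com.github.javaparser.ast.expr.FieldAccessExpr;
+import com.github.javaparser.ast.expr.NameExpr;
+
+import javax.inject.Inject;
+import java.util.Map;
+
+public class WorldAccessPermissionsPlugin extends JavaPlugin {
+
+@Inject
+public WorldAccessPermissionsPlugin(GlobMatcher globMatcher, XmlHelper xmlHelper) {
+super(globMatcher, xmlHelper);
+}
+
+@Override
+public void run(CompilationUnit compilationUnit) {
+compilationUnit.findAll(NameExpr.class).stream()
+.filter(expr -> expr.getName().getIdentifier().matches("MODE_WORLD_(READABLE|WRITEABLE)"))
+.forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
+
+compilationUnit.findAll(FieldAccessExpr.class).stream()
+.filter(expr -> expr.getName().getIdentifier().matches("MODE_WORLD_(READABLE|WRITEABLE)"))
+.forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
+}
+
+private Map<String, String> getModel(NameExpr expression) {
+return Map.of("exprName", expression.getName().getIdentifier());
+}
+
+private Map<String, String> getModel(FieldAccessExpr expression) {
+return Map.of("exprName", expression.getName().getIdentifier());
+}
+}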
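Review bot: The pattern `MODE_WORLD_(READABLE|WRITEABLE)` is written twice in the two `filter` calls of `run`, and `String.matches` recompiles it for every node visited; hoisting it into a `private static final Pattern` and matching with `matcher(...).matches()` keeps the exact full-match semantics while stating the rule once. The two `getModel` overloads are identical except for their parameter type; since `NameExpr` and `FieldAccessExpr` both implement JavaParser's `NodeWithSimpleName`, one helper taking `NodeWithSimpleName<?>` replaces both (the two changes need `java.util.regex.Pattern` and `com.github.javaparser.ast.nodeTypes.NodeWithSimpleName` imports). A class-level Javadoc would also help a reader judge the detector's reach: it flags any simple name or qualified field access whose identifier is exactly one of the two constants regardless of the declaring type, so an unrelated identifier with the same name is reported too, while a mode passed as a bare integer literal is not; presumably the intended target is the Android `Context` constants, which an identifier match alone cannot confirm, so the false-positive/false-negative trade-off is worth recording in the Javadoc.
```java
private static final Pattern WORLD_MODE = Pattern.compile("MODE_WORLD_(READABLE|WRITEABLE)");

@Override
public void run(CompilationUnit compilationUnit) {
    compilationUnit.findAll(NameExpr.class).stream()
        .filter(expr -> WORLD_MODE.matcher(expr.getName().getIdentifier()).matches())
        .forEach(expr -> addIssue(Severity.ERROR, getModel(expr), getLineNumberFromExpression(expr), expr.toString()));
    // … unchanged: same pipeline over FieldAccessExpr, using the same WORLD_MODE filter …
}

// One helper serves both node types: each implements NodeWithSimpleName.
private Map<String, String> getModel(NodeWithSimpleName<?> expression) {
    return Map.of("exprName", expression.getName().getIdentifier());
}
```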
@@ -111,3 +111,8 @@ com.bartek.esa.core.plugin.IntentFilterPlugin=Implemented intent filter.\n\
com.bartek.esa.core.plugin.SqlInjectionPlugin='rawQuery' method detected. Potential SQL injection attack.\n\
com.bartek.esa.core.plugin.SqlInjectionPlugin='rawQuery' method detected. Potential SQL injection attack.\n\
'rawQuery' method should be avoided because of possibility to inject SQL code.
'rawQuery' method should be avoided because of possibility to inject SQL code.
com.bartek.esa.core.plugin.WorldAccessPermissionsPlugin=World access permissions detected. Potential data leakage.\n\
The deprecated '${exprName}' constant has been found and it can be risky to use.\n\
It grants world access permission to selected resource.\n\
Consider using less permissive mode.a.
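Review bot: The last line of the new message, `Consider using less permissive mode.a.`, carries a stray `.a.` that is shown verbatim to the user; it should read `Consider using a less permissive mode.`. The `${exprName}` placeholder on the second line matches the `exprName` key that WorldAccessPermissionsPlugin puts into its model, so the substitution itself looks consistent with the plugin added in this commit.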