How to create a rule (HTTP request redirections should not be open to forging attacks - RSPEC-5146) for the Java plugin
This rule is only available in the commercial edition, and I want to create a custom rule about HTTP request redirection.
Below are the noncompliant and compliant code samples:
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Noncompliant: the redirect target is taken straight from a request parameter.
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String location = req.getParameter("url");
    resp.sendRedirect(location); // Noncompliant {{non-compliant}}
}

// Compliant: the target is checked against an allow-list first (urlWhiteList is assumed to be a Set<String> field, not shown).
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String location = req.getParameter("url");
    if (!urlWhiteList.contains(location))
        throw new IOException();
    resp.sendRedirect(location);
}
These rules use some more advanced static analysis algorithms. The article https://wiki.mozilla.org/Abstract_Interpretation provides a good high-level introduction. Then you might be interested in https://en.wikipedia.org/wiki/Pointer_analysis
Once you have the basics, you can follow https://github.com/SonarSource/sonar-java/blob/master/docs/CUSTOM_RULES_101.md to start implementing.
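A starting point for such a custom check, added here as an example; it is not SonarSource's RSPEC-5146 implementation and not code from this thread. It assumes the sonar-java custom-rules API described in CUSTOM_RULES_101 (IssuableSubscriptionVisitor, MethodMatchers, the Tree/Symbol model) and a hypothetical rule key MyOpenRedirect; it only follows the direct flow from getParameter to sendRedirect and treats a use of the variable in an if-condition as a guard, which is exactly the gap the abstract interpretation and pointer analysis links above are meant to close.

```java
import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.MethodMatchers;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.*;
// Hypothetical rule key; register the check in your plugin's RulesDefinition and CheckRegistrar.
@Rule(key = "MyOpenRedirect")
public class OpenRedirectCheck extends IssuableSubscriptionVisitor {
  // Sink: HttpServletResponse.sendRedirect(String). Source: HttpServletRequest.getParameter(String).
  private static final MethodMatchers SEND_REDIRECT = MethodMatchers.create()
      .ofSubTypes("javax.servlet.http.HttpServletResponse").names("sendRedirect")
      .addParametersMatcher("java.lang.String").build();
  private static final MethodMatchers GET_PARAMETER = MethodMatchers.create()
      .ofSubTypes("javax.servlet.http.HttpServletRequest").names("getParameter")
      .addParametersMatcher("java.lang.String").build();

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return List.of(Tree.Kind.METHOD_INVOCATION);
  }

  @Override
  public void visitNode(Tree tree) {
    MethodInvocationTree mit = (MethodInvocationTree) tree;
    if (SEND_REDIRECT.matches(mit) && isUserControlled(mit.arguments().get(0))) {
      reportIssue(mit, "Validate this redirect target; it comes straight from a request parameter.");
    }
  }
  // Shallow data flow only; real taint tracking needs the abstract interpretation the answer points to.
  private static boolean isUserControlled(ExpressionTree arg) {
    if (arg.is(Tree.Kind.METHOD_INVOCATION)) return GET_PARAMETER.matches((MethodInvocationTree) arg);
    if (!arg.is(Tree.Kind.IDENTIFIER)) return false;
    Symbol sym = ((IdentifierTree) arg).symbol();
    VariableTree decl = sym.isVariableSymbol() ? ((Symbol.VariableSymbol) sym).declaration() : null;
    return decl != null && decl.initializer() != null
        && isUserControlled(decl.initializer()) && !isGuarded(sym);
  }
  // Crude sanitiser heuristic: some usage of the variable sits in an if-condition, as with
  // urlWhiteList.contains(location) in the compliant sample. A real rule would model the guard itself.
  private static boolean isGuarded(Symbol sym) {
    for (IdentifierTree usage : sym.usages()) {
      Tree child = usage, parent = usage.parent();
      while (parent != null && !parent.is(Tree.Kind.IF_STATEMENT)) { child = parent; parent = parent.parent(); }
      if (parent != null && ((IfStatementTree) parent).condition() == child) return true;
    }
    return false;
  }
}
```

Against the two samples in the question it reports the first doGet and stays silent on the second; anything that flows through string concatenation, a helper method or a reassignment is missed until the check is backed by real data-flow analysis.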