Review fixes

This commit is contained in:
Sergey
2017-03-03 12:46:14 -08:00
parent 799614ee8e
commit 229a4d7269
3 changed files with 31 additions and 14 deletions


@ -25,14 +25,19 @@ public class VfCsrfRule extends AbstractVfRule {
if (APEX_PAGE.equalsIgnoreCase(node.getName())) {
List<ASTAttribute> attribs = node.findChildrenOfType(ASTAttribute.class);
boolean controller = false;
boolean action = false;
boolean isEl = false;
ASTElExpression valToReport = null;
for (ASTAttribute attr : attribs) {
switch (attr.getName().toLowerCase()) {
case "action":
action = true;
ASTElExpression value = attr.getFirstDescendantOfType(ASTElExpression.class);
if (value != null) {
if (doesElContainIdentifiers(value)) {
isEl = true;
valToReport = value;
}
}
break;
case "controller":
controller = true;
@ -42,15 +47,6 @@ public class VfCsrfRule extends AbstractVfRule {
}
if (action) {
ASTElExpression value = attr.getFirstDescendantOfType(ASTElExpression.class);
if (value != null) {
if (doesElContainIdentifiers(value)) {
isEl = true;
valToReport = value;
}
}
}
}
if (controller && isEl && valToReport != null) {
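Review bot: The attribute-name dispatch in the first hunk, `switch (attr.getName().toLowerCase())`, uses the default-locale form of toLowerCase(), so under a locale such as Turkish an `ACTION` attribute lowercases to a string that matches neither `"action"` nor `"controller"` and the CSRF check is silently skipped; it should be `switch (attr.getName().toLowerCase(Locale.ROOT))` (with `java.util.Locale` imported) — whether that line is new or pre-existing is not recoverable from this rendering, but it is the code under review. Now that the second hunk drops the post-loop `if (action)` block, `action = true` in the `"action"` case appears to have no remaining reader unless it is consulted further down; if it is not, drop the flag, and if it is, a comment saying what it still gates would help. The `isEl` flag is only ever set together with `valToReport`, so the final `controller && isEl && valToReport != null` test could be reduced to `controller && valToReport != null`, which makes the reporting condition easier to follow. The enclosing visit method begins before the first hunk and continues past the second.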


@ -7,8 +7,8 @@
<description>Rules concerning basic VF guidelines.</description>
<rule name="VfUnescapeEl" since="3.7"
message="Avoid unescaped user controlled content in EL" class="net.sourceforge.pmd.lang.vf.rule.security.VfUnescapeElRule"
externalInfoUrl="${pmd.website.baseurl}/rules/vf/security.html#VfUnescapeElRule">
message="Avoid unescaped user controlled content in EL" class="net.sourceforge.pmd.lang.vf.rule.security.VfUnescapeElRule"
externalInfoUrl="${pmd.website.baseurl}/rules/vf/security.html#VfUnescapeElRule">
<description><![CDATA[Avoid unescaped user controlled content in EL as it results in XSS. ]]>
</description>
<priority>3</priority>
@ -19,7 +19,7 @@
</example>
</rule>
<rule name="VfCsrf" since="3.7" message="Avoid calling VF action upon page load"
<rule name="VfCsrf" since="5.6" message="Avoid calling VF action upon page load"
class="net.sourceforge.pmd.lang.vf.rule.security.VfCsrfRule"
externalInfoUrl="${pmd.website.baseurl}/rules/vf/security.html#VfCsrfRule">
<description><![CDATA[Avoid calling VF action upon page load as the action becomes vulnerable to CSRF. ]]>


@ -8,6 +8,27 @@ CSRF by starting a controller with an EL action
<expected-problems>1</expected-problems>
<code><![CDATA[
<apex:page controller="AcRestActionsController" action="{!csrfInitMethod}" >
]]></code>
<source-type>vf</source-type>
</test-code>
<test-code>
<description><![CDATA[
Controller without actions is perfectly safe
]]></description>
<expected-problems>0</expected-problems>
<code><![CDATA[
<apex:page controller="AcRestActionsController" >
]]></code>
<source-type>vf</source-type>
</test-code>
<test-code>
<description><![CDATA[
JS action on load is perfectly safe ]]></description>
<expected-problems>0</expected-problems>
<code><![CDATA[
<apex:page controller="AcRestActionsController" action="init()" >
]]></code>
<source-type>vf</source-type>
</test-code>
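Review bot: The two new cases cover "controller only" and "JS action", but neither exercises the branch the Java change actually introduces: an EL action whose page has no `controller` attribute, which the rule must report as zero problems because the violation is gated on both flags, and a page where `action` precedes `controller`, which the rewritten per-attribute loop is meant to make order-independent (expected 1). Without those, a regression that reports any EL action regardless of controller, or that depends on attribute order, would pass this suite. The last two test-code blocks also differ in how the description CDATA is closed (own line vs. same line as the text); one form should be used throughout. A minimal no-controller case follows; the reordered-attributes case is the existing first test with the two attributes swapped and `expected-problems` kept at 1.
```xml
<test-code>
<description><![CDATA[
EL action without a controller attribute is not reported
]]></description>
<expected-problems>0</expected-problems>
<code><![CDATA[
<apex:page action="{!csrfInitMethod}" >
]]></code>
<source-type>vf</source-type>
</test-code>
```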