Fix stack overflow error
@ -4,8 +4,11 @@
package net.sourceforge.pmd.lang.java.rule.security;
package net.sourceforge.pmd.lang.java.rule.security;
import java.util.HashSet;
import java.util.List;
import java.util.List;
import java.util.Set;
import net.sourceforge.pmd.RuleContext;
import net.sourceforge.pmd.lang.ast.Node;
import net.sourceforge.pmd.lang.ast.Node;
import net.sourceforge.pmd.lang.java.ast.ASTAllocationExpression;
import net.sourceforge.pmd.lang.java.ast.ASTAllocationExpression;
import net.sourceforge.pmd.lang.java.ast.ASTArgumentList;
import net.sourceforge.pmd.lang.java.ast.ASTArgumentList;
@ -33,11 +36,17 @@ import net.sourceforge.pmd.lang.symboltable.NameOccurrence;
public class HardCodedCryptoKeyRule extends AbstractJavaRule {
public class HardCodedCryptoKeyRule extends AbstractJavaRule {
private static final Class<?> SECRET_KEY_SPEC = javax.crypto.spec.SecretKeySpec.class;
private static final Class<?> SECRET_KEY_SPEC = javax.crypto.spec.SecretKeySpec.class;
private final Set<VariableNameDeclaration> checkedVars = new HashSet<>();
public HardCodedCryptoKeyRule() {
public HardCodedCryptoKeyRule() {
addRuleChainVisit(ASTAllocationExpression.class);
addRuleChainVisit(ASTAllocationExpression.class);
}
}
@Override
public void start(RuleContext ctx) {
checkedVars.clear();
}
@Override
@Override
public Object visit(ASTAllocationExpression node, Object data) {
public Object visit(ASTAllocationExpression node, Object data) {
if (TypeTestUtil.isA(SECRET_KEY_SPEC, node.getFirstChildOfType(ASTClassOrInterfaceType.class))) {
if (TypeTestUtil.isA(SECRET_KEY_SPEC, node.getFirstChildOfType(ASTClassOrInterfaceType.class))) {
@ -72,21 +81,22 @@ public class HardCodedCryptoKeyRule extends AbstractJavaRule {
// named variable
// named variable
ASTName namedVar = firstArgumentExpression.getFirstDescendantOfType(ASTName.class);
ASTName namedVar = firstArgumentExpression.getFirstDescendantOfType(ASTName.class);
if (namedVar != null) {
// find where it's declared, if possible
// find where it's declared, if possible
if (namedVar != null && namedVar.getNameDeclaration() instanceof VariableNameDeclaration
if (namedVar != null && namedVar.getNameDeclaration() instanceof VariableNameDeclaration) {
&& !checkedVars.contains(namedVar.getNameDeclaration())) {
VariableNameDeclaration varDecl = (VariableNameDeclaration) namedVar.getNameDeclaration();
VariableNameDeclaration varDecl = (VariableNameDeclaration) namedVar.getNameDeclaration();
ASTVariableInitializer initializer = varDecl.getAccessNodeParent().getFirstDescendantOfType(ASTVariableInitializer.class);
checkedVars.add(varDecl);
if (initializer != null) {
validateProperKeyArgument(data, initializer.getFirstDescendantOfType(ASTPrimaryPrefix.class));
}
List<NameOccurrence> usages = varDecl.getNode().getScope().getDeclarations().get(varDecl);
ASTVariableInitializer initializer = varDecl.getAccessNodeParent().getFirstDescendantOfType(ASTVariableInitializer.class);
for (NameOccurrence occurrence : usages) {
if (initializer != null) {
ASTStatementExpression parentExpr = occurrence.getLocation().getFirstParentOfType(ASTStatementExpression.class);
validateProperKeyArgument(data, initializer.getFirstDescendantOfType(ASTPrimaryPrefix.class));
if (isAssignment(parentExpr)) {
}
validateProperKeyArgument(data, parentExpr.getChild(2).getFirstDescendantOfType(ASTPrimaryPrefix.class));
}
List<NameOccurrence> usages = varDecl.getNode().getScope().getDeclarations().get(varDecl);
for (NameOccurrence occurrence : usages) {
ASTStatementExpression parentExpr = occurrence.getLocation().getFirstParentOfType(ASTStatementExpression.class);
if (isAssignment(occurrence.getLocation(), parentExpr)) {
validateProperKeyArgument(data, parentExpr.getChild(2).getFirstDescendantOfType(ASTPrimaryPrefix.class));
}
}
}
}
}
}
@ -104,9 +114,9 @@ public class HardCodedCryptoKeyRule extends AbstractJavaRule {
}
}
}
}
private boolean isAssignment(ASTStatementExpression statement) {
private boolean isAssignment(Node node, ASTStatementExpression statement) {
return statement != null
return statement != null && statement.getNumChildren() >= 3
&& statement.getNumChildren() >= 3
&& node == statement.getChild(0).getFirstDescendantOfType(ASTName.class)
&& statement.getChild(1) instanceof ASTAssignmentOperator;
&& statement.getChild(1) instanceof ASTAssignmentOperator;
}
}
}
}
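Review bot: The de-duplication that stops the recursion rests on `checkedVars` being a `HashSet<VariableNameDeclaration>` (field added in the second hunk, `checkedVars.contains(...)` / `checkedVars.add(varDecl)` in the third), so it inherits whatever `equals`/`hashCode` that declaration type defines; if those compare only the variable's image, as PMD 6's symbol-table declarations do, two unrelated locals that merely share a name within one file collapse into one entry and the later one is silently never expanded — a false negative in a rule whose job is to catch hard-coded keys, and the fixture's repeated `var0` across methods is exactly that shape. If that is the case, key the set on the declaration node instead, e.g. `private final Set<Node> checkedVars = Collections.newSetFromMap(new IdentityHashMap<>());` with `checkedVars.add(varDecl.getNode())` and the matching `contains` check, so identity rather than name decides. The `visit` method whose body the third hunk edits begins outside the hunk. A one-line comment on the field would also help the next reader, e.g. `// declarations already expanded for this file; breaks the cycle on self-referencing assignments such as v = v + k`, and `start(RuleContext)` deserves a note that it is what scopes the set to a single file.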
@ -110,6 +110,12 @@ public class Foo {
var0 = "hard coded key here";
var0 = "hard coded key here";
SecretKeySpec keySpec = new SecretKeySpec(var0.getBytes(), "AES");
SecretKeySpec keySpec = new SecretKeySpec(var0.getBytes(), "AES");
}
}
void encrypt2(String prefix, String key) {
final String var0 = prefix;
var0 = var0 + key;
SecretKeySpec keySpec = new SecretKeySpec(var0.getBytes(), "AES");
}
}
}
]]></code>
]]></code>
</test-code>
</test-code>
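Review bot: The new `encrypt2` fixture declares `final String var0 = prefix;` and then reassigns it with `var0 = var0 + key;`, which is not valid Java; PMD's parser will accept it, but a regression fixture that could never compile leaves it unclear whether the rule is meant to behave a particular way on an impossible program or just not overflow. Dropping the modifier keeps the self-referencing assignment that reproduces the stack overflow while staying valid, i.e. `String var0 = prefix;`. The `expected-problems` value and the rest of this `<test-code>` element lie outside the hunk, so I cannot tell whether `encrypt2` is intended as a true positive or, since the key is derived from parameters rather than a literal, as a no-violation case; a short comment above the method stating that intent would make the fixture self-explanatory.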