Json.parse is a safe evaluation

This commit is contained in:
Sergey
2017-04-12 15:32:42 -07:00
parent e7bcf6fdfa
commit e6966c7ca4
2 changed files with 29 additions and 1 deletions


@ -75,8 +75,10 @@ public class VfUnescapeElRule extends AbstractVfRule {
private void processElInScriptContext(ASTElExpression elExpression, ASTText prevText, Object data) { private void processElInScriptContext(ASTElExpression elExpression, ASTText prevText, Object data) {
boolean quoted = false; boolean quoted = false;
boolean jsonParse = false;
if (prevText != null) { if (prevText != null) {
jsonParse = isJsonParse(prevText);
if (isUnbalanced(prevText.getImage(), '\'') || isUnbalanced(prevText.getImage(), '\"')) { if (isUnbalanced(prevText.getImage(), '\'') || isUnbalanced(prevText.getImage(), '\"')) {
quoted = true; quoted = true;
} }
@ -90,12 +92,21 @@ public class VfUnescapeElRule extends AbstractVfRule {
} }
} }
} else { } else {
if (!(startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) { if (!(jsonParse || startsWithSafeResource(elExpression) || containsSafeFields(elExpression))) {
addViolation(data, elExpression); addViolation(data, elExpression);
} }
} }
} }
private boolean isJsonParse(ASTText prevText) {
if (prevText.getImage().endsWith("JSON.parse(") || prevText.getImage().endsWith("jQuery.parseJSON(")
|| prevText.getImage().endsWith("$.parseJSON(")) {
return true;
}
return false;
}
private boolean isUnbalanced(String image, char pattern) { private boolean isUnbalanced(String image, char pattern) {
char[] array = image.toCharArray(); char[] array = image.toCharArray();
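Review bot: `isJsonParse` exempts any expression whose preceding text ends in `JSON.parse(`, `jQuery.parseJSON(` or `$.parseJSON(`, yet at the changed `!(jsonParse || …)` line this exemption applies to the unquoted, non-JSENCODEd case, where as far as I can tell the merge-field value is still written into the page as JavaScript source forming the call's argument and only its evaluated result reaches the parser, so the wrapper does not by itself make the expression safe to emit. If the intended idiom is the quoted form with JSENCODE, that path is handled by the quoted branch (which lies between the two hunks and is not shown) and the unquoted exemption could be dropped or narrowed, with a comment stating why an unquoted argument is considered safe. The `endsWith` matches are also whitespace-sensitive (`JSON.parse( ` does not match), which is conservative but worth noting in a comment if kept. processElInScriptContext starts in the first hunk and continues into the second. As a style point, `isJsonParse` can read the image once and return the boolean directly: `String image = prevText.getImage(); return image.endsWith("JSON.parse(") || image.endsWith("jQuery.parseJSON(") || image.endsWith("$.parseJSON(");`.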


@ -557,6 +557,7 @@ Safe unquoted followed by safe quoted
]]></code> ]]></code>
<source-type>vf</source-type> <source-type>vf</source-type>
</test-code> </test-code>
<test-code> <test-code>
<description><![CDATA[ <description><![CDATA[
NOT method evaluates to safe boolean NOT method evaluates to safe boolean
@ -572,5 +573,21 @@ NOT method evaluates to safe boolean
<source-type>vf</source-type> <source-type>vf</source-type>
</test-code> </test-code>
<test-code>
<description><![CDATA[
JSON.parse method evaluates to safe JSON
]]></description>
<expected-problems>0</expected-problems>
<code><![CDATA[
<apex:page>
<script>
var x = JSON.parse({!yes});
jQuery.parseJSON({!yes});
$.parseJSON({!yes});
</script>
</apex:page>
]]></code>
<source-type>vf</source-type>
</test-code>
</test-data> </test-data>
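Review bot: The new test-code only asserts the exemption fires (`<expected-problems>0</expected-problems>` for three unquoted `JSON.parse({!yes})`-style calls); there is no companion case pinning that the exemption stays limited to the immediate argument. A second expression on the same line after the call closes, e.g. `var x = JSON.parse({!yes}) + {!yes};` with `<expected-problems>1</expected-problems>`, would document that the preceding-text check does not leak past the call, and a quoted variant `JSON.parse('{!JSENCODE(yes)}')` would record the form the rule regards as the safe idiom. Without such a negative case a later relaxation of `isJsonParse` would go unnoticed by this suite.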