/**
 * Raises an issue on {@code toUnderline} when it is the boolean literal {@code true}
 * (presumably a flag that switches object deserialization on at the call site).
 *
 * NOTE(review): only a literal is examined here. A {@code true} that reaches the call
 * through a variable, constant or method result is not reported, so a miss is possible
 * but a false positive is not.
 *
 * @param toUnderline the argument expression to inspect and, when {@code true}, to underline
 */
private void reportIfTrue(ExpressionTree toUnderline) {
  boolean enablesDeserialization = LiteralUtils.isTrue(toUnderline);
  if (!enablesDeserialization) {
    return;
  }
  reportIssue(toUnderline, "Disable object deserialization.");
}
}
/**
 * Visits a {@code while} statement and hands it to
 * {@code checkLoopWithAlwaysTrueCondition} when its condition is the literal {@code true}.
 *
 * NOTE(review): {@code super.visitWhileStatement} is not called, so whether the loop body
 * (and any nested {@code while (true)}) is still traversed depends on the base visitor —
 * confirm nested loops are not silently skipped.
 *
 * @param tree the while statement under inspection
 */
@Override
public void visitWhileStatement(WhileStatementTree tree) {
  if (!LiteralUtils.isTrue(tree.condition())) {
    return;
  }
  checkLoopWithAlwaysTrueCondition(context, tree);
}
/**
 * Tells whether {@code expressionTree} is the boolean literal {@code true}, looking through
 * any enclosing parentheses so that {@code (true)} is treated exactly like {@code true}.
 *
 * @param expressionTree the expression to test
 * @return {@code true} when the unparenthesised expression is the literal {@code true}
 */
private static boolean isTrue(ExpressionTree expressionTree) {
  return LiteralUtils.isTrue(ExpressionUtils.skipParentheses(expressionTree));
}
/**
 * Visits a {@code while} statement and hands it to
 * {@code checkLoopWithAlwaysTrueCondition} when its condition is the literal {@code true}.
 *
 * NOTE(review): {@code super.visitWhileStatement} is not called, so whether the loop body
 * (and any nested {@code while (true)}) is still traversed depends on the base visitor —
 * confirm nested loops are not silently skipped.
 *
 * @param tree the while statement under inspection
 */
@Override
public void visitWhileStatement(WhileStatementTree tree) {
  if (!LiteralUtils.isTrue(tree.condition())) {
    return;
  }
  checkLoopWithAlwaysTrueCondition(context, tree);
}
/**
 * Raises an issue on {@code toUnderline} when it is the boolean literal {@code true}
 * (presumably a flag that switches object deserialization on at the call site).
 *
 * NOTE(review): only a literal is examined here. A {@code true} that reaches the call
 * through a variable, constant or method result is not reported, so a miss is possible
 * but a false positive is not.
 *
 * @param toUnderline the argument expression to inspect and, when {@code true}, to underline
 */
private void reportIfTrue(ExpressionTree toUnderline) {
  boolean enablesDeserialization = LiteralUtils.isTrue(toUnderline);
  if (!enablesDeserialization) {
    return;
  }
  reportIssue(toUnderline, "Disable object deserialization.");
}
}
/**
 * Tells whether {@code expressionTree} is the boolean literal {@code true}, looking through
 * any enclosing parentheses so that {@code (true)} is treated exactly like {@code true}.
 *
 * @param expressionTree the expression to test
 * @return {@code true} when the unparenthesised expression is the literal {@code true}
 */
private static boolean isTrue(ExpressionTree expressionTree) {
  return LiteralUtils.isTrue(ExpressionUtils.skipParentheses(expressionTree));
}
/**
 * Decides whether a constructor call (presumably of a cookie type) leaves the httpOnly
 * flag set.
 *
 * Two families of constructors are accepted: those taking the httpOnly flag as their LAST
 * argument, which must then be the literal {@code true}, and those whose default is already
 * secure. Anything else is reported as non-compliant.
 *
 * Caveats: only a literal {@code true} is recognised for the flag — a value held in a
 * variable or constant is classified as non-compliant (a possible false positive, never a
 * missed insecure default). The last-argument lookup assumes every matcher in
 * {@code CONSTRUCTORS_WITH_HTTP_ONLY_PARAM} describes a constructor with at least one
 * parameter; an empty-argument match would throw.
 *
 * @param newClassTree the constructor invocation to classify
 * @return {@code true} when the call is known to produce an httpOnly result
 */
private static boolean isCompliantConstructorCall(NewClassTree newClassTree) {
  boolean takesHttpOnlyFlag = CONSTRUCTORS_WITH_HTTP_ONLY_PARAM.stream()
    .anyMatch(matcher -> matcher.matches(newClassTree));
  if (!takesHttpOnlyFlag) {
    // No explicit flag: compliant only if this constructor's default is already secure.
    return CONSTRUCTORS_WITH_GOOD_DEFAULT.stream()
      .anyMatch(matcher -> matcher.matches(newClassTree));
  }
  Arguments arguments = newClassTree.arguments();
  int lastIndex = arguments.size() - 1;
  return LiteralUtils.isTrue(arguments.get(lastIndex));
}
/**
 * Decides whether a constructor call (presumably of a cookie type) leaves the httpOnly
 * flag set.
 *
 * Two families of constructors are accepted: those taking the httpOnly flag as their LAST
 * argument, which must then be the literal {@code true}, and those whose default is already
 * secure. Anything else is reported as non-compliant.
 *
 * Caveats: only a literal {@code true} is recognised for the flag — a value held in a
 * variable or constant is classified as non-compliant (a possible false positive, never a
 * missed insecure default). The last-argument lookup assumes every matcher in
 * {@code CONSTRUCTORS_WITH_HTTP_ONLY_PARAM} describes a constructor with at least one
 * parameter; an empty-argument match would throw.
 *
 * @param newClassTree the constructor invocation to classify
 * @return {@code true} when the call is known to produce an httpOnly result
 */
private static boolean isCompliantConstructorCall(NewClassTree newClassTree) {
  boolean takesHttpOnlyFlag = CONSTRUCTORS_WITH_HTTP_ONLY_PARAM.stream()
    .anyMatch(matcher -> matcher.matches(newClassTree));
  if (!takesHttpOnlyFlag) {
    // No explicit flag: compliant only if this constructor's default is already secure.
    return CONSTRUCTORS_WITH_GOOD_DEFAULT.stream()
      .anyMatch(matcher -> matcher.matches(newClassTree));
  }
  Arguments arguments = newClassTree.arguments();
  int lastIndex = arguments.size() - 1;
  return LiteralUtils.isTrue(arguments.get(lastIndex));
}
/**
 * Returns whether {@code tree} is the boolean literal {@code true}, optionally wrapped in
 * one or more pairs of parentheses. Any other tree kind — including a non-literal expression
 * that merely evaluates to {@code true} — yields {@code false}.
 *
 * @param tree the tree to test; may be of any kind
 * @return {@code true} only for {@code true}, {@code (true)}, {@code ((true))}, ...
 */
private static boolean isTrueLiteral(Tree tree) {
  boolean candidateKind = tree.is(Tree.Kind.PARENTHESIZED_EXPRESSION)
    || tree.is(Tree.Kind.BOOLEAN_LITERAL);
  if (!candidateKind) {
    return false;
  }
  // Both accepted kinds are expressions, so the cast cannot fail here.
  ExpressionTree unwrapped = ExpressionUtils.skipParentheses((ExpressionTree) tree);
  return LiteralUtils.isTrue(unwrapped);
}
}
/**
 * Returns whether {@code tree} is the boolean literal {@code true}, optionally wrapped in
 * one or more pairs of parentheses. Any other tree kind — including a non-literal expression
 * that merely evaluates to {@code true} — yields {@code false}.
 *
 * @param tree the tree to test; may be of any kind
 * @return {@code true} only for {@code true}, {@code (true)}, {@code ((true))}, ...
 */
private static boolean isTrueLiteral(Tree tree) {
  boolean candidateKind = tree.is(Tree.Kind.PARENTHESIZED_EXPRESSION)
    || tree.is(Tree.Kind.BOOLEAN_LITERAL);
  if (!candidateKind) {
    return false;
  }
  // Both accepted kinds are expressions, so the cast cannot fail here.
  ExpressionTree unwrapped = ExpressionUtils.skipParentheses((ExpressionTree) tree);
  return LiteralUtils.isTrue(unwrapped);
}
}
/**
 * Records which of the three XML-hardening calls this invocation represents, by setting the
 * matching flag on the visitor:
 * <ul>
 *   <li>{@code setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)} sets
 *       {@code hasSecureProcessingFeature};</li>
 *   <li>{@code setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")} sets
 *       {@code hasSecuredExternalDtd};</li>
 *   <li>{@code setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")} sets
 *       {@code hasSecuredExternalStylesheet}.</li>
 * </ul>
 * Flags are only ever set, never cleared, and traversal then continues into the children.
 *
 * Caveats a reviewer should keep in mind: the feature value must be the literal {@code true}
 * and the attribute name/value must resolve to compile-time string constants, so values coming
 * from variables or method calls are not recognised and such code is still treated as
 * unsecured. Only the empty string counts for the external-access attributes; a restrictive but
 * non-empty protocol list is not accepted as secured either.
 *
 * @param methodInvocation the call being visited
 */
@Override
public void visitMethodInvocation(MethodInvocationTree methodInvocation) {
  Arguments arguments = methodInvocation.arguments();
  if (SET_FEATURE.matches(methodInvocation)) {
    String featureName = resolveAsStringConstant(arguments.get(0));
    boolean secureProcessing = XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureName);
    if (secureProcessing && LiteralUtils.isTrue(arguments.get(1))) {
      hasSecureProcessingFeature = true;
    }
  }
  if (SET_ATTRIBUTE.matches(methodInvocation)) {
    String attributeName = resolveAsStringConstant(arguments.get(0));
    String attributeValue = resolveAsStringConstant(arguments.get(1));
    // An empty access list is the only value that disables external fetching entirely.
    boolean disablesExternalAccess = "".equals(attributeValue);
    if (disablesExternalAccess && XMLConstants.ACCESS_EXTERNAL_DTD.equals(attributeName)) {
      hasSecuredExternalDtd = true;
    } else if (disablesExternalAccess && XMLConstants.ACCESS_EXTERNAL_STYLESHEET.equals(attributeName)) {
      hasSecuredExternalStylesheet = true;
    }
  }
  super.visitMethodInvocation(methodInvocation);
}
/**
 * Records which of the three XML-hardening calls this invocation represents, by setting the
 * matching flag on the visitor:
 * <ul>
 *   <li>{@code setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)} sets
 *       {@code hasSecureProcessingFeature};</li>
 *   <li>{@code setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")} sets
 *       {@code hasSecuredExternalDtd};</li>
 *   <li>{@code setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")} sets
 *       {@code hasSecuredExternalStylesheet}.</li>
 * </ul>
 * Flags are only ever set, never cleared, and traversal then continues into the children.
 *
 * Caveats a reviewer should keep in mind: the feature value must be the literal {@code true}
 * and the attribute name/value must resolve to compile-time string constants, so values coming
 * from variables or method calls are not recognised and such code is still treated as
 * unsecured. Only the empty string counts for the external-access attributes; a restrictive but
 * non-empty protocol list is not accepted as secured either.
 *
 * @param methodInvocation the call being visited
 */
@Override
public void visitMethodInvocation(MethodInvocationTree methodInvocation) {
  Arguments arguments = methodInvocation.arguments();
  if (SET_FEATURE.matches(methodInvocation)) {
    String featureName = resolveAsStringConstant(arguments.get(0));
    boolean secureProcessing = XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureName);
    if (secureProcessing && LiteralUtils.isTrue(arguments.get(1))) {
      hasSecureProcessingFeature = true;
    }
  }
  if (SET_ATTRIBUTE.matches(methodInvocation)) {
    String attributeName = resolveAsStringConstant(arguments.get(0));
    String attributeValue = resolveAsStringConstant(arguments.get(1));
    // An empty access list is the only value that disables external fetching entirely.
    boolean disablesExternalAccess = "".equals(attributeValue);
    if (disablesExternalAccess && XMLConstants.ACCESS_EXTERNAL_DTD.equals(attributeName)) {
      hasSecuredExternalDtd = true;
    } else if (disablesExternalAccess && XMLConstants.ACCESS_EXTERNAL_STYLESHEET.equals(attributeName)) {
      hasSecuredExternalStylesheet = true;
    }
  }
  super.visitMethodInvocation(methodInvocation);
}
/**
 * Looks for SMTP-over-SSL configuration that never turns on server identity validation.
 *
 * Two patterns are recognised, and only when the call sits inside a method body:
 * <ul>
 *   <li>a call matched by {@code ENABLING_SSL_METHODS} whose first argument is the literal
 *       {@code true} — the enclosing method is then scanned with
 *       {@code MethodBodyApacheVisitor};</li>
 *   <li>a matched {@code put} of {@code "mail.smtp.socketFactory.class"} →
 *       {@code "javax.net.ssl.SSLSocketFactory"} — the enclosing method is scanned with
 *       {@code MethodBodyHashtableVisitor}.</li>
 * </ul>
 * An issue is raised at the call site when the scanner did not find the identity check.
 *
 * Caveats: the scan is limited to the enclosing method, so a check performed in a helper
 * method is invisible here and yields a false positive. An SSL flag passed through a variable
 * rather than a literal is not examined at all, and both property strings must resolve to
 * compile-time constants.
 *
 * @param mit the invocation that matched this check's method matchers
 */
@Override
protected void onMethodInvocationFound(MethodInvocationTree mit) {
  MethodTree enclosing = ExpressionUtils.getEnclosingMethod(mit);
  if (enclosing != null) {
    Arguments args = mit.arguments();
    if (ENABLING_SSL_METHODS.matches(mit) && LiteralUtils.isTrue(args.get(0))) {
      checkApacheSslCall(mit, enclosing);
    } else if (isSslSocketFactoryPut(mit, args)) {
      checkJavaMailPropertiesCall(mit, enclosing);
    }
  }
  super.onMethodInvocationFound(mit);
}

/** Scans {@code enclosing} for the Apache-style identity check and reports {@code mit} if absent. */
private void checkApacheSslCall(MethodInvocationTree mit, MethodTree enclosing) {
  MethodBodyApacheVisitor apacheVisitor = new MethodBodyApacheVisitor();
  enclosing.accept(apacheVisitor);
  if (!apacheVisitor.isSecured) {
    reportIssue(mit, "Enable server identity validation on this SMTP SSL connection.");
  }
}

/** Scans {@code enclosing} for the JavaMail property-based identity check and reports {@code mit} if absent. */
private void checkJavaMailPropertiesCall(MethodInvocationTree mit, MethodTree enclosing) {
  MethodBodyHashtableVisitor hashVisitor = new MethodBodyHashtableVisitor();
  enclosing.accept(hashVisitor);
  if (!hashVisitor.isSecured) {
    reportIssue(mit, "Enable server identity validation, set \"mail.smtp.ssl.checkserveridentity\" to true");
  }
}

/** True when {@code mit} is a matched put of the SSL socket factory property to the JSSE factory. */
private static boolean isSslSocketFactoryPut(MethodInvocationTree mit, Arguments args) {
  return HASHTABLE_PUT.matches(mit)
    && "mail.smtp.socketFactory.class".equals(ConstantUtils.resolveAsStringConstant(args.get(0)))
    && "javax.net.ssl.SSLSocketFactory".equals(ConstantUtils.resolveAsStringConstant(args.get(1)));
}
/**
 * Looks for SMTP-over-SSL configuration that never turns on server identity validation.
 *
 * Two patterns are recognised, and only when the call sits inside a method body:
 * <ul>
 *   <li>a call matched by {@code ENABLING_SSL_METHODS} whose first argument is the literal
 *       {@code true} — the enclosing method is then scanned with
 *       {@code MethodBodyApacheVisitor};</li>
 *   <li>a matched {@code put} of {@code "mail.smtp.socketFactory.class"} →
 *       {@code "javax.net.ssl.SSLSocketFactory"} — the enclosing method is scanned with
 *       {@code MethodBodyHashtableVisitor}.</li>
 * </ul>
 * An issue is raised at the call site when the scanner did not find the identity check.
 *
 * Caveats: the scan is limited to the enclosing method, so a check performed in a helper
 * method is invisible here and yields a false positive. An SSL flag passed through a variable
 * rather than a literal is not examined at all, and both property strings must resolve to
 * compile-time constants.
 *
 * @param mit the invocation that matched this check's method matchers
 */
@Override
protected void onMethodInvocationFound(MethodInvocationTree mit) {
  MethodTree enclosing = ExpressionUtils.getEnclosingMethod(mit);
  if (enclosing != null) {
    Arguments args = mit.arguments();
    if (ENABLING_SSL_METHODS.matches(mit) && LiteralUtils.isTrue(args.get(0))) {
      checkApacheSslCall(mit, enclosing);
    } else if (isSslSocketFactoryPut(mit, args)) {
      checkJavaMailPropertiesCall(mit, enclosing);
    }
  }
  super.onMethodInvocationFound(mit);
}

/** Scans {@code enclosing} for the Apache-style identity check and reports {@code mit} if absent. */
private void checkApacheSslCall(MethodInvocationTree mit, MethodTree enclosing) {
  MethodBodyApacheVisitor apacheVisitor = new MethodBodyApacheVisitor();
  enclosing.accept(apacheVisitor);
  if (!apacheVisitor.isSecured) {
    reportIssue(mit, "Enable server identity validation on this SMTP SSL connection.");
  }
}

/** Scans {@code enclosing} for the JavaMail property-based identity check and reports {@code mit} if absent. */
private void checkJavaMailPropertiesCall(MethodInvocationTree mit, MethodTree enclosing) {
  MethodBodyHashtableVisitor hashVisitor = new MethodBodyHashtableVisitor();
  enclosing.accept(hashVisitor);
  if (!hashVisitor.isSecured) {
    reportIssue(mit, "Enable server identity validation, set \"mail.smtp.ssl.checkserveridentity\" to true");
  }
}

/** True when {@code mit} is a matched put of the SSL socket factory property to the JSSE factory. */
private static boolean isSslSocketFactoryPut(MethodInvocationTree mit, Arguments args) {
  return HASHTABLE_PUT.matches(mit)
    && "mail.smtp.socketFactory.class".equals(ConstantUtils.resolveAsStringConstant(args.get(0)))
    && "javax.net.ssl.SSLSocketFactory".equals(ConstantUtils.resolveAsStringConstant(args.get(1)));
}