mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
32111 Commits
59 Branches
Tree: fcb80c0ade
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fcb80c0ade'
${ noResults }
sonarqube/server/sonar-server-common/src/test/java/org/sonar/server/rule/HotspotRuleDescriptionTest....

HotspotRuleDescriptionTest.java 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2022 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.rule;

  21. 

  22. import com.tngtech.java.junit.dataprovider.DataProvider;

  23. import com.tngtech.java.junit.dataprovider.DataProviderRunner;

  24. import com.tngtech.java.junit.dataprovider.UseDataProvider;

  25. import org.junit.Test;

  26. import org.junit.runner.RunWith;

  27. import org.sonar.db.rule.RuleDto;

  28. import org.sonar.db.rule.RuleTesting;

  29. 

  30. import static org.apache.commons.lang.RandomStringUtils.randomAlphabetic;

  31. import static org.assertj.core.api.Assertions.assertThat;

  32. import static org.sonar.db.rule.RuleDescriptionSectionDto.createDefaultRuleDescriptionSection;

  33. 

  34. @RunWith(DataProviderRunner.class)

  35. public class HotspotRuleDescriptionTest {

  36. 

  37.   @Test

  38.   public void parse_returns_all_empty_fields_when_no_description() {

  39.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection();

  40. 

  41.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  42. 

  43.     assertThat(result.getRisk()).isEmpty();

  44.     assertThat(result.getVulnerable()).isEmpty();

  45.     assertThat(result.getFixIt()).isEmpty();

  46.   }

  47. 

  48.   @Test

  49.   public void parse_returns_all_empty_fields_when_empty_description() {

  50.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection().addRuleDescriptionSectionDto(createDefaultRuleDescriptionSection("uuid", ""));

  51. 

  52.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  53. 

  54.     assertThat(result.getRisk()).isEmpty();

  55.     assertThat(result.getVulnerable()).isEmpty();

  56.     assertThat(result.getFixIt()).isEmpty();

  57.   }

  58. 

  59.   @Test

  60.   @UseDataProvider("descriptionsWithoutTitles")

  61.   public void parse_to_risk_description_fields_when_desc_contains_no_section(String description) {

  62.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection().addRuleDescriptionSectionDto(createDefaultRuleDescriptionSection("uuid", description));

  63. 

  64.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  65. 

  66.     assertThat(result.getRisk()).contains(description);

  67.     assertThat(result.getVulnerable()).isEmpty();

  68.     assertThat(result.getFixIt()).isEmpty();

  69.   }

  70. 

  71.   @DataProvider

  72.   public static Object[][] descriptionsWithoutTitles() {

  73.     return new Object[][] {

  74.       {randomAlphabetic(123)},

  75.       {"bar\n" +

  76.         "acme\n" +

  77.         "foo"}

  78.     };

  79.   }

  80. 

  81.   @Test

  82.   public void parse_return_null_risk_when_desc_starts_with_ask_yourself_title() {

  83.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection().addRuleDescriptionSectionDto(

  84.       createDefaultRuleDescriptionSection("uuid", (ASKATRISK + RECOMMENTEDCODINGPRACTICE)));

  85. 

  86.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  87. 

  88.     assertThat(result.getRisk()).isEmpty();

  89.     assertThat(result.getVulnerable()).contains(ASKATRISK);

  90.     assertThat(result.getFixIt()).contains(RECOMMENTEDCODINGPRACTICE);

  91.   }

  92. 

  93.   @Test

  94.   public void parse_return_null_vulnerable_when_no_ask_yourself_whether_title() {

  95.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection()

  96.       .addRuleDescriptionSectionDto(createDefaultRuleDescriptionSection("uuid", (DESCRIPTION + RECOMMENTEDCODINGPRACTICE)));

  97. 

  98.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  99. 

  100.     assertThat(result.getRisk()).contains(DESCRIPTION);

  101.     assertThat(result.getVulnerable()).isEmpty();

  102.     assertThat(result.getFixIt()).contains(RECOMMENTEDCODINGPRACTICE);

  103.   }

  104. 

  105.   @Test

  106.   public void parse_return_null_fixIt_when_desc_has_no_Recommended_Secure_Coding_Practices_title() {

  107.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection()

  108.       .addRuleDescriptionSectionDto(createDefaultRuleDescriptionSection("uuid", (DESCRIPTION + ASKATRISK)));

  109. 

  110.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  111. 

  112.     assertThat(result.getRisk()).contains(DESCRIPTION);

  113.     assertThat(result.getVulnerable()).contains(ASKATRISK);

  114.     assertThat(result.getFixIt()).isEmpty();

  115.   }

  116. 

  117.   @Test

  118.   public void parse_with_noncompliant_section_not_removed() {

  119.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection().addRuleDescriptionSectionDto(

  120.       createDefaultRuleDescriptionSection("uuid", (DESCRIPTION + NONCOMPLIANTCODE + COMPLIANTCODE)));

  121. 

  122.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  123. 

  124.     assertThat(result.getRisk()).contains(DESCRIPTION);

  125.     assertThat(result.getVulnerable()).contains(NONCOMPLIANTCODE);

  126.     assertThat(result.getFixIt()).contains(COMPLIANTCODE);

  127.   }

  128. 

  129.   @Test

  130.   public void parse_moved_noncompliant_code() {

  131.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection().addRuleDescriptionSectionDto(

  132.       createDefaultRuleDescriptionSection("uuid", (DESCRIPTION + RECOMMENTEDCODINGPRACTICE + NONCOMPLIANTCODE + SEE)));

  133. 

  134.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  135. 

  136.     assertThat(result.getRisk()).contains(DESCRIPTION);

  137. 

  138.     assertThat(result.getVulnerable()).contains(NONCOMPLIANTCODE);

  139.     assertThat(result.getFixIt()).contains(RECOMMENTEDCODINGPRACTICE + SEE);

  140. 

  141.   }

  142. 

  143.   @Test

  144.   public void parse_moved_sensitivecode_code() {

  145.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection().addRuleDescriptionSectionDto(

  146.       createDefaultRuleDescriptionSection("uuid", (DESCRIPTION + ASKATRISK + RECOMMENTEDCODINGPRACTICE + SENSITIVECODE + SEE)));

  147. 

  148.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  149. 

  150.     assertThat(result.getRisk()).contains(DESCRIPTION);

  151.     assertThat(result.getVulnerable()).contains(ASKATRISK + SENSITIVECODE);

  152.     assertThat(result.getFixIt()).contains(RECOMMENTEDCODINGPRACTICE + SEE);

  153.   }

  154. 

  155.   @Test

  156.   public void parse_custom_rule_description() {

  157.     String ruleDescription = "This is the custom rule description";

  158.     String exceptionsContent = "This the exceptions section content";

  159.     String askContent = "This is the ask section content";

  160.     String recommendedContent = "This is the recommended section content";

  161. 

  162.     RuleDto dto = RuleTesting.newRuleWithoutDescriptionSection()

  163.       .setTemplateUuid("123")

  164.       .setDescriptionFormat(RuleDto.Format.MARKDOWN)

  165.       .addRuleDescriptionSectionDto(createDefaultRuleDescriptionSection(

  166.         "uuid", ruleDescription + "\n"

  167.           + "== Exceptions" + "\n"

  168.           + exceptionsContent + "\n"

  169.           + "== Ask Yourself Whether" + "\n"

  170.           + askContent + "\n"

  171.           + "== Recommended Secure Coding Practices" + "\n"

  172.           + recommendedContent + "\n"

  173.       ));

  174. 

  175.     HotspotRuleDescription result = HotspotRuleDescription.from(dto);

  176. 

  177.     assertThat(result.getRisk().get()).hasToString(

  178.       ruleDescription + "<br/>"

  179.       + "<h2>Exceptions</h2>"

  180.       + exceptionsContent + "<br/>"

  181.     );

  182.     assertThat(result.getVulnerable().get()).hasToString(

  183.         "<h2>Ask Yourself Whether</h2>"

  184.         + askContent + "<br/>"

  185.     );

  186.     assertThat(result.getFixIt().get()).hasToString(

  187.       "<h2>Recommended Secure Coding Practices</h2>"

  188.         + recommendedContent + "<br/>"

  189.     );

  190.   }

  191. 

  192.   /*

  193.    * Bunch of static constant to create rule description.

  194.    */

  195.   private static final String DESCRIPTION = "<p>The use of operators pairs ( <code>=+</code>, <code>=-</code> or <code>=!</code> ) where the reversed, single operator was meant (<code>+=</code>,\n"

  196.     +

  197.     "<code>-=</code> or <code>!=</code>) will compile and run, but not produce the expected results.</p>\n" +

  198.     "<p>This rule raises an issue when <code>=+</code>, <code>=-</code>, or <code>=!</code> is used without any spacing between the two operators and when\n" +

  199.     "there is at least one whitespace character after.</p>\n";

  200.   private static final String NONCOMPLIANTCODE = "<h2>Noncompliant Code Example</h2>\n" +

  201.     "<pre>Integer target = -5;\n" +

  202.     "Integer num = 3;\n" +

  203.     "\n" +

  204.     "target =- num;  // Noncompliant; target = -3. Is that really what's meant?\n" +

  205.     "target =+ num; // Noncompliant; target = 3\n" +

  206.     "</pre>\n";

  207. 

  208.   private static final String COMPLIANTCODE = "<h2>Compliant Solution</h2>\n" +

  209.     "<pre>Integer target = -5;\n" +

  210.     "Integer num = 3;\n" +

  211.     "\n" +

  212.     "target = -num;  // Compliant; intent to assign inverse value of num is clear\n" +

  213.     "target += num;\n" +

  214.     "</pre>\n";

  215. 

  216.   private static final String SEE = "<h2>See</h2>\n" +

  217.     "<ul>\n" +

  218.     "  <li> <a href=\"https://cwe.mitre.org/data/definitions/352.html\">MITRE, CWE-352</a> - Cross-Site Request Forgery (CSRF) </li>\n" +

  219.     "  <li> <a href=\"https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration\">OWASP Top 10 2017 Category A6</a> - Security\n" +

  220.     "  Misconfiguration </li>\n" +

  221.     "  <li> <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">OWASP: Cross-Site Request Forgery</a> </li>\n" +

  222.     "  <li> <a href=\"https://www.sans.org/top25-software-errors/#cat1\">SANS Top 25</a> - Insecure Interaction Between Components </li>\n" +

  223.     "  <li> Derived from FindSecBugs rule <a href=\"https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED\">SPRING_CSRF_PROTECTION_DISABLED</a> </li>\n" +

  224.     "  <li> <a href=\"https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#when-to-use-csrf-protection\">Spring Security\n" +

  225.     "  Official Documentation: When to use CSRF protection</a> </li>\n" +

  226.     "</ul>\n";

  227. 

  228.   private static final String RECOMMENTEDCODINGPRACTICE = "<h2>Recommended Secure Coding Practices</h2>\n" +

  229.     "<ul>\n" +

  230.     "  <li> activate Spring Security's CSRF protection. </li>\n" +

  231.     "</ul>\n";

  232. 

  233.   private static final String ASKATRISK = "<h2>Ask Yourself Whether</h2>\n" +

  234.     "<ul>\n" +

  235.     "  <li> Any URLs responding with <code>Access-Control-Allow-Origin: *</code> include sensitive content. </li>\n" +

  236.     "  <li> Any domains specified in <code>Access-Control-Allow-Origin</code> headers are checked against a whitelist. </li>\n" +

  237.     "</ul>\n";

  238. 

  239.   private static final String SENSITIVECODE = "<h2>Sensitive Code Example</h2>\n" +

  240.     "<pre>\n" +

  241.     "// === Java Servlet ===\n" +

  242.     "@Override\n" +

  243.     "protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n" +

  244.     "  resp.setHeader(\"Content-Type\", \"text/plain; charset=utf-8\");\n" +

  245.     "  resp.setHeader(\"Access-Control-Allow-Origin\", \"http://localhost:8080\"); // Questionable\n" +

  246.     "  resp.setHeader(\"Access-Control-Allow-Credentials\", \"true\"); // Questionable\n" +

  247.     "  resp.setHeader(\"Access-Control-Allow-Methods\", \"GET\"); // Questionable\n" +

  248.     "  resp.getWriter().write(\"response\");\n" +

  249.     "}\n" +

  250.     "</pre>\n" +

  251.     "<pre>\n" +

  252.     "// === Spring MVC Controller annotation ===\n" +

  253.     "@CrossOrigin(origins = \"http://domain1.com\") // Questionable\n" +

  254.     "@RequestMapping(\"\")\n" +

  255.     "public class TestController {\n" +

  256.     "    public String home(ModelMap model) {\n" +

  257.     "        model.addAttribute(\"message\", \"ok \");\n" +

  258.     "        return \"view\";\n" +

  259.     "    }\n" +

  260.     "\n" +

  261.     "    @CrossOrigin(origins = \"http://domain2.com\") // Questionable\n" +

  262.     "    @RequestMapping(value = \"/test1\")\n" +

  263.     "    public ResponseEntity&lt;String&gt; test1() {\n" +

  264.     "        return ResponseEntity.ok().body(\"ok\");\n" +

  265.     "    }\n" +

  266.     "}\n" +

  267.     "</pre>\n";

  268. }