
Commit 111bdb5

authored
Merge pull request #35 from SpringKill-team/feature/mergesink
Feature/mergesink
2 parents 34ff8de + ef8fa50 commit 111bdb5

10 files changed

Lines changed: 10 additions & 262 deletions


src/main/kotlin/org/skgroup/securityinspector/analysis/ast/nodes/CallExpressionNode.kt

Lines changed: 0 additions & 23 deletions
This file was deleted.

src/main/kotlin/org/skgroup/securityinspector/analysis/ast/nodes/ClassNode.kt

Lines changed: 0 additions & 24 deletions
This file was deleted.

src/main/kotlin/org/skgroup/securityinspector/analysis/ast/nodes/NewExpressionNode.kt

Lines changed: 0 additions & 21 deletions
This file was deleted.

src/main/kotlin/org/skgroup/securityinspector/enums/VulnElemType.kt

Lines changed: 0 additions & 7 deletions
This file was deleted.

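--- a/src/main/kotlin/org/skgroup/securityinspector/ui/component/IssueProblemsTab.kt
+++ b/src/main/kotlin/org/skgroup/securityinspector/ui/component/IssueProblemsTab.kt
@@ -11,7 +11,7 @@ import com.intellij.openapi.vfs.VirtualFile
 import com.intellij.ui.components.JBPanel
 import com.intellij.ui.components.JBScrollPane
 import com.intellij.ui.table.JBTable
-import org.skgroup.securityinspector.utils.GraphUtils.collectProjectIssues
+import org.skgroup.securityinspector.utils.SinkUtil.collectProjectIssues
 import java.awt.BorderLayout
 import java.awt.event.MouseAdapter
 import java.awt.event.MouseEvent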

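--- a/src/main/kotlin/org/skgroup/securityinspector/utils/GraphUtils.kt
+++ b/src/main/kotlin/org/skgroup/securityinspector/utils/GraphUtils.kt
@@ -3,25 +3,16 @@ package org.skgroup.securityinspector.utils
 import com.intellij.ide.highlighter.JavaFileType
 import com.intellij.lang.java.JavaLanguage
 import com.intellij.openapi.application.ApplicationManager
-import com.intellij.openapi.progress.EmptyProgressIndicator
-import com.intellij.openapi.progress.ProgressIndicator
-import com.intellij.openapi.progress.ProgressManager
-import com.intellij.openapi.progress.Task
-import com.intellij.openapi.project.DumbService
 import com.intellij.openapi.project.Project
 import com.intellij.openapi.vfs.LocalFileSystem
 import com.intellij.openapi.vfs.VirtualFile
 import com.intellij.psi.*
 import com.intellij.psi.search.FileTypeIndex
 import com.intellij.psi.search.GlobalSearchScope
-import com.intellij.psi.search.ProjectScope
-import com.intellij.psi.search.searches.ReferencesSearch
-import org.skgroup.securityinspector.analysis.ast.ProjectIssue
 import org.skgroup.securityinspector.analysis.ast.SourceSpan
 import org.skgroup.securityinspector.analysis.ast.nodes.MethodNode
 import org.skgroup.securityinspector.analysis.ast.nodes.ParameterNode
 import org.skgroup.securityinspector.analysis.graphs.callgraph.CallGraph
-import org.skgroup.securityinspector.enums.SinkCallMode
 import java.nio.file.Files
 import java.nio.file.Paths
 
@@ -312,143 +303,4 @@ object GraphUtils {
 }
 }
 
-/**
-* Collect project issues 收集项目sink点,代替原始sink注册
-*
-* @param project
-* @param chunkSize
-* @param callback
-* @receiver
-*/
-fun collectProjectIssues(
-project: Project,
-chunkSize: Int = 50,
-callback: (List<ProjectIssue>) -> Unit,
-) {
-DumbService.getInstance(project).runWhenSmart {
-ProgressManager.getInstance().runProcessWithProgressAsynchronously(
-object : Task.Backgroundable(project, "Analyzing sink methods", true) {
-private val issues = mutableListOf<ProjectIssue>()
-
-override fun run(indicator: ProgressIndicator) {
-ApplicationManager.getApplication().runReadAction {
-val javaFiles = FileTypeIndex.getFiles(
-JavaFileType.INSTANCE,
-GlobalSearchScope.projectScope(project)
-).asSequence()
-javaFiles.chunked(chunkSize).forEachIndexed { index, chunk ->
-if (indicator.isCanceled) return@runReadAction
-
-indicator.text = "Processing files ${index * chunkSize + 1}~${(index + 1) * chunkSize}"
-indicator.fraction = index.toDouble() / (javaFiles.count() / chunkSize)
-
-processFileChunk(project, chunk, indicator)
-
-ApplicationManager.getApplication().invokeLater {
-callback(issues.toList())
-}
-
-}
-}
-
-}
-
-private fun processFileChunk(
-project: Project,
-files: List<VirtualFile>,
-indicator: ProgressIndicator
-) {
-ApplicationManager.getApplication().runReadAction {
-val manager = PsiManager.getInstance(project)
-files.forEach { virtualFile ->
-if (indicator.isCanceled) return@runReadAction
-if (virtualFile.path.contains("src/test")) return@forEach
-
-if (!virtualFile.isValid) return@forEach
-
-val psiFile = manager.findFile(virtualFile) as? PsiJavaFile ?: return@forEach
-psiFile.accept(object : JavaRecursiveElementWalkingVisitor() {
-override fun visitMethodCallExpression(call: PsiMethodCallExpression) {
-if (!call.isValid || indicator.isCanceled) return
-
-val methodName = call.methodExpression.referenceName ?: return
-val className = call.resolveMethod()?.containingClass?.qualifiedName ?: return
-
-val sinkMatch = SinkList.ALL_SUB_VUL_DEFINITIONS.firstOrNull { callSink ->
-callSink.methodSinks[className]?.contains(methodName) == true
-} ?: return
-
-val document = PsiDocumentManager.getInstance(project).getDocument(psiFile)
-val line = document?.getLineNumber(call.textRange.startOffset)?.plus(1) ?: -1
-
-var callMode = SinkCallMode.SINGLE_SINK
-val method = call.resolveMethod()
-val hasCall = method?.let {
-ReferencesSearch.search(it, ProjectScope.getProjectScope(project))
-.findFirst()
-} != null
-synchronized(issues) {
-if (hasCall) {
-callMode = SinkCallMode.HAS_CALL
-}
-issues.add(
-ProjectIssue(
-virtualFile,
-line,
-className,
-methodName,
-sinkMatch.subType.parent.name,
-sinkMatch.subType.name,
-callMode
-)
-)
-}
-}
-
-override fun visitNewExpression(new: PsiNewExpression) {
-if (!new.isValid || indicator.isCanceled) return
-
-
-val methodName = "<init>"
-val className = new.classReference?.qualifiedName ?: return
-
-val sinkMatch = SinkList.ALL_SUB_VUL_DEFINITIONS.firstOrNull { conSink ->
-conSink.constructorSinks.contains(className)
-} ?: return
-
-val document = PsiDocumentManager.getInstance(project).getDocument(psiFile)
-val line = document?.getLineNumber(new.textRange.startOffset)?.plus(1) ?: -1
-
-var callMode = SinkCallMode.SINGLE_SINK
-val method = new.resolveMethod()
-val hasCall = method?.let {
-ReferencesSearch.search(it, ProjectScope.getProjectScope(project))
-.findFirst()
-} != null
-synchronized(issues) {
-if (hasCall) {
-callMode = SinkCallMode.HAS_CALL
-}
-issues.add(
-ProjectIssue(
-virtualFile,
-line,
-className,
-methodName,
-sinkMatch.subType.parent.name,
-sinkMatch.subType.name,
-callMode
-)
-)
-}
-}
-})
-}
-}
-}
-}, EmptyProgressIndicator()
-)
-}
-}
-
 }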

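--- a/src/main/kotlin/org/skgroup/securityinspector/visitors/SinkAnalysisJavaVisitor.kt
+++ b/src/main/kotlin/org/skgroup/securityinspector/visitors/SinkAnalysisJavaVisitor.kt
@@ -47,6 +47,7 @@ class SinkAnalysisJavaVisitor(
 }
 
 addIssue(call, className, methodName, sinkMatch)
+super.visitMethodCallExpression(call)
 }
 
 override fun visitNewExpression(new: PsiNewExpression) {
@@ -60,10 +61,10 @@ class SinkAnalysisJavaVisitor(
 } ?: return
 
 addIssue(new, className, methodName, sinkMatch)
+super.visitNewExpression(new)
 }
 
 override fun visitMethod(method: PsiMethod) {
-super.visitMethod(method)
 if (indicator.isCanceled) return
 
 // 检查方法上的MyBatis注解
@@ -82,6 +83,7 @@ class SinkAnalysisJavaVisitor(
 }
 }
 }
+super.visitMethod(method)
 }
 
 private fun containsDollarBrace(value: PsiAnnotationMemberValue): Boolean {
@@ -96,15 +98,18 @@ class SinkAnalysisJavaVisitor(
 
 override fun visitLocalVariable(variable: PsiLocalVariable) {
 checkHardcodedCredentials(variable.name, variable.initializer)
+super.visitLocalVariable(variable)
 }
 
 override fun visitAssignmentExpression(expression: PsiAssignmentExpression) {
 val varName = (expression.lExpression as? PsiReferenceExpression)?.qualifiedName
 checkHardcodedCredentials(varName, expression.rExpression)
+super.visitAssignmentExpression(expression)
 }
 
 override fun visitField(field: PsiField) {
 checkHardcodedCredentials(field.name, field.initializer)
+super.visitField(field)
 }
 
 private fun addIssue(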
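Review bot: The new `super.visitMethodCallExpression(call)` (first hunk) and `super.visitNewExpression(new)` (second hunk) are placed after the sink-match code, so the early returns above them — the `} ?: return` visible at the top of the second hunk, and presumably the equivalent name/class lookups in the first — still skip the super call for any call or constructor that does not resolve or is not a registered sink. If the base type is a walking visitor that only descends into children when `visitElement` is reached via super (the class header and base type are outside the hunk, so this is inferred), the subtree of every non-sink call is never visited and a sink nested in the argument list of an ordinary call is silently missed, which is exactly the coverage this commit seems to want. Calling super as the first statement of each override, `super.visitMethodCallExpression(call)` and `super.visitNewExpression(new)`, before any `?: return`, makes traversal independent of the match result; the cancellation check in `visitMethod` returning before super is fine since stopping the descent is the intent there. Consider the same ordering for the `visitLocalVariable`/`visitAssignmentExpression`/`visitField` additions in the last hunk for consistency, although there `checkHardcodedCredentials` has no early return visible in the hunk.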

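--- a/src/main/kotlin/org/skgroup/securityinspector/visitors/SinkAnalysisXMLVisitor.kt
+++ b/src/main/kotlin/org/skgroup/securityinspector/visitors/SinkAnalysisXMLVisitor.kt
@@ -100,8 +100,8 @@ class SinkAnalysisXMLVisitor(
 )
 }
 }
-}
 
-fun SinkList.getSQLiDefinition(): SubVulnerabilityDefinition {
-return ALL_SUB_VUL_DEFINITIONS.first { it.subType == SubVulnerabilityType.MYBATIS_XML_SQLI }
+fun SinkList.getSQLiDefinition(): SubVulnerabilityDefinition {
+return ALL_SUB_VUL_DEFINITIONS.first { it.subType == SubVulnerabilityType.MYBATIS_XML_SQLI }
+}
 }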
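Review bot: Moving `fun SinkList.getSQLiDefinition()` inside the closing brace of `SinkAnalysisXMLVisitor` turns a public top-level extension into a member extension that is only resolvable inside this class, so any other caller of the old top-level function now fails to compile; if the narrowing is intended, make it explicit with `private fun SinkList.getSQLiDefinition(): SubVulnerabilityDefinition`. Independently, `first { it.subType == SubVulnerabilityType.MYBATIS_XML_SQLI }` throws `NoSuchElementException` with no context if no MyBatis-XML SQLi definition is registered; `firstOrNull { ... } ?: error("no MYBATIS_XML_SQLI definition registered in SinkList")` fails with a message that points at the sink table. Indentation is not visible on the rendered page, so the new nesting is inferred from the brace moves in the hunk.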

src/main/resources/InspectionBundle.properties

Lines changed: 0 additions & 33 deletions
This file was deleted.

src/main/resources/InspectionBundle_zh.properties

Lines changed: 0 additions & 1 deletion
This file was deleted.
