fix ObfuscationRequired: add sensitivePackages property
Oleksii Dykov committed Feb 14, 2022
1 parent af0d835 commit 99b6713
Showing 7 changed files with 223 additions and 6 deletions.
43 changes: 38 additions & 5 deletions src/main/java/io/github/dgroup/arch4u/pmd/ObfuscationRequired.java
Expand Up @@ -69,21 +69,31 @@ public final class ObfuscationRequired extends AbstractJavaRule {
.build();

/**
* Property descriptor with the list of the prohibited methods.
* Property descriptor with the list of the prohibited classes.
*/
private static final PropertyDescriptor<List<String>> SENSITIVE =
private static final PropertyDescriptor<List<String>> CLASSES =
PropertyFactory.stringListProperty("sensitiveClasses")
.desc("List of prohibited methods")
.emptyDefaultValue()
.build();

/**
* Property descriptor with the list of the prohibited packages.
*/
private static final PropertyDescriptor<List<String>> PACKAGES =
PropertyFactory.stringListProperty("sensitivePackages")
.desc("List of prohibited packages")
.emptyDefaultValue()
.build();

/**
* Constructor for defining property descriptor.
*/
@SuppressWarnings("PMD.ConstructorOnlyInitializesOrCallOtherConstructors")
public ObfuscationRequired() {
this.definePropertyDescriptor(LOGGERS);
this.definePropertyDescriptor(SENSITIVE);
this.definePropertyDescriptor(CLASSES);
this.definePropertyDescriptor(PACKAGES);
}

@Override
Expand All @@ -93,7 +103,7 @@ public Object visit(final ASTVariableDeclaratorId vardecl, final Object data) {
final JavaNameOccurrence occurrence = (JavaNameOccurrence) usage;
getArguments(occurrence)
.stream()
.filter(this::isSensitiveData)
.filter(this::hasSensitiveData)
.forEach(arg -> this.addViolation(data, arg));
}
}
Expand Down Expand Up @@ -126,6 +136,16 @@ private static List<ASTExpression> getArguments(final JavaNameOccurrence occurre
.orElse(Collections.emptyList());
}

/**
* Checks if the argument is a class with sensitive data
* or if it contains in the prohibited package with such classes.
* @param argument Expression node, logger argument.
* @return True if there is sensitive data.
*/
private boolean hasSensitiveData(final ASTExpression argument) {
return this.isSensitiveData(argument) || this.isInProhibitedPackage(argument);
}

/**
* Checks if the object has sensitive data. In this case it's not allowed
* to log it without applying obfuscation.
Expand All @@ -140,7 +160,7 @@ private boolean isSensitiveData(final ASTExpression argument) {
} else {
node = argument;
}
return this.getProperty(SENSITIVE)
return this.getProperty(CLASSES)
.stream()
.anyMatch(clss -> TypeIsFunction.typeIs(node, clss));
}
Expand All @@ -160,4 +180,17 @@ private static boolean hasDirectToStringInvocation(final ASTExpression expressio
.isPresent();
}

/**
* Checks if the argument contains in the prohibited package.
* @param node Expression node, logger argument.
* @return True if the argument contains in the prohibited package.
*/
private boolean isInProhibitedPackage(final net.sourceforge.pmd.lang.java.ast.TypeNode node) {
final String fulltypename = Optional.ofNullable(node.getType())
.map(Class::getTypeName)
.orElse(null);
return fulltypename != null
&& this.getProperty(PACKAGES).stream().anyMatch(fulltypename::startsWith);
}

}
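Review bot: `isInProhibitedPackage` treats each configured package name as a bare string prefix (`fulltypename::startsWith` on its last line), so a `sensitivePackages` entry `a.b.secret` also flags types in `a.b.secretary` or a top-level class `a.b.secretly`; anchoring on the package separator, `.anyMatch(pkg -> fulltypename.startsWith(pkg + "."))`, keeps the subpackage semantics the new test expects without the over-match. It also takes the type of the argument expression as written, whereas `isSensitiveData` appears to unwrap a direct `toString()` invocation first (the `else { node = argument; }` branch and `hasDirectToStringInvocation` suggest this), so `logger.debug("{}", login.toString())` would most likely resolve to `String` and escape the package check that `hasSensitiveData` now ORs in; evaluating both checks against the same unwrapped `node` would close that gap, which matters because `toString()` is exactly how an unobfuscated entity ends up in a log line. The `desc("List of prohibited methods")` on the `sensitiveClasses` descriptor is still the old wording although its Javadoc now says classes. The class body continues outside the shown hunks.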
Expand Up @@ -121,6 +121,7 @@
|org.apache.log4j.Logger
|org.apache.logging.log4j.Logger"/>
<property name="sensitiveClasses" value="io.github.dgroup.arch4u.pmd.test_entity.Person"/>
<property name="sensitivePackages" value="io.github.dgroup.arch4u.pmd.test_entity.secret"/>
</properties>
<example>
<![CDATA[
@@ -0,0 +1,47 @@
/*
* MIT License
*
* Copyright (c) 2019-2022 Yurii Dubinka
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom
* the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
* OR OTHER DEALINGS IN THE SOFTWARE.
*/

package io.github.dgroup.arch4u.pmd.test_entity.secret;

/**
* Test entity with sensitive data.
* @see io.github.dgroup.arch4u.pmd.ObfuscationRequired
* @since 0.1.0
* @checkstyle MemberNameCheck (200 lines)
* @checkstyle DesignForExtensionCheck (200 lines)
* @checkstyle StringLiteralsConcatenationCheck (200 lines)
*/
public class Client {
/**
* Some test field.
*/
private String sensitiveData;

@Override
public String toString() {
return "Person{"
+ "sensitiveData='" + sensitiveData + '\''
+ '}';
}
}
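Review bot: `Client.toString()` at the end of the file renders the object as `"Person{"`, a leftover from the `Person` entity it was copied from; the rule's tests only look at the argument type so this is harmless, but `return "Client{"` keeps the fixture self-describing. `Login.toString()` in the next file carries the same leftover.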
@@ -0,0 +1,47 @@
/*
* MIT License
*
* Copyright (c) 2019-2022 Yurii Dubinka
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom
* the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
* OR OTHER DEALINGS IN THE SOFTWARE.
*/

package io.github.dgroup.arch4u.pmd.test_entity.secret.credentials;

/**
* Test entity with sensitive data in the subpackage.
* @see io.github.dgroup.arch4u.pmd.ObfuscationRequired
* @since 0.1.0
* @checkstyle MemberNameCheck (200 lines)
* @checkstyle DesignForExtensionCheck (200 lines)
* @checkstyle StringLiteralsConcatenationCheck (200 lines)
*/
public class Login {
/**
* Some test field.
*/
private String sensitiveData;

@Override
public String toString() {
return "Person{"
+ "sensitiveData='" + sensitiveData + '\''
+ '}';
}
}
@@ -0,0 +1,31 @@
/*
* MIT License
*
* Copyright (c) 2019-2022 Yurii Dubinka
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom
* the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
* OR OTHER DEALINGS IN THE SOFTWARE.
*/

/**
* Test entities for the {@link io.github.dgroup.arch4u.pmd} package.
*
* @author Oleksii Dykov ([email protected])
* @since 0.1.0
*/
package io.github.dgroup.arch4u.pmd.test_entity.secret.credentials;
@@ -0,0 +1,31 @@
/*
* MIT License
*
* Copyright (c) 2019-2022 Yurii Dubinka
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"),
* to deal in the Software without restriction, including without limitation
* the rights to use, copy, modify, merge, publish, distribute, sublicense,
* and/or sell copies of the Software, and to permit persons to whom
* the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
* ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
* OR OTHER DEALINGS IN THE SOFTWARE.
*/

/**
* Test enities for the {@link io.github.dgroup.arch4u.pmd} package.
*
* @author Oleksii Dykov ([email protected])
* @since 0.1.0
*/
package io.github.dgroup.arch4u.pmd.test_entity.secret;
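Review bot: The package Javadoc reads `Test enities` (typo for `entities`) and, like the one for `...secret.credentials`, describes the contents as belonging to `io.github.dgroup.arch4u.pmd` rather than saying what this package is for. `* Test entities placed in a package that the ObfuscationRequired sensitivePackages tests treat as prohibited.` would state the reason the package exists, and the `credentials` package-info could say the same for the subpackage case.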
Expand Up @@ -117,7 +117,34 @@ class Foo {
Logger logger = LoggerFactory.getLogger(Foo.class);
void bar(Person user) {
log.debug("User {} not authorized for operation {} ", this.obfuscation.apply(user), operation);
logger.debug("User {} not authorized for operation {} ", this.obfuscation.apply(user), operation);
}
}
]]></code>
</test-code>

<test-code>
<description>[BAD]: prohibited package and subpackage</description>
<rule-property name="loggerClasses">org.slf4j.Logger</rule-property>
<rule-property name="sensitiveClasses">java.lang.Integer</rule-property>
<rule-property name="sensitivePackages">io.github.dgroup.arch4u.pmd.test_entity.secret</rule-property>
<expected-problems>2</expected-problems>
<expected-linenumbers>10, 14</expected-linenumbers>
<code><![CDATA[
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import io.github.dgroup.arch4u.pmd.test_entity.Person;
import io.github.dgroup.arch4u.pmd.test_entity.secret.Client;
import io.github.dgroup.arch4u.pmd.test_entity.secret.credentials.Login; // subpackage
class Foo {
Logger logger = LoggerFactory.getLogger(Foo.class);
void bar(Client user, Login login, Person allowed) {
logger.debug("User {} not authorized for operation {} ", user, operation); // violation
logger.debug("User {} not authorized for operation {} ", allowed, operation); // Person is allowed
logger.debug("Login = {} ", login); // violation
}
}
]]></code>
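Review bot: The `expected-linenumbers` `10, 14` of the new test case do not line up with the snippet as shown, where the two `logger.debug` calls marked `// violation` (for `user` and `login`) are the 9th and 11th lines after `<![CDATA[`; if blank lines were dropped when the page was rendered this is fine, otherwise the expectation is off and the case will fail or pass on the wrong lines. The case also leaves both edges of the new package check untested: a type in a sibling package that merely shares the prefix (for example a constructed `...test_entity.secretary`) should not be flagged, and `logger.debug("Login = {} ", login.toString());` should still be flagged, since `toString()` is the usual way a sensitive entity reaches a log line. One `[GOOD]` and one `[BAD]` case for those would pin down the intended prefix semantics.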
