momosecurity / momo-code-sec-inspector-java
IDEA static code security audit and one-click vulnerability fix plugin
License: Apache License 2.0
src\main\java\com\immomo\momosec\lang\java\rule\momosecurity\HardcodedCredentials.java
Line 136: the string-entropy comparison here should be "less than" to match reality better; otherwise even the admin_passwd in the test example is not detected, so the check is of little use. Conversely, those long, messy strings are generally taken to be encrypted, or not to be passwords at all.
IDEA version 2020.2
No response after installation; after refreshing, it shows as not installed.
Original code:
<when test="userNameList != null and userNameList != ''">
    and (createdBy in ${userNameList} or projectId IN ${id})
</when>
Code after auto-fix:
<when test="userNameList != null and userNameList != ''">
    and (createdBy in
    <foreach collection="userNameList" item="userNameListItem" open="(" separator="," close=")">
        #{userNameListItem}
    </foreach>
    or projectId IN
</when>
As you can see, projectId IN ${id} was not fixed correctly, and the closing ) was lost as well.
First kind:
import java.util.Properties;
// Assumed import: PropertyKeyConst from the Alibaba Cloud ONS client SDK (not shown in the original snippet).
import com.aliyun.openservices.ons.api.PropertyKeyConst;

public class ProducerTest {
    public static void main(String[] args) {
        Properties properties = new Properties();
        // AccessKey: Alibaba Cloud credential, obtained from the Alibaba Cloud user information management console
        properties.put(PropertyKeyConst.AccessKey, "L4534GH11FXqsEtyZfbchwuP");
        // SecretKey: Alibaba Cloud credential, obtained from the Alibaba Cloud user information management console
        properties.put(PropertyKeyConst.SecretKey, "SHF8WVOF11jSIaY5OnZ3KlAARRePdk");
    }
}
Second kind:
public static final String FORGET_PASSWORD = "password";
Neither of the two kinds above is detected. Is there any test code for these cases?
Problem description
How can FeedbackAspect and FeedbackService be made to take effect? After enabling the related code and the plugin.xml configuration, debugging with the runIde task under 2018.3 does not succeed. Guidance would be appreciated.
The project has quite a few features that are already finished, and I would like the plugin to scan them for security risks as well.
It would be great to have an active scan feature that scans every file in the project!
Thanks to the momo team for providing such a useful plugin!
The description is of the fastjson vulnerability, but line 30 contains the jackson vulnerability description, as follows:
As in the title: mp's condition wrapper appends ${ew.customSqlSegment} after the SQL. Could it be added to the whitelist?
Problem description
Using version 193.15, some of the MyBatis patterns in the test case are not detected.
Steps to reproduce
Tested with the 193.15 version of the plugin and the Vuln.xml file:
https://github.com/momosecurity/momo-code-sec-inspector-java/blob/2018.3/src/test/testData/lang/xml/rule/momosecurity/MybatisXmlSQLi/Vuln.xml
Problem screenshot
Software version
IDEA Community Edition 2019.2
Plugin version 193.15
IntelliJ IDEA 2019.2 (Community Edition)
Build #IC-192.5728.98, built on July 23, 2019
Runtime version: 11.0.3+12-b304.10 x86_64
VM: OpenJDK 64-Bit Server VM by JetBrains s.r.o
macOS 10.14
GC: ParNew, ConcurrentMarkSweep
Memory: 1981M
Cores: 8
Registry: debugger.watches.in.variables=false, git.explicit.commit.renames.prohibit.multiple.calls=false
Non-Bundled Plugins: FindBugs-IDEA, Jar Tool, com.dmitz.intellij.plugin.websocket.client, com.github.gtache.lsp, Momo Code Sec Inspector (Java), me.vukas.remote-debug, mobi.hsz.idea.gitignore, MavenRunHelper, Docker, aws.toolkit, org.sonarlint.idea, ru.basecode.ide.rest.plugin