
检查Maven项目中ibatis的SQL注入的maven插件

记录下:

CheckMojo.java

package com.neeao.security.ibatis_sql_injection_check;
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.apache.commons.io.FileUtils;
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;

/**
 * @author Neeao
 * @goal check
 * @phase prepare-package
 */
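public class CheckMojo extends AbstractMojo {
	/** Name suffix of the mapper files that are inspected (compared case-insensitively). */
	private static final String XML_SUFFIX = ".xml";

	/**
	 * Character encoding used to read the mapper files. Fixed so that the scan
	 * does not depend on the platform default of the build machine.
	 */
	private static final String ENCODING = "UTF-8";

	/**
	 * Directory holding the web resource files; the iBATIS mapper XML files are
	 * searched for below it.
	 * 
	 * @parameter expression="${basedir}/src/main/resources"
	 */
	private File resourcesDirectory;

	/**
	 * Entry point of the {@code check} goal: walks {@link #resourcesDirectory}
	 * recursively and reports every line of every {@code .xml} file that
	 * contains a {@code $} character (the iBATIS {@code $name$} substitution
	 * marker). Findings are logged only; the build is not failed by this goal.
	 *
	 * @throws MojoExecutionException not raised by this implementation; declared
	 *         by the Mojo contract
	 */
	public void execute() throws MojoExecutionException {
		getLog().info("start sql injection check...");

		File resourcesDir = resourcesDirectory;
		// The parameter may be unset, or point at something that is not a
		// directory; say so explicitly rather than scanning nothing in silence.
		if (resourcesDir == null || !resourcesDir.isDirectory()) {
			getLog().warn("resources directory missing or not a directory, nothing checked: " + resourcesDir);
			return;
		}
		getLog().info("Find ibatis xml file...");
		findFiles(resourcesDir);
	}

	/**
	 * Recursively scans {@code dir}: every regular file whose name ends with
	 * {@code .xml} is checked, every sub-directory is descended into.
	 *
	 * @param dir directory to scan
	 */
	private void findFiles(File dir) {
		File[] files = dir.listFiles();
		// listFiles() returns null when dir is not a directory or cannot be read
		if (files == null) {
			getLog().warn("cannot list directory: " + dir.getAbsolutePath());
			return;
		}
		for (File f : files) {
			if (f.isFile() && f.getName().toLowerCase(Locale.ROOT).endsWith(XML_SUFFIX)) {
				getLog().info("find xml file:" + f.getAbsolutePath());
				checkFile(f.getAbsolutePath());
			} else if (f.isDirectory()) {
				findFiles(f);
			}
		}
	}

	/**
	 * Reads {@code filename} line by line and logs, at error level, every line
	 * that contains a {@code $} character.
	 * <p>
	 * iBATIS pastes a {@code $name$} placeholder verbatim into the SQL text,
	 * whereas {@code #name#} becomes a bound parameter, so {@code $} marks a
	 * potential SQL injection. The test is deliberately coarse (any {@code $},
	 * including ones inside comments) so that a suspicious line is not missed;
	 * every reported line still needs manual review.
	 *
	 * @param filename absolute path of the XML file to check
	 */
	private void checkFile(String filename) {
		List<String> content;
		try {
			content = FileUtils.readLines(new File(filename), ENCODING);
		} catch (IOException e) {
			// Report through the Maven log so the failure is visible in the
			// build output instead of being lost on stderr.
			getLog().error("cannot read " + filename, e);
			return;
		}
		int lineNumber = 1;
		for (String line : content) {
			if (line.contains("$")) {
				getLog().error(filename + ",line:" + lineNumber + "," + line);
			}
			lineNumber++;
		}
	}

	/**
	 * @return the directory below which mapper XML files are searched
	 */
	public File getResourcesDirectory() {
		return resourcesDirectory;
	}

	/**
	 * @param resourcesDirectory the directory below which mapper XML files are searched
	 */
	public void setResourcesDirectory(File resourcesDirectory) {
		this.resourcesDirectory = resourcesDirectory;
	}
}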
pom.xml文件:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>
	<groupId>com.neeao.security</groupId>
	<artifactId>sql--injection-check</artifactId>
	<packaging>maven-plugin</packaging>
	<version>1.0</version>
	<name>sql-injection-check Maven Mojo</name>
	<url>http://maven.apache.org</url>
	<dependencies>
		<dependency>
			<groupId>org.apache.maven</groupId>
			<artifactId>maven-plugin-api</artifactId>
			<version>2.0</version>
		</dependency>
		<dependency>
			<groupId>commons-io</groupId>
			<artifactId>commons-io</artifactId>
			<version>2.4</version>
		</dependency>
	</dependencies>
</project>

 

test方法:

 

mvn clean

mvn package

mvn install

 

D:\workspace\ibatis-sql-injection-check>mvn com.neeao.security:sql--injection-ch
eck:1.0:check
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building sql-injection-check Maven Mojo 1.0
[INFO] ------------------------------------------------------------------------
[INFO]
[INFO] --- sql--injection-check:1.0:check (default-cli) @ sql--injection-check -
--
[INFO] start sql injection check...
[INFO] Find ibatis xml file...
[INFO] find xml file:D:\workspace\ibatis-sql-injection-check\src\main\resources\
NewFile.xml
[ERROR] D:\workspace\ibatis-sql-injection-check\src\main\resources\NewFile.xml,l
ine:3,      name like '%$name$%'
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.196s
[INFO] Finished at: Tue Nov 27 23:59:25 CST 2012
[INFO] Final Memory: 2M/15M
[INFO] ------------------------------------------------------------------------