rspec/rules/S5122/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Java servlet framework:

[source,java]
----
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setHeader("Content-Type", "text/plain; charset=utf-8");
    resp.setHeader("Access-Control-Allow-Origin", "*"); // Sensitive
    resp.setHeader("Access-Control-Allow-Credentials", "true"); 
    resp.setHeader("Access-Control-Allow-Methods", "GET"); 
    resp.getWriter().write("response");
}
----

Spring MVC framework:

* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]

[source,java]
----
@CrossOrigin // Sensitive
@RequestMapping("")
public class TestController {
    public String home(ModelMap model) {
        model.addAttribute("message", "ok ");
        return "view";
    }
}
----

* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]

[source,java]
----
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("*"); // Sensitive
config.applyPermitDefaultValues(); // Sensitive
----

* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]

[source,java]
----
class Insecure implements WebMvcConfigurer {
  @Override
  public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
      .allowedOrigins("*"); // Sensitive
  }
}
----

User-controlled origin:

[source,java]
----
public ResponseEntity<String> userControlledOrigin(@RequestHeader("Origin") String origin) {
  HttpHeaders responseHeaders = new HttpHeaders();
  responseHeaders.add("Access-Control-Allow-Origin", origin); // Sensitive

  return new ResponseEntity<>("content", responseHeaders, HttpStatus.CREATED);
}
----

== Compliant Solution

Java Servlet framework:

[source,java]
----
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setHeader("Content-Type", "text/plain; charset=utf-8");
    resp.setHeader("Access-Control-Allow-Origin", "trustedwebsite.com"); // Compliant
    resp.setHeader("Access-Control-Allow-Credentials", "true"); 
    resp.setHeader("Access-Control-Allow-Methods", "GET"); 
    resp.getWriter().write("response");
}
----

Spring MVC framework:

* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]

[source,java]
----
@CrossOrigin("trustedwebsite.com") // Compliant
@RequestMapping("")
public class TestController {
    public String home(ModelMap model) {
        model.addAttribute("message", "ok ");
        return "view";
    }
}
----

* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]

[source,java]
----
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("http://domain2.com"); // Compliant
----

* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]

[source,java]
----
class Safe implements WebMvcConfigurer {
  @Override
  public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
      .allowedOrigins("safe.com"); // Compliant
  }
}
----

User-controlled origin validated with an allow-list:

[source,java]
----
public ResponseEntity<String> userControlledOrigin(@RequestHeader("Origin") String origin) {
  HttpHeaders responseHeaders = new HttpHeaders();
  if (trustedOrigins.contains(origin)) {
    responseHeaders.add("Access-Control-Allow-Origin", origin);
  }

  return new ResponseEntity<>("content", responseHeaders, HttpStatus.CREATED);
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

=== on 13 Jan 2019, 22:57:44 Lars Svensson wrote:
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

https://spring.io/blog/2015/06/08/cors-support-in-spring-framework

https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/cors.html


include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`Java servlet framework:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@Override`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {`
			`resp.setHeader("Content-Type", "text/plain; charset=utf-8");`
			`resp.setHeader("Access-Control-Allow-Origin", "*"); // Sensitive`
			`resp.setHeader("Access-Control-Allow-Credentials", "true");`
			`resp.setHeader("Access-Control-Allow-Methods", "GET");`
			`resp.getWriter().write("response");`
			`}`
			`----`

			`Spring MVC framework:`
Force linebreaks 2021-02-02 15:02:10 +01:00
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@CrossOrigin // Sensitive`
			`@RequestMapping("")`
			`public class TestController {`
			`public String home(ModelMap model) {`
			`model.addAttribute("message", "ok ");`
			`return "view";`
			`}`
			`}`
			`----`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]`

			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`CorsConfiguration config = new CorsConfiguration();`
			`config.addAllowedOrigin("*"); // Sensitive`
			`config.applyPermitDefaultValues(); // Sensitive`
			`----`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]`

			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`class Insecure implements WebMvcConfigurer {`
			`@Override`
			`public void addCorsMappings(CorsRegistry registry) {`
			`registry.addMapping("/**")`
			`.allowedOrigins("*"); // Sensitive`
			`}`
			`}`
			`----`

Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`User-controlled origin:`

			`[source,java]`
			`----`
			`public ResponseEntity<String> userControlledOrigin(@RequestHeader("Origin") String origin) {`
			`HttpHeaders responseHeaders = new HttpHeaders();`
			`responseHeaders.add("Access-Control-Allow-Origin", origin); // Sensitive`

			`return new ResponseEntity<>("content", responseHeaders, HttpStatus.CREATED);`
			`}`
			`----`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`== Compliant Solution`

			`Java Servlet framework:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@Override`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {`
			`resp.setHeader("Content-Type", "text/plain; charset=utf-8");`
			`resp.setHeader("Access-Control-Allow-Origin", "trustedwebsite.com"); // Compliant`
			`resp.setHeader("Access-Control-Allow-Credentials", "true");`
			`resp.setHeader("Access-Control-Allow-Methods", "GET");`
			`resp.getWriter().write("response");`
			`}`
			`----`

			`Spring MVC framework:`
Force linebreaks 2021-02-02 15:02:10 +01:00
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@CrossOrigin("trustedwebsite.com") // Compliant`
			`@RequestMapping("")`
			`public class TestController {`
			`public String home(ModelMap model) {`
			`model.addAttribute("message", "ok ");`
			`return "view";`
			`}`
			`}`
			`----`
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00
			`* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`CorsConfiguration config = new CorsConfiguration();`
			`config.addAllowedOrigin("http://domain2.com"); // Compliant`
			`----`
Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00
			`* https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`class Safe implements WebMvcConfigurer {`
			`@Override`
			`public void addCorsMappings(CorsRegistry registry) {`
			`registry.addMapping("/**")`
			`.allowedOrigins("safe.com"); // Compliant`
			`}`
			`}`
			`----`

Update rule S5122 [java/js] taint/user-controlled code examples (#291) 2022-04-05 14:46:33 +02:00			`User-controlled origin validated with an allow-list:`

			`[source,java]`
			`----`
			`public ResponseEntity<String> userControlledOrigin(@RequestHeader("Origin") String origin) {`
			`HttpHeaders responseHeaders = new HttpHeaders();`
			`if (trustedOrigins.contains(origin)) {`
			`responseHeaders.add("Access-Control-Allow-Origin", origin);`
			`}`

			`return new ResponseEntity<>("content", responseHeaders, HttpStatus.CREATED);`
			`}`
			`----`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 13 Jan 2019, 22:57:44 Lars Svensson wrote:`
			`https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter`

			`https://spring.io/blog/2015/06/08/cors-support-in-spring-framework`

			`https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/cors.html`



			`include::../comments-and-links.adoc[]`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`