rspec/rules/S4507/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

``++Throwable.printStackTrace(...)++`` prints a Throwable and its stack trace to ``++System.Err++`` (by default) which is not easily parseable and can expose sensitive information:

[source,java]
----
try {
  /* ... */
} catch(Exception e) {
  e.printStackTrace(); // Sensitive 
}
----

https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html[EnableWebSecurity] annotation for SpringFramework with ``++debug++`` to ``++true++`` enables debugging support:

[source,java]
----
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity(debug = true) // Sensitive 
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}
----

https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:

[source,java]
----
import android.webkit.WebView;

WebView.setWebContentsDebuggingEnabled(true); // Sensitive
WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(true); // Sensitive
----

== Compliant Solution

Loggers should be used (instead of  ``++printStackTrace++``) to print throwables:

[source,java]
----
try {
  /* ... */
} catch(Exception e) {
  LOGGER.log("context", e);
}
----

https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html[EnableWebSecurity] annotation for SpringFramework with ``++debug++`` to ``++false++`` disables debugging support:

[source,java]
----
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@Configuration
@EnableWebSecurity(debug = false)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}
----

https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:
[source,java]
----
import android.webkit.WebView;

WebView.setWebContentsDebuggingEnabled(false);
WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(false);
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

debug = true

printStackTrace


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			``++Throwable.printStackTrace(...)++`` prints a Throwable and its stack trace to ``++System.Err++`` (by default) which is not easily parseable and can expose sensitive information:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Modify multiple rules: Clean up texts of MMF-2503 (#1497) 2023-01-09 15:29:41 +01:00			`[source,java]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`try {`
			`/* ... */`
			`} catch(Exception e) {`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`e.printStackTrace(); // Sensitive`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`}`
			`----`

Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html[EnableWebSecurity] annotation for SpringFramework with ``++debug++`` to ``++true++`` enables debugging support:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Modify multiple rules: Clean up texts of MMF-2503 (#1497) 2023-01-09 15:29:41 +01:00			`[source,java]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`import org.springframework.context.annotation.Configuration;`
			`import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;`

			`@Configuration`
			`@EnableWebSecurity(debug = true) // Sensitive`
			`public class WebSecurityConfig extends WebSecurityConfigurerAdapter {`
			`// ...`
			`}`
			`----`

Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:`
Modify multiple rules: Clean up texts of MMF-2503 (#1497) 2023-01-09 15:29:41 +01:00
			`[source,java]`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`----`
			`import android.webkit.WebView;`

			`WebView.setWebContentsDebuggingEnabled(true); // Sensitive`
Modify Rule S4507[java]: update sensitive code example with Statics.setWebContentsDebuggingEnabled (#480) 2021-10-12 17:12:55 +02:00			`WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(true); // Sensitive`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`----`

Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`== Compliant Solution`

make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			Loggers should be used (instead of ``++printStackTrace++``) to print throwables:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`try {`
			`/* ... */`
			`} catch(Exception e) {`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`LOGGER.log("context", e);`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`}`
			`----`

Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html[EnableWebSecurity] annotation for SpringFramework with ``++debug++`` to ``++false++`` disables debugging support:
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`import org.springframework.context.annotation.Configuration;`
			`import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;`

			`@Configuration`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`@EnableWebSecurity(debug = false)`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`public class WebSecurityConfig extends WebSecurityConfigurerAdapter {`
			`// ...`
			`}`
			`----`

Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`----`
			`import android.webkit.WebView;`

			`WebView.setWebContentsDebuggingEnabled(false);`
Modify Rule S4507[java]: update sensitive code example with Statics.setWebContentsDebuggingEnabled (#480) 2021-10-12 17:12:55 +02:00			`WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(false);`
Modify rule S4507: Add Java/Kotlin examples for WebView (#428) 2021-10-12 09:06:49 +02:00			`----`

Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Highlighting`

			`debug = true`

			`printStackTrace`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`