rspec/rules/S6399/java/rule.adoc

include::../description.adoc[]


== Noncompliant Code Example

[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String xml = "<node id=\""+req.getParameter("id")+\"></node>";
  FileOutputStream fos = new FileOutputStream("output.xml");
  fos.write(xml.getBytes(Charset.forName("UTF-8")));  // Noncompliant
}
----

javax.xml.parsers.DocumentBuilder
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String xml = "<node id=\""+req.getParameter("id")+\"></node>";
  
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  DocumentBuilder builder = factory.newDocumentBuilder();
  Document doc = builder.parse(new InputSource(new StringReader(xml)));  // Noncompliant
}
----

== Compliant Solution

[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String id = req.getParameter("id");
  if(id.matches("^[A-Za-z0-9_]+$")) {
    String xml = "<node id=\""+id+\"></node>";
    FileOutputStream fos = new FileOutputStream("output.xml");
    fos.write(xml.getBytes(Charset.forName("UTF-8")));
  }
}
----

javax.xml.parsers.DocumentBuilder
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    String xml = "<node></node>;
  
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    DocumentBuilder builder = factory.newDocumentBuilder();
    Document doc = builder.parse(new InputSource(new StringReader(xml)));  // Noncompliant
    Element element = (Element) doc.getElementsByTagName("something").item(0);
    element.setAttribute("id", req.getParameter("id"));
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`include::../description.adoc[]`


			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
Modify multiple rules: fixing missing double quotes and other typos (#846) 2022-02-23 14:50:31 +01:00			`String xml = "<node id=\""+req.getParameter("id")+\"></node>";`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`FileOutputStream fos = new FileOutputStream("output.xml");`
			`fos.write(xml.getBytes(Charset.forName("UTF-8"))); // Noncompliant`
			`}`
			`----`

			`javax.xml.parsers.DocumentBuilder`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
Modify multiple rules: fixing missing double quotes and other typos (#846) 2022-02-23 14:50:31 +01:00			`String xml = "<node id=\""+req.getParameter("id")+\"></node>";`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00
			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`
			`DocumentBuilder builder = factory.newDocumentBuilder();`
			`Document doc = builder.parse(new InputSource(new StringReader(xml))); // Noncompliant`
			`}`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String id = req.getParameter("id");`
			`if(id.matches("^[A-Za-z0-9_]+$")) {`
Modify multiple rules: fixing missing double quotes and other typos (#846) 2022-02-23 14:50:31 +01:00			`String xml = "<node id=\""+id+\"></node>";`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`FileOutputStream fos = new FileOutputStream("output.xml");`
			`fos.write(xml.getBytes(Charset.forName("UTF-8")));`
			`}`
			`}`
			`----`

			`javax.xml.parsers.DocumentBuilder`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:25:13 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String xml = "<node></node>;`

			`DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`
			`DocumentBuilder builder = factory.newDocumentBuilder();`
			`Document doc = builder.parse(new InputSource(new StringReader(xml))); // Noncompliant`
			`Element element = (Element) doc.getElementsByTagName("something").item(0);`
			`element.setAttribute("id", req.getParameter("id"));`
			`}`
			`----`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

Modify multiple rules: fixing missing double quotes and other typos (#846) 2022-02-23 14:50:31 +01:00			`endif::env-github,rspecator-view[]`