rspec/rules/S4512/java/rule.adoc

Setting JavaBean properties is security sensitive. Doing it with untrusted values has led in the past to the following vulnerability:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]

JavaBeans can have their properties or nested properties set by population functions. An attacker can leverage this feature to push into the JavaBean malicious data that can compromise the software integrity. A typical attack will try to manipulate the ClassLoader and finally execute malicious code.


This rule raises an issue when:

* BeanUtils.populate(...) or BeanUtilsBean.populate(...) from http://commons.apache.org/proper/commons-beanutils/[Apache Commons BeanUtils] are called
* BeanUtils.setProperty(...) or BeanUtilsBean.setProperty(...) from http://commons.apache.org/proper/commons-beanutils/[Apache Commons BeanUtils] are called
* org.springframework.beans.BeanWrapper.setPropertyValue(...) or org.springframework.beans.BeanWrapper.setPropertyValues(...) from Spring is called


== Ask Yourself Whether

* the new property values might have been tampered with or provided by an untrusted source.
* sensitive properties can be modified, for example: ``++class.classLoader++``

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Sanitize all values used as JavaBean properties.


Don't set any sensitive properties. Keep full control over which properties are set. If the property names are provided by an unstrusted source, filter them with a whitelist.


== Sensitive Code Example

----
Company bean = new Company();
HashMap map = new HashMap();
Enumeration names = request.getParameterNames();
while (names.hasMoreElements()) {
    String name = (String) names.nextElement();
    map.put(name, request.getParameterValues(name));
}
BeanUtils.populate(bean, map); // Sensitive: "map" is populated with data coming from user input, here "request.getParameterNames()"
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* http://cwe.mitre.org/data/definitions/15.html[MITRE, CWE-15] - External Control of System or Configuration Setting
* https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BEAN_PROPERTY_INJECTION[BEAN_PROPERTY_INJECTION]


ifdef::env-github,rspecator-view[]
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`Setting JavaBean properties is security sensitive. Doing it with untrusted values has led in the past to the following vulnerability:`

			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114[CVE-2014-0114]`

			`JavaBeans can have their properties or nested properties set by population functions. An attacker can leverage this feature to push into the JavaBean malicious data that can compromise the software integrity. A typical attack will try to manipulate the ClassLoader and finally execute malicious code.`


			`This rule raises an issue when:`

			`* BeanUtils.populate(...) or BeanUtilsBean.populate(...) from http://commons.apache.org/proper/commons-beanutils/[Apache Commons BeanUtils] are called`
			`* BeanUtils.setProperty(...) or BeanUtilsBean.setProperty(...) from http://commons.apache.org/proper/commons-beanutils/[Apache Commons BeanUtils] are called`
			`* org.springframework.beans.BeanWrapper.setPropertyValue(...) or org.springframework.beans.BeanWrapper.setPropertyValues(...) from Spring is called`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Ask Yourself Whether`

			`* the new property values might have been tampered with or provided by an untrusted source.`
			* sensitive properties can be modified, for example: ``++class.classLoader++``

			`There is a risk if you answered yes to any of those questions.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Recommended Secure Coding Practices`

			`Sanitize all values used as JavaBean properties.`


			`Don't set any sensitive properties. Keep full control over which properties are set. If the property names are provided by an unstrusted source, filter them with a whitelist.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Sensitive Code Example`

			`----`
			`Company bean = new Company();`
			`HashMap map = new HashMap();`
			`Enumeration names = request.getParameterNames();`
			`while (names.hasMoreElements()) {`
			`String name = (String) names.nextElement();`
			`map.put(name, request.getParameterValues(name));`
			`}`
			`BeanUtils.populate(bean, map); // Sensitive: "map" is populated with data coming from user input, here "request.getParameterNames()"`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection`
			`* http://cwe.mitre.org/data/definitions/15.html[MITRE, CWE-15] - External Control of System or Configuration Setting`
			`* https://wiki.sei.cmu.edu/confluence/x/hDdGBQ[CERT, MSC61-J.] - Do not use insecure or weak cryptographic algorithms`
			`* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#BEAN_PROPERTY_INJECTION[BEAN_PROPERTY_INJECTION]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`