rspec/rules/S4529/java/rule.adoc

Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]

HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).


This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.

In the case of the Spring framework, methods of a ``++@Controller++`` object annotated with ``++@RequestMapping++`` (or all its variants such as ``++@GetMapping++``, ``++@PostMapping++``, ``++@PutMapping++``, ``++@PatchMapping++`` and ``++@DeleteMapping++``) are declaring HTTP endpoints.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,java]
----
@RequestMapping(path = "/profile", method = RequestMethod.GET) // Noncompliant
public UserProfile getUserProfile(String name) {
...
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

The method annotated with @RequestMapping


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]`

			`HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.`
Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			In the case of the Spring framework, methods of a ``++@Controller++`` object annotated with ``++@RequestMapping++`` (or all its variants such as ``++@GetMapping++``, ``++@PostMapping++``, ``++@PutMapping++``, ``++@PatchMapping++`` and ``++@DeleteMapping++``) are declaring HTTP endpoints.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Sensitive Code Example`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`----`
			`@RequestMapping(path = "/profile", method = RequestMethod.GET) // Noncompliant`
			`public UserProfile getUserProfile(String name) {`
			`...`
			`}`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Highlighting`

			`The method annotated with @RequestMapping`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`