rspec/rules/S5304/java/rule.adoc

Using environment variables is security-sensitive. For example, their use has led in the past to the following vulnerabilities:

* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278[CVE-2014-6278]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3464[CVE-2019-3464]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000402[CVE-2018-1000402]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10530[CVE-2016-10530]

Environment variables  are sensitive to injection attacks, just like any other input.


Note also that environment variables can be exposed in multiple ways, storing sensitive information in them should be done carefully:

* on Unix systems environment variables of one process can be read by another process running with the same UID.
* environment variables https://docs.oracle.com/javase/tutorial/essential/environment/env.html[might be forwarded to child processes].
* application running in debug mode often exposes their environment variable.

This rule raises an issue when environment variables are read.


== Ask Yourself Whether

* Environment variables are used without being sanitized.
* You store sensitive information in environment variables and other processes might be able to access them.

You are at risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

Sanitize every environment variable before using its value.


If you store sensitive information in an environment variable, make sure that no other process can access them, i.e. the process runs with a separate user account and child processes don't have access to their parent's environment.


Don't run your application in debug mode if it has access to sensitive information, including environment variables.


== Sensitive Code Example

----
public class Main {
    public static void main (String[] args) {
        System.getenv();  // Sensitive
        System.getenv("myvar");  // Sensitive

        ProcessBuilder processBuilder = new ProcessBuilder();
        Map<String, String> environment = processBuilder.environment();  // Sensitive
        environment.put("VAR", "value");

        Runtime.getRuntime().exec("ping", new String[]{"env=val"});   // Sensitive
    }
}
----

== See

* CWE - https://cwe.mitre.org/data/definitions/526[CWE-526 - Information Exposure Through Environmental Variables]
* CWE - https://cwe.mitre.org/data/definitions/74[CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure that environment variables are used safely here


'''
== Comments And Links
(visible only on this page)

=== on 27 May 2020, 16:41:25 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity

endif::env-github,rspecator-view[]
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00			`Using environment variables is security-sensitive. For example, their use has led in the past to the following vulnerabilities:`

			`* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278[CVE-2014-6278]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3464[CVE-2019-3464]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000402[CVE-2018-1000402]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10530[CVE-2016-10530]`

			`Environment variables are sensitive to injection attacks, just like any other input.`


			`Note also that environment variables can be exposed in multiple ways, storing sensitive information in them should be done carefully:`

			`* on Unix systems environment variables of one process can be read by another process running with the same UID.`
			`* environment variables https://docs.oracle.com/javase/tutorial/essential/environment/env.html[might be forwarded to child processes].`
			`* application running in debug mode often exposes their environment variable.`

			`This rule raises an issue when environment variables are read.`


			`== Ask Yourself Whether`

			`* Environment variables are used without being sanitized.`
			`* You store sensitive information in environment variables and other processes might be able to access them.`

			`You are at risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`Sanitize every environment variable before using its value.`


			`If you store sensitive information in an environment variable, make sure that no other process can access them, i.e. the process runs with a separate user account and child processes don't have access to their parent's environment.`


			`Don't run your application in debug mode if it has access to sensitive information, including environment variables.`

Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Sensitive Code Example`

			`----`
			`public class Main {`
			`public static void main (String[] args) {`
			`System.getenv(); // Sensitive`
			`System.getenv("myvar"); // Sensitive`

			`ProcessBuilder processBuilder = new ProcessBuilder();`
			`Map<String, String> environment = processBuilder.environment(); // Sensitive`
			`environment.put("VAR", "value");`

			`Runtime.getRuntime().exec("ping", new String[]{"env=val"}); // Sensitive`
			`}`
			`}`
			`----`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/526[CWE-526 - Information Exposure Through Environmental Variables]`
			`* CWE - https://cwe.mitre.org/data/definitions/74[CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure that environment variables are used safely here`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 27 May 2020, 16:41:25 Eric Therond wrote:`
			`Deprecated because it overlaps with SonarSecurity`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`