ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6399/java/rule.adoc

63 lines
1.9 KiB
Plaintext
Raw Normal View History

Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
2022-01-31 09:25:13 +01:00
include::../description.adoc[]
== Noncompliant Code Example
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,java]
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
2022-01-31 09:25:13 +01:00
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String xml = "<node id=\""+req.getParameter("id")+\"></node>;
FileOutputStream fos = new FileOutputStream("output.xml");
fos.write(xml.getBytes(Charset.forName("UTF-8"))); // Noncompliant
}
----
javax.xml.parsers.DocumentBuilder
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,java]
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
2022-01-31 09:25:13 +01:00
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String xml = "<node id=\""+req.getParameter("id")+\"></node>;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(xml))); // Noncompliant
}
----
== Compliant Solution
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,java]
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
2022-01-31 09:25:13 +01:00
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String id = req.getParameter("id");
if(id.matches("^[A-Za-z0-9_]+$")) {
String xml = "<node id=\""+id+\"></node>;
FileOutputStream fos = new FileOutputStream("output.xml");
fos.write(xml.getBytes(Charset.forName("UTF-8")));
}
}
----
javax.xml.parsers.DocumentBuilder
RULEAPI-661: Add syntax coloring
2022-02-04 17:28:24 +01:00
[source,java]
Create rule S6399[Java]: XML operations should not be vulnerable to injection attacks (#666) * Create rule S6399 * Apply review suggestions Co-authored-by: hendrik-buchwald-sonarsource <hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com>
2022-01-31 09:25:13 +01:00
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
String xml = "<node></node>;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(xml))); // Noncompliant
Element element = (Element) doc.getElementsByTagName("something").item(0);
element.setAttribute("id", req.getParameter("id"));
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue Copy Permalink