93 lines
3.1 KiB
Plaintext
93 lines
3.1 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
include::../ask-yourself.adoc[]
|
||
|
|
|
||
|
|
include::../recommended.adoc[]
|
||
|
|
|
||
|
|
== Sensitive Code Example
|
||
|
|
|
||
|
|
Java servlet framework:
|
||
|
|
----
|
||
|
|
@Override
|
||
|
|
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||
|
|
resp.setHeader("Content-Type", "text/plain; charset=utf-8");
|
||
|
|
resp.setHeader("Access-Control-Allow-Origin", "*"); // Sensitive
|
||
|
|
resp.setHeader("Access-Control-Allow-Credentials", "true");
|
||
|
|
resp.setHeader("Access-Control-Allow-Methods", "GET");
|
||
|
|
resp.getWriter().write("response");
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
Spring MVC framework:
|
||
|
|
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]
|
||
|
|
----
|
||
|
|
@CrossOrigin // Sensitive
|
||
|
|
@RequestMapping("")
|
||
|
|
public class TestController {
|
||
|
|
public String home(ModelMap model) {
|
||
|
|
model.addAttribute("message", "ok ");
|
||
|
|
return "view";
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]
|
||
|
|
----
|
||
|
|
CorsConfiguration config = new CorsConfiguration();
|
||
|
|
config.addAllowedOrigin("*"); // Sensitive
|
||
|
|
config.applyPermitDefaultValues(); // Sensitive
|
||
|
|
----
|
||
|
|
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]
|
||
|
|
----
|
||
|
|
class Insecure implements WebMvcConfigurer {
|
||
|
|
@Override
|
||
|
|
public void addCorsMappings(CorsRegistry registry) {
|
||
|
|
registry.addMapping("/**")
|
||
|
|
.allowedOrigins("*"); // Sensitive
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
Java Servlet framework:
|
||
|
|
----
|
||
|
|
@Override
|
||
|
|
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
|
||
|
|
resp.setHeader("Content-Type", "text/plain; charset=utf-8");
|
||
|
|
resp.setHeader("Access-Control-Allow-Origin", "trustedwebsite.com"); // Compliant
|
||
|
|
resp.setHeader("Access-Control-Allow-Credentials", "true");
|
||
|
|
resp.setHeader("Access-Control-Allow-Methods", "GET");
|
||
|
|
resp.getWriter().write("response");
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
Spring MVC framework:
|
||
|
|
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]
|
||
|
|
----
|
||
|
|
@CrossOrigin("trustedwebsite.com") // Compliant
|
||
|
|
@RequestMapping("")
|
||
|
|
public class TestController {
|
||
|
|
public String home(ModelMap model) {
|
||
|
|
model.addAttribute("message", "ok ");
|
||
|
|
return "view";
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]
|
||
|
|
----
|
||
|
|
CorsConfiguration config = new CorsConfiguration();
|
||
|
|
config.addAllowedOrigin("http://domain2.com"); // Compliant
|
||
|
|
----
|
||
|
|
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]
|
||
|
|
----
|
||
|
|
class Safe implements WebMvcConfigurer {
|
||
|
|
@Override
|
||
|
|
public void addCorsMappings(CorsRegistry registry) {
|
||
|
|
registry.addMapping("/**")
|
||
|
|
.allowedOrigins("safe.com"); // Compliant
|
||
|
|
}
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|