rspec/rules/S2608/rule.adoc

Cookie values and the contents of form fields - both visible _and_ hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs. 


This rule logs an issue whenever form fields and cookie values are accessed.


== Noncompliant Code Example

[source,text]
----
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
  Cookie [] cookies = request.getCookies(); // Noncompliant
  String hiddenValue = request.getParameter("hiddenField"); // Noncompliant
  Map<String,String[]> params = request.getParameterMap(); // Noncompliant
  String [] hiddenFieldValues = reqeust.getParameterValues("hiddenArray");  // Noncompliant
----


== See

* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A4] - Insecure Design
* https://cwe.mitre.org/data/definitions/807.html[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
Revert "RULEAPI-609 Support superseded rules" 2021-06-21 07:49:05 +02:00			`Cookie values and the contents of form fields - both visible _and_ hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs.`
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00			`This rule logs an issue whenever form fields and cookie values are accessed.`


			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,text]`
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00			`----`
			`public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {`
			`Cookie [] cookies = request.getCookies(); // Noncompliant`
			`String hiddenValue = request.getParameter("hiddenField"); // Noncompliant`
			`Map<String,String[]> params = request.getParameterMap(); // Noncompliant`
			`String [] hiddenFieldValues = reqeust.getParameterValues("hiddenArray"); // Noncompliant`
			`----`


			`== See`

RULEAPI-709: Security rules are mapped to the OWASP Top 10 2021 security-standard (#545) 2021-11-01 15:00:32 +01:00			`* https://owasp.org/Top10/A03_2021-Injection/[OWASP Top 10 2021 Category A4] - Insecure Design`
Update CWE mapping (#534) 2021-10-28 10:07:16 +02:00			`* https://cwe.mitre.org/data/definitions/807.html[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision`
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00			`* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses`