rspec/rules/S1989/java/rule.adoc

Even though the signatures for methods in a servlet include ``++throws IOException, ServletException++``, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state, possibly resulting in denial-of-service attacks, or the exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. And that information could be very valuable to an attacker. 


This rule checks all exceptions in methods named "do*" are explicitly handled in servlet classes.


== Noncompliant Code Example

[source,java]
----
public void doGet(HttpServletRequest request, HttpServletResponse response) 
  throws IOException, ServletException {
  String ip = request.getRemoteAddr();
  InetAddress addr = InetAddress.getByName(ip); // Noncompliant; getByName(String) throws UnknownHostException
  //...
}
----


== Compliant Solution

[source,java]
----
public void doGet(HttpServletRequest request, HttpServletResponse response) 
  throws IOException, ServletException {
  try {
    String ip = request.getRemoteAddr();
    InetAddress addr = InetAddress.getByName(ip);
    //...
  } 
  catch (UnknownHostException uhex) {
    //...
  }
}
----


== See

* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/600[MITRE, CWE-600] - Uncaught Exception in Servlet
* https://wiki.sei.cmu.edu/confluence/x/-zZGBQ[CERT, ERR01-J.] - Do not allow exceptions to expose sensitive information


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Even though the signatures for methods in a servlet include ``++throws IOException, ServletException++``, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state, possibly resulting in denial-of-service attacks, or the exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. And that information could be very valuable to an attacker.


			`This rule checks all exceptions in methods named "do*" are explicitly handled in servlet classes.`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`public void doGet(HttpServletRequest request, HttpServletResponse response)`
			`throws IOException, ServletException {`
			`String ip = request.getRemoteAddr();`
			`InetAddress addr = InetAddress.getByName(ip); // Noncompliant; getByName(String) throws UnknownHostException`
			`//...`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`public void doGet(HttpServletRequest request, HttpServletResponse response)`
			`throws IOException, ServletException {`
			`try {`
			`String ip = request.getRemoteAddr();`
			`InetAddress addr = InetAddress.getByName(ip);`
			`//...`
			`}`
			`catch (UnknownHostException uhex) {`
			`//...`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) * Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files 2022-04-07 08:53:59 -05:00			`* https://cwe.mitre.org/data/definitions/600[MITRE, CWE-600] - Uncaught Exception in Servlet`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`* https://wiki.sei.cmu.edu/confluence/x/-zZGBQ[CERT, ERR01-J.] - Do not allow exceptions to expose sensitive information`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00

Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`