rspec/rules/S6398/java/rule.adoc

include::../description.adoc[]


== Noncompliant Code Example

[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  FileOutputStream fos = new FileOutputStream("output.json");
  fos.write(json.getBytes(Charset.forName("UTF-8")));  // Noncompliant
}
----

https://github.com/google/gson[google/gson]
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  Gson gson = new Gson();
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  Object object = gson.fromJson(json, Object.class); // Noncompliant
}
----

https://github.com/FasterXML/jackson[FasterXML/jackson]
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  ObjectMapper mapper = new ObjectMapper();
  JsonFactory jsonFactory = mapper.getFactory();
  JsonGenerator generator = jsonFactory.createGenerator(System.out);

  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  generator.writeRaw(json); // Noncompliant
  generator.close();
}
----

https://github.com/stleary/JSON-java[stleary/JSON-java] (org.json)
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String json = "{\"key\":\""+req.getParameter("value")+"\"}";
  JSONObject jo = new JSONObject(json); // Noncompliant
}
----

== Compliant Solution

[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  String value = req.getParameter("value");
  if(value.matches("^[A-Za-z0-9_]+$")) {
    String json = "{\"key\":\""+value+"\"}";
    FileOutputStream fos = new FileOutputStream("output.json");
    fos.write(json.getBytes(Charset.forName("UTF-8")));
  }
}
----

https://github.com/google/gson[google/gson]
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  Gson gson = new Gson();
  JsonObject json = new JsonObject();
  json.addProperty("key", req.getParameter("value"));
  Object object = gson.fromJson(json, Object.class);
}
----

https://github.com/FasterXML/jackson[FasterXML/jackson]
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  ObjectMapper mapper = new ObjectMapper();
  JsonFactory jsonFactory = mapper.getFactory();
  JsonGenerator generator = jsonFactory.createGenerator(System.out);

  generator.writeStartObject();
  enerator.writeFieldName("key");
  generator.writeString(req.getParameter("value"));
  generator.close();
}
----

https://github.com/stleary/JSON-java[stleary/JSON-java] (org.json)
[source,java]
----
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  JSONObject jo = new JSONObject();
  jo.append("key", req.getParameter("value"));
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

endif::env-github,rspecator-view[]
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`include::../description.adoc[]`


			`== Noncompliant Code Example`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String json = "{\"key\":\""+req.getParameter("value")+"\"}";`
			`FileOutputStream fos = new FileOutputStream("output.json");`
			`fos.write(json.getBytes(Charset.forName("UTF-8"))); // Noncompliant`
			`}`
			`----`

			`https://github.com/google/gson[google/gson]`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`Gson gson = new Gson();`
			`String json = "{\"key\":\""+req.getParameter("value")+"\"}";`
			`Object object = gson.fromJson(json, Object.class); // Noncompliant`
			`}`
			`----`

			`https://github.com/FasterXML/jackson[FasterXML/jackson]`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`ObjectMapper mapper = new ObjectMapper();`
			`JsonFactory jsonFactory = mapper.getFactory();`
			`JsonGenerator generator = jsonFactory.createGenerator(System.out);`

			`String json = "{\"key\":\""+req.getParameter("value")+"\"}";`
			`generator.writeRaw(json); // Noncompliant`
			`generator.close();`
			`}`
			`----`

			`https://github.com/stleary/JSON-java[stleary/JSON-java] (org.json)`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String json = "{\"key\":\""+req.getParameter("value")+"\"}";`
			`JSONObject jo = new JSONObject(json); // Noncompliant`
			`}`
			`----`

			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`String value = req.getParameter("value");`
			`if(value.matches("^[A-Za-z0-9_]+$")) {`
			`String json = "{\"key\":\""+value+"\"}";`
			`FileOutputStream fos = new FileOutputStream("output.json");`
			`fos.write(json.getBytes(Charset.forName("UTF-8")));`
			`}`
			`}`
			`----`

			`https://github.com/google/gson[google/gson]`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`Gson gson = new Gson();`
			`JsonObject json = new JsonObject();`
			`json.addProperty("key", req.getParameter("value"));`
			`Object object = gson.fromJson(json, Object.class);`
			`}`
			`----`

			`https://github.com/FasterXML/jackson[FasterXML/jackson]`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`ObjectMapper mapper = new ObjectMapper();`
			`JsonFactory jsonFactory = mapper.getFactory();`
			`JsonGenerator generator = jsonFactory.createGenerator(System.out);`

			`generator.writeStartObject();`
			`enerator.writeFieldName("key");`
			`generator.writeString(req.getParameter("value"));`
			`generator.close();`
			`}`
			`----`

			`https://github.com/stleary/JSON-java[stleary/JSON-java] (org.json)`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Create rule S6398[Java]: JSON operations should not be vulnerable to injection attacks (#656) * Create rule S6398 * Apply review suggestions Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Roberto Orlandi <71495874+roberto-orlandi-sonarsource@users.noreply.github.com> 2022-01-31 09:40:36 +01:00			`----`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {`
			`JSONObject jo = new JSONObject();`
			`jo.append("key", req.getParameter("value"));`
			`}`
			`----`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`endif::env-github,rspecator-view[]`