rspec/rules/S3318/rule.adoc

Data in a web session is considered inside the "trust boundary". That is, it is assumed to be trustworthy. But storing unvetted data from an unauthenticated user violates the trust boundary, and may lead to that data being used inappropriately.


This rule raises an issue when data from ``++Cookie++``s or ``++HttpServletRequest++``s is stored in a session. 


== Noncompliant Code Example

----
login = request.getParameter("login");
session.setAttribute("login", login);  // Noncompliant
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* http://cwe.mitre.org/data/definitions/501[MITRE, CWE-501] - Trust Boundary Violation
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00			`Data in a web session is considered inside the "trust boundary". That is, it is assumed to be trustworthy. But storing unvetted data from an unauthenticated user violates the trust boundary, and may lead to that data being used inappropriately.`

Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule raises an issue when data from ``++Cookie++``s or ``++HttpServletRequest++``s is stored in a session.
Add rules based on targeted languages and remove the empty one 2020-06-30 16:59:06 +02:00

			`== Noncompliant Code Example`

			`----`
			`login = request.getParameter("login");`
			`session.setAttribute("login", login); // Noncompliant`
			`----`


			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
			`* http://cwe.mitre.org/data/definitions/501[MITRE, CWE-501] - Trust Boundary Violation`