rspec/rules/S2089/java/comments-and-links.adoc

=== on 2 Oct 2014, 19:32:47 Nicolas Peru wrote:
This is slightly different than what we discussed, in my mind, this rule should detect calls to request.getHeader("referer"). So a compliant solution should not have this call at all.

=== on 3 Oct 2014, 14:07:20 Ann Campbell wrote:
\[~nicolas.peru] I'm assuming it's the code samples, rather than the description that you take issue with. Better now?

=== on 8 Oct 2014, 07:28:53 Nicolas Peru wrote:
Ok ! :) 

=== on 12 Dec 2014, 20:51:57 Sébastien Gioria wrote:
\[~nicolas.peru]: I disagree. You could have calls to request.getHeader("referer"); but you should never use the value returned to perform an authentication or autorization.


=== on 12 Dec 2014, 20:56:02 Nicolas Peru wrote:
\[~sebastien.gioria]I agree but how would you distiguish risky calls from correct one ? Idea here is to raise all calls to this method to let the security auditor mute the acceptable ones.

=== on 12 Dec 2014, 21:07:38 Sébastien Gioria wrote:
It the job of the security auditor ;) to distinguish it. If the idea is to trigger attention of the Security auditor, this could be OK. 

=== on 17 Feb 2021, 09:03:11 Eric Therond wrote:
This rule is not in SonarWay

we can safely deprecate it because taint analysis rules do a better job (referer header is a source) than this rule.
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 2 Oct 2014, 19:32:47 Nicolas Peru wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`This is slightly different than what we discussed, in my mind, this rule should detect calls to request.getHeader("referer"). So a compliant solution should not have this call at all.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 3 Oct 2014, 14:07:20 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~nicolas.peru] I'm assuming it's the code samples, rather than the description that you take issue with. Better now?`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 8 Oct 2014, 07:28:53 Nicolas Peru wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`Ok ! :)`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Dec 2014, 20:51:57 Sébastien Gioria wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~nicolas.peru]: I disagree. You could have calls to request.getHeader("referer"); but you should never use the value returned to perform an authentication or autorization.`



Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Dec 2014, 20:56:02 Nicolas Peru wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~sebastien.gioria]I agree but how would you distiguish risky calls from correct one ? Idea here is to raise all calls to this method to let the security auditor mute the acceptable ones.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 12 Dec 2014, 21:07:38 Sébastien Gioria wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`It the job of the security auditor ;) to distinguish it. If the idea is to trigger attention of the Security auditor, this could be OK.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 17 Feb 2021, 09:03:11 Eric Therond wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`This rule is not in SonarWay`

			`we can safely deprecate it because taint analysis rules do a better job (referer header is a source) than this rule.`