rspec/rules/S3749/java/rule.adoc

Spring ``++@Component++``, ``++@Controller++``, ``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring. That is, they should have one of these annotations: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.


Having non-injected members in one of these classes could indicate an attempt to manage state. Because they are singletons, such an attempt is almost guaranteed to eventually expose data from User1's session to User2. 


This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:

* ``++org.springframework.beans.factory.annotation.Autowired++``
* ``++org.springframework.beans.factory.annotation.Value++``
* ``++javax.annotation.Inject++``
* ``++javax.annotation.Resource++``


== Noncompliant Code Example

----
@Controller
public class HelloWorld {

  private String name = null;

  @RequestMapping("/greet", method = GET)
  public String greet(String greetee) {

    if (greetee != null) {
      this.name = greetee;
    }

    return "Hello " + this.name;  // if greetee is null, you see the previous user's data
  }
}
----


== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure


ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Spring ``++@Component++``, ``++@Controller++``, ``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring. That is, they should have one of these annotations: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.


			`Having non-injected members in one of these classes could indicate an attempt to manage state. Because they are singletons, such an attempt is almost guaranteed to eventually expose data from User1's session to User2.`


			This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:

			* ``++org.springframework.beans.factory.annotation.Autowired++``
			* ``++org.springframework.beans.factory.annotation.Value++``
			* ``++javax.annotation.Inject++``
			* ``++javax.annotation.Resource++``

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== Noncompliant Code Example`

			`----`
			`@Controller`
			`public class HelloWorld {`

			`private String name = null;`

			`@RequestMapping("/greet", method = GET)`
			`public String greet(String greetee) {`

			`if (greetee != null) {`
			`this.name = greetee;`
			`}`

			`return "Hello " + this.name; // if greetee is null, you see the previous user's data`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`== See`

			`* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`