rspec/rules/S5122/java/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

Java servlet framework:

----
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setHeader("Content-Type", "text/plain; charset=utf-8");
    resp.setHeader("Access-Control-Allow-Origin", "*"); // Sensitive
    resp.setHeader("Access-Control-Allow-Credentials", "true"); 
    resp.setHeader("Access-Control-Allow-Methods", "GET"); 
    resp.getWriter().write("response");
}
----

Spring MVC framework:

https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]

----
@CrossOrigin // Sensitive
@RequestMapping("")
public class TestController {
    public String home(ModelMap model) {
        model.addAttribute("message", "ok ");
        return "view";
    }
}
----
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]

----
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("*"); // Sensitive
config.applyPermitDefaultValues(); // Sensitive
----
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]

----
class Insecure implements WebMvcConfigurer {
  @Override
  public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
      .allowedOrigins("*"); // Sensitive
  }
}
----

== Compliant Solution

Java Servlet framework:

----
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    resp.setHeader("Content-Type", "text/plain; charset=utf-8");
    resp.setHeader("Access-Control-Allow-Origin", "trustedwebsite.com"); // Compliant
    resp.setHeader("Access-Control-Allow-Credentials", "true"); 
    resp.setHeader("Access-Control-Allow-Methods", "GET"); 
    resp.getWriter().write("response");
}
----

Spring MVC framework:

https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]

----
@CrossOrigin("trustedwebsite.com") // Compliant
@RequestMapping("")
public class TestController {
    public String home(ModelMap model) {
        model.addAttribute("message", "ok ");
        return "view";
    }
}
----
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]

----
CorsConfiguration config = new CorsConfiguration();
config.addAllowedOrigin("http://domain2.com"); // Compliant
----
https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]

----
class Safe implements WebMvcConfigurer {
  @Override
  public void addCorsMappings(CorsRegistry registry) {
    registry.addMapping("/**")
      .allowedOrigins("safe.com"); // Compliant
  }
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`Java servlet framework:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@Override`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {`
			`resp.setHeader("Content-Type", "text/plain; charset=utf-8");`
			`resp.setHeader("Access-Control-Allow-Origin", "*"); // Sensitive`
			`resp.setHeader("Access-Control-Allow-Credentials", "true");`
			`resp.setHeader("Access-Control-Allow-Methods", "GET");`
			`resp.getWriter().write("response");`
			`}`
			`----`

			`Spring MVC framework:`
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@CrossOrigin // Sensitive`
			`@RequestMapping("")`
			`public class TestController {`
			`public String home(ModelMap model) {`
			`model.addAttribute("message", "ok ");`
			`return "view";`
			`}`
			`}`
			`----`
			`https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`CorsConfiguration config = new CorsConfiguration();`
			`config.addAllowedOrigin("*"); // Sensitive`
			`config.applyPermitDefaultValues(); // Sensitive`
			`----`
			`https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`class Insecure implements WebMvcConfigurer {`
			`@Override`
			`public void addCorsMappings(CorsRegistry registry) {`
			`registry.addMapping("/**")`
			`.allowedOrigins("*"); // Sensitive`
			`}`
			`}`
			`----`

			`== Compliant Solution`

			`Java Servlet framework:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@Override`
			`protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {`
			`resp.setHeader("Content-Type", "text/plain; charset=utf-8");`
			`resp.setHeader("Access-Control-Allow-Origin", "trustedwebsite.com"); // Compliant`
			`resp.setHeader("Access-Control-Allow-Credentials", "true");`
			`resp.setHeader("Access-Control-Allow-Methods", "GET");`
			`resp.getWriter().write("response");`
			`}`
			`----`

			`Spring MVC framework:`
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/bind/annotation/CrossOrigin.html[CrossOrigin]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`@CrossOrigin("trustedwebsite.com") // Compliant`
			`@RequestMapping("")`
			`public class TestController {`
			`public String home(ModelMap model) {`
			`model.addAttribute("message", "ok ");`
			`return "view";`
			`}`
			`}`
			`----`
			`https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/cors/CorsConfiguration.html[cors.CorsConfiguration]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`CorsConfiguration config = new CorsConfiguration();`
			`config.addAllowedOrigin("http://domain2.com"); // Compliant`
			`----`
			`https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/servlet/config/annotation/CorsRegistration.html[servlet.config.annotation.CorsConfiguration]`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`class Safe implements WebMvcConfigurer {`
			`@Override`
			`public void addCorsMappings(CorsRegistry registry) {`
			`registry.addMapping("/**")`
			`.allowedOrigins("safe.com"); // Compliant`
			`}`
			`}`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`