rspec/rules/S4508/comments-and-links.adoc

=== is duplicated by: S4066

=== on 19 Mar 2018, 11:18:13 Sébastien GIORIA - AppSecFR wrote:
Need Tag A8:2017

=== on 20 Mar 2018, 07:30:10 Freddy Mallet wrote:
Thanks [~SPoint] ! And I would even remove the A1 category [~alexandre.gigleux] to keep our referential orthogonal.

=== on 20 Mar 2018, 08:20:58 Alexandre Gigleux wrote:
\[~freddy.mallet] I agree the main problem here is the "Insecure Deserialization" that can lead to a potential "Injection". The "Injection" can't be performed easily, you need first to bypass the deserialization layer. So I removed OWASP A1. 

=== on 7 Jul 2018, 15:28:25 Tibor Blenessy wrote:
Method ``++ObjectInputStream.readArray(boolean)++``  is private, so it can't be called. Why we should detect it?

=== on 9 Jul 2018, 13:27:12 Andrei Epure wrote:
@ [~alexandre.gigleux] , [~tibor.blenessy] Should we take into consideration ``++setObjectInputFilter++`` ? 

=== on 9 Jul 2018, 15:56:04 Alexandre Gigleux wrote:
\[~andrei.epure] Hotspots rules are going to be revisited with "recommendations" that a Security Auditors should follow to be sure the code is safe. This ``++setObjectInputFilter]} will be part of them. Here we just want to raise a simple issue when the {{readObject++`` is called. Then up to the Security Auditor to look around this code and see if some sanitization of in the input is made.

=== on 23 Jul 2018, 17:14:26 Pierre-Yves Nicolas wrote:
\[~alexandre.gigleux] The current description is really specific to Java. Can it be adapted to PHP? Thanks.

=== on 27 May 2020, 16:48:46 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== is duplicated by: S4066
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 19 Mar 2018, 11:18:13 Sébastien GIORIA - AppSecFR wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								Need Tag A8:2017
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 20 Mar 2018, 07:30:10 Freddy Mallet wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								Thanks [~SPoint] ! And I would even remove the A1 category [~alexandre.gigleux] to keep our referential orthogonal.
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 20 Mar 2018, 08:20:58 Alexandre Gigleux wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								\[~freddy.mallet] I agree the main problem here is the "Insecure Deserialization" that can lead to a potential "Injection". The "Injection" can't be performed easily, you need first to bypass the deserialization layer. So I removed OWASP A1.
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 7 Jul 2018, 15:28:25 Tibor Blenessy wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								Method ``++ObjectInputStream.readArray(boolean)++``  is private, so it can't be called. Why we should detect it?
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 9 Jul 2018, 13:27:12 Andrei Epure wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								@ [~alexandre.gigleux] , [~tibor.blenessy] Should we take into consideration ``++setObjectInputFilter++`` ?
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 9 Jul 2018, 15:56:04 Alexandre Gigleux wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								\[~andrei.epure] Hotspots rules are going to be revisited with "recommendations" that a Security Auditors should follow to be sure the code is safe. This ``++setObjectInputFilter]} will be part of them. Here we just want to raise a simple issue when the {{readObject++`` is called. Then up to the Security Auditor to look around this code and see if some sanitization of in the input is made.
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 23 Jul 2018, 17:14:26 Pierre-Yves Nicolas wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								\[~alexandre.gigleux] The current description is really specific to Java. Can it be adapted to PHP? Thanks.
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								=== on 27 May 2020, 16:48:46 Eric Therond wrote:
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								Deprecated because it overlaps with SonarSecurity