rspec/rules/S2091/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

----
public boolean authenticate(javax.servlet.http.HttpServletRequest request, javax.xml.xpath.XPath xpath, org.w3c.dom.Document doc) throws XPathExpressionException { 
  String user = request.getParameter("user"); 
  String pass = request.getParameter("pass");

  String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']"; // Unsafe

  // An attacker can bypass authentication by setting user to this special value
  user = "' or 1=1 or ''='";

  return (boolean)xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // Noncompliant
}
----

== Compliant Solution

----
public boolean authenticate(javax.servlet.http.HttpServletRequest request, javax.xml.xpath.XPath xpath, org.w3c.dom.Document doc) throws XPathExpressionException { 
  String user = request.getParameter("user"); 
  String pass = request.getParameter("pass");

  String expression = "/users/user[@name=$user and @pass=$pass]";

  xpath.setXPathVariableResolver(v -> {
    switch (v.getLocalPart()) {
      case "user":
        return user;
      case "pass":
        return pass;
      default:
        throw new IllegalArgumentException();
    }
  });

  return (boolean)xpath.evaluate(expression, doc, XPathConstants.BOOLEAN);
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Add rules 2000-2999 2020-06-30 12:48:07 +02:00			`include::../description.adoc[]`

			`== Noncompliant Code Example`

			`----`
			`public boolean authenticate(javax.servlet.http.HttpServletRequest request, javax.xml.xpath.XPath xpath, org.w3c.dom.Document doc) throws XPathExpressionException {`
			`String user = request.getParameter("user");`
			`String pass = request.getParameter("pass");`

			`String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']"; // Unsafe`

			`// An attacker can bypass authentication by setting user to this special value`
			`user = "' or 1=1 or ''='";`

			`return (boolean)xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // Noncompliant`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`public boolean authenticate(javax.servlet.http.HttpServletRequest request, javax.xml.xpath.XPath xpath, org.w3c.dom.Document doc) throws XPathExpressionException {`
			`String user = request.getParameter("user");`
			`String pass = request.getParameter("pass");`

			`String expression = "/users/user[@name=$user and @pass=$pass]";`

			`xpath.setXPathVariableResolver(v -> {`
			`switch (v.getLocalPart()) {`
			`case "user":`
			`return user;`
			`case "pass":`
			`return pass;`
			`default:`
			`throw new IllegalArgumentException();`
			`}`
			`});`

			`return (boolean)xpath.evaluate(expression, doc, XPathConstants.BOOLEAN);`
			`}`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`