rspec/rules/S2656/java/rule.adoc

== Why is this an issue?

According to the EJB specification:


____
An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.

{empty}...


* The enterprise bean must not attempt to set the socket factory used by ServerSocket, Socket, or the stream handler factory used by URL.

These networking functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container’s ability to properly manage the runtime environment.

____

Since EJB's may be passivated (temporarily serialized at the discretion of the container), using sockets in an EJB could cause resource leaks. Instead, you should work at a higher level and let the container handle such resources.


This rule raises an issue each time a socket is created or or retrieved from another class in a servlet class or EJB.


=== Noncompliant code example

[source,java]
----
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  // ...

  Socket sock = null;
  try {
    sock = new Socket(host, 3000);  // Noncompliant
    // ...
  } catch (Exception e) {
    // ...
  }
}
----


== Resources

* CWE - https://cwe.mitre.org/data/definitions/246[CWE-246 - J2EE Bad Practices: Direct Use of Sockets]
* CWE - https://cwe.mitre.org/data/definitions/577[CWE-577 - EJB Bad Practices: Use of Sockets]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this use of sockets.


'''
== Comments And Links
(visible only on this page)

=== relates to: S4818

=== on 20 Jul 2015, 07:36:58 Ann Campbell wrote:
Tagged java-top by Ann [~nicolas.peru]

endif::env-github,rspecator-view[]
-												migrate rule descriptions to new education format

											
										
										
											2023-05-03 11:06:20 +02:00
+								== Why is this an issue?
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								According to the EJB specification:
 								____
 								An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.
 								{empty}...
 								* The enterprise bean must not attempt to set the socket factory used by ServerSocket, Socket, or the stream handler factory used by URL.
 								These networking functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container’s ability to properly manage the runtime environment.
 								____
 								Since EJB's may be passivated (temporarily serialized at the discretion of the container), using sockets in an EJB could cause resource leaks. Instead, you should work at a higher level and let the container handle such resources.
 								This rule raises an issue each time a socket is created or or retrieved from another class in a servlet class or EJB.
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												migrate rule descriptions to new education format

											
										
										
											2023-05-03 11:06:20 +02:00
+								=== Noncompliant code example
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
-												RULEAPI-661: Add syntax coloring


											
										
										
											2022-02-04 17:28:24 +01:00
+								[source,java]
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
+								----
 								public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
 								  // ...
 								  Socket sock = null;
 								  try {
 								    sock = new Socket(host, 3000);  // Noncompliant
 								    // ...
 								  } catch (Exception e) {
 								    // ...
 								  }
 								}
 								----
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												migrate rule descriptions to new education format

											
										
										
											2023-05-03 11:06:20 +02:00
+								== Resources
-												Restructure one-lang rspecs

											
										
										
											2021-04-28 16:49:39 +02:00
-												Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529)

* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
											
										
										
											2024-01-15 17:15:56 +01:00
+								* CWE - https://cwe.mitre.org/data/definitions/246[CWE-246 - J2EE Bad Practices: Direct Use of Sockets]
 								* CWE - https://cwe.mitre.org/data/definitions/577[CWE-577 - EJB Bad Practices: Use of Sockets]
-												Fix the missing default metadata fields

											
										
										
											2021-04-28 18:08:03 +02:00
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								ifdef::env-github,rspecator-view[]
-												RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346)


											
										
										
											2021-09-20 15:38:42 +02:00
 								'''
 								== Implementation Specification
 								(visible only on this page)
-												Inline adoc when include has no additional value (#1940)

Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
											
										
										
											2023-05-25 14:18:12 +02:00
+								=== Message
 								Remove this use of sockets.
-												RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346)


											
										
										
											2021-09-20 15:38:42 +02:00
-												RULEAPI-576: add a horizontal rule between rule description and comments


											
										
										
											2021-06-08 15:52:13 +02:00
+								'''
-												Export comments and rspec-to-rspec links from jira

											
										
										
											2021-06-02 20:44:38 +02:00
+								== Comments And Links
 								(visible only on this page)
-												Inline adoc when include has no additional value (#1940)

Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
											
										
										
											2023-05-25 14:18:12 +02:00
+								=== relates to: S4818
 								=== on 20 Jul 2015, 07:36:58 Ann Campbell wrote:
 								Tagged java-top by Ann [~nicolas.peru]
-												Fix the comment display: rule-id, timestamp, GH visibility, link direction

											
										
										
											2021-06-03 09:05:38 +02:00
+								endif::env-github,rspecator-view[]