2021-06-04 14:50:38 +02:00
//// This rule is superseded by RSPEC-2255
//// Please consider implementing this latter instead.
Cookie values and the contents of form fields - both visible _and_ hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs.
2020-06-30 16:59:06 +02:00
2021-02-02 15:02:10 +01:00
2020-06-30 16:59:06 +02:00
This rule logs an issue whenever form fields and cookie values are accessed.
== Noncompliant Code Example
----
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
Cookie [] cookies = request.getCookies(); // Noncompliant
String hiddenValue = request.getParameter("hiddenField"); // Noncompliant
Map<String,String[]> params = request.getParameterMap(); // Noncompliant
String [] hiddenFieldValues = reqeust.getParameterValues("hiddenArray"); // Noncompliant
----
== See
* http://cwe.mitre.org/data/definitions/807[MITRE, CWE-807] - Reliance on Untrusted Inputs in a Security Decision
* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses
