rspec/rules/S1872/comments-and-links.adoc

=== on 30 Jul 2014, 21:14:24 Freddy Mallet wrote:
My feedback @Ann:

* I would have limited the scope of this rule to Java and Groovy because on my side I would not be able to say if this rule is relevant or not in {cpp}, C#, VB.Net, ...
* In the provided example in Java, I would have used the Class.getName() method and not Class.getSimpleName() which is not so widely used.
* The following extended description provided in the CWE page is for me really relevant to understand why this might be a security issue: 
____
If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.

____

=== on 31 Jul 2014, 18:48:53 Ann Campbell wrote:
\[~freddy.mallet]

* I did some research at the time (& just ran through it again). All of those languages have classes and some equivalent of instanceof
* The example doesn't work with Class.getName() :-)
* I've beefed up the description.

=== on 13 Feb 2015, 17:37:16 Freddy Mallet wrote:
\[~ann.campbell.2] what should be the security category associated with this rule ?

=== on 16 Feb 2015, 12:41:40 Ann Campbell wrote:
\[~freddy.mallet] are you talking about a security-related sub-tag, or are you talking about switching the SQALE mapping to Security? Or both?

=== on 5 Apr 2015, 23:35:27 Evgeny Mandrikov wrote:
\[~ann.campbell.2] I believe that this is not applicable for {cpp} and Objective-C.
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 30 Jul 2014, 21:14:24 Freddy Mallet wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`My feedback @Ann:`

			`* I would have limited the scope of this rule to Java and Groovy because on my side I would not be able to say if this rule is relevant or not in {cpp}, C#, VB.Net, ...`
			`* In the provided example in Java, I would have used the Class.getName() method and not Class.getSimpleName() which is not so widely used.`
			`* The following extended description provided in the CWE page is for me really relevant to understand why this might be a security issue:`
			`____`
			`If the decision to trust the methods and data of an object is based on the name of a class, it is possible for malicious users to send objects of the same name as trusted classes and thereby gain the trust afforded to known classes and types.`

			`____`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 31 Jul 2014, 18:48:53 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~freddy.mallet]`

			`* I did some research at the time (& just ran through it again). All of those languages have classes and some equivalent of instanceof`
			`* The example doesn't work with Class.getName() :-)`
			`* I've beefed up the description.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 13 Feb 2015, 17:37:16 Freddy Mallet wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~ann.campbell.2] what should be the security category associated with this rule ?`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 16 Feb 2015, 12:41:40 Ann Campbell wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~freddy.mallet] are you talking about a security-related sub-tag, or are you talking about switching the SQALE mapping to Security? Or both?`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`=== on 5 Apr 2015, 23:35:27 Evgeny Mandrikov wrote:`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`\[~ann.campbell.2] I believe that this is not applicable for {cpp} and Objective-C.`