rspec/rules/S3749/java/rule.adoc

== Why is this an issue?

Spring ``++@Component++``, ``++@Controller++``, ``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring. That is, they should have one of these annotations: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.


Having non-injected members in one of these classes could indicate an attempt to manage state. Because they are singletons, such an attempt is almost guaranteed to eventually expose data from User1's session to User2. 


This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:

* ``++org.springframework.beans.factory.annotation.Autowired++``
* ``++org.springframework.beans.factory.annotation.Value++``
* ``++javax.annotation.Inject++``
* ``++javax.annotation.Resource++``


=== Noncompliant code example

[source,java]
----
@Controller
public class HelloWorld {

  private String name = null;

  @RequestMapping("/greet", method = GET)
  public String greet(String greetee) {

    if (greetee != null) {
      this.name = greetee;
    }

    return "Hello " + this.name;  // if greetee is null, you see the previous user's data
  }
}
----


== Resources

* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it.


=== Parameters

.customInjectionAnnotations
****

----
""
----

comma-separated list of annotation fully qualified names to consider as valid
****


=== Highlighting

member declaration


'''
== Comments And Links
(visible only on this page)

=== on 17 Oct 2016, 15:23:37 Ann Campbell wrote:
Part of the idea is that constructor injection is declasse now, [~nicolas.peru]

=== on 31 Mar 2017, 09:40:29 Yves Dubois-Pèlerin wrote:
\[~ann.campbell.2]


This is about a https://groups.google.com/forum/#!topic/sonarqube/T-f83S9mvQU[question] on the Google group.


+1 for adding @Resource in this rule. Although annotation @Autowired is well-known among Java developers, it is Spring specific. The newer but standard @Resource annotation is mostly equivalent to @Autowire and should be added to the rule.


I don't know about @Inject - maybe a Guice-specific annotation.


Suggestions:

* Change the rule title into "Members of Spring components should be explicitly injected".
* Give more emphasis to @Resource than to @Autowired, which is slightly outdated. For example, replace
"That is, they should have the @Autowired annotation"

with

"That is, they should have the @Resource (or @Autowired) annotation"


Yves

=== on 4 Apr 2017, 15:23:12 Ann Campbell wrote:
Updated [~yves.duboispelerin]

=== on 19 Mar 2018, 10:01:50 Sébastien GIORIA - AppSecFR wrote:
Could be tagged OWASP A3:2017. This could leak sensitive data

=== on 19 Mar 2018, 10:14:30 Alexandre Gigleux wrote:
\[~SPoint]: thanks for the contribution - it's already tagged OWASP A3:2017 in the RSPEC ticket - as soon as SonarJava 5.2 will be released, the OWASP tags will be updated in SonarQube UI thanks to this ticket: \https://jira.sonarsource.com/browse/SONARJAVA-2682 - we reviewed all the OWASP tags of SonarJava rules to be sure they are aligned with OWASP TOP 10 2017.

=== on 16 Aug 2018, 20:27:21 Ann Campbell wrote:
\[~nicolas.harraudeau] despite the fact that Jira can't properly render its own code markdown when immediately followed by non-space characters, RuleAPI handles this correctly. 


The current version is awkward IMO and should either get the 's'es back, or the word "classes" before "are singletons by default".

=== on 17 Aug 2018, 08:41:28 Nicolas Harraudeau wrote:
\[~ann.campbell.2] Thanks for the info. I'll add "classes" then so that it works in both Jira and RuleAPI.

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			Spring ``++@Component++``, ``++@Controller++``, ``++@Service++``, and ``++@Repository++`` classes are singletons by default, meaning only one instance of the class is ever instantiated in the application. Typically such a class might have a few ``++static++`` members, such as a logger, but all non-``++static++`` members should be managed by Spring. That is, they should have one of these annotations: ``++@Resource++``, ``++@Inject++``, ``++@Autowired++`` or ``++@Value++``.


			`Having non-injected members in one of these classes could indicate an attempt to manage state. Because they are singletons, such an attempt is almost guaranteed to eventually expose data from User1's session to User2.`


			This rule raises an issue when a singleton ``++@Component++``, ``++@Controller++``, ``++@Service++``, or ``++@Repository++``, not annotated with ``++@ConfigurationProperties++``, has non-``++static++`` members that are not annotated with one of:

			* ``++org.springframework.beans.factory.annotation.Autowired++``
			* ``++org.springframework.beans.factory.annotation.Value++``
			* ``++javax.annotation.Inject++``
			* ``++javax.annotation.Resource++``

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`@Controller`
			`public class HelloWorld {`

			`private String name = null;`

			`@RequestMapping("/greet", method = GET)`
			`public String greet(String greetee) {`

			`if (greetee != null) {`
			`this.name = greetee;`
			`}`

			`return "Hello " + this.name; // if greetee is null, you see the previous user's data`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
Modify: Fix old/broken embedded links (#1100) 2022-07-08 13:58:56 +02:00			`* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it.`


			`=== Parameters`

			`.customInjectionAnnotations`
			`****`

			`----`
			`""`
			`----`

			`comma-separated list of annotation fully qualified names to consider as valid`
			`****`


			`=== Highlighting`

			`member declaration`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 17 Oct 2016, 15:23:37 Ann Campbell wrote:`
			`Part of the idea is that constructor injection is declasse now, [~nicolas.peru]`

			`=== on 31 Mar 2017, 09:40:29 Yves Dubois-Pèlerin wrote:`
			`\[~ann.campbell.2]`


			`This is about a https://groups.google.com/forum/#!topic/sonarqube/T-f83S9mvQU[question] on the Google group.`


			`+1 for adding @Resource in this rule. Although annotation @Autowired is well-known among Java developers, it is Spring specific. The newer but standard @Resource annotation is mostly equivalent to @Autowire and should be added to the rule.`


			`I don't know about @Inject - maybe a Guice-specific annotation.`


			`Suggestions:`

			`* Change the rule title into "Members of Spring components should be explicitly injected".`
			`* Give more emphasis to @Resource than to @Autowired, which is slightly outdated. For example, replace`
			`"That is, they should have the @Autowired annotation"`

			`with`

			`"That is, they should have the @Resource (or @Autowired) annotation"`


			`Yves`

			`=== on 4 Apr 2017, 15:23:12 Ann Campbell wrote:`
			`Updated [~yves.duboispelerin]`

			`=== on 19 Mar 2018, 10:01:50 Sébastien GIORIA - AppSecFR wrote:`
			`Could be tagged OWASP A3:2017. This could leak sensitive data`

			`=== on 19 Mar 2018, 10:14:30 Alexandre Gigleux wrote:`
			`\[~SPoint]: thanks for the contribution - it's already tagged OWASP A3:2017 in the RSPEC ticket - as soon as SonarJava 5.2 will be released, the OWASP tags will be updated in SonarQube UI thanks to this ticket: \https://jira.sonarsource.com/browse/SONARJAVA-2682 - we reviewed all the OWASP tags of SonarJava rules to be sure they are aligned with OWASP TOP 10 2017.`

			`=== on 16 Aug 2018, 20:27:21 Ann Campbell wrote:`
			`\[~nicolas.harraudeau] despite the fact that Jira can't properly render its own code markdown when immediately followed by non-space characters, RuleAPI handles this correctly.`


			`The current version is awkward IMO and should either get the 's'es back, or the word "classes" before "are singletons by default".`

			`=== on 17 Aug 2018, 08:41:28 Nicolas Harraudeau wrote:`
			`\[~ann.campbell.2] Thanks for the info. I'll add "classes" then so that it works in both Jira and RuleAPI.`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`