rspec/rules/S4529/description.adoc

Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]

HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).


This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]`

			`HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 4000-4999 2020-06-30 12:49:37 +02:00			`This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.`