From 4f738dfb936efeab1ebec5d6d1d455f9a5f47a8f Mon Sep 17 00:00:00 2001
From: sonartech
Date: Wed, 5 May 2021 08:56:28 +0000
Subject: [PATCH] Nightly update

---
 rules/S2180/java/metadata.json | 3 ++-
 rules/S2577/java/rule.adoc | 4 +++-
 rules/S4529/recommended.adoc | 7 +++++--
 rules/S5443/java/rule.adoc | 16 ++++++++++----
 rules/S6241/java/metadata.json | 2 +-
 rules/S6241/java/rule.adoc | 1 +
 rules/S6242/java/metadata.json | 2 +-
 rules/S6242/java/rule.adoc | 1 +
 rules/S6244/java/metadata.json | 27 ++++++++++++++++++++++++
 rules/S6244/java/rule.adoc | 38 ++++++++++++++++++++++++++++++++++
 rules/S6244/metadata.json | 2 ++
 rules/S6246/java/metadata.json | 22 ++++++++++++++++++++
 rules/S6246/java/rule.adoc | 33 +++++++++++++++++++++++++++++
 rules/S6246/metadata.json | 2 ++
 14 files changed, 150 insertions(+), 10 deletions(-)
 create mode 100644 rules/S6244/java/metadata.json
 create mode 100644 rules/S6244/java/rule.adoc
 create mode 100644 rules/S6244/metadata.json
 create mode 100644 rules/S6246/java/metadata.json
 create mode 100644 rules/S6246/java/rule.adoc
 create mode 100644 rules/S6246/metadata.json

diff --git a/rules/S2180/java/metadata.json b/rules/S2180/java/metadata.json
index b687e84b24..bdca9c79d1 100644
--- a/rules/S2180/java/metadata.json
+++ b/rules/S2180/java/metadata.json
@@ -8,7 +8,8 @@
 },
 "tags": [
 "multi-threading",
- "cert"
+ "cert",
+ "AWS"
 ],
 "extra": {
 "coveredLanguages": [
diff --git a/rules/S2577/java/rule.adoc b/rules/S2577/java/rule.adoc
index 3234f7464e..acab3ea74e 100644
--- a/rules/S2577/java/rule.adoc
+++ b/rules/S2577/java/rule.adoc
@@ -34,8 +34,10 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {
 ----
+:link-with-uscores1: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse
+
 == See
 * https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
-* https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.233.1_-_HTML_escape_JSON_values_in_an_HTML_context_and_read_the_data_with_JSON.parse[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
+* {link-with-uscores1}[OWASP, XSS (Cross Site Scripting) Prevention Cheat Sheet] - Rule #3.1
diff --git a/rules/S4529/recommended.adoc b/rules/S4529/recommended.adoc
index e6b21fca4b..d95bf9e855 100644
--- a/rules/S4529/recommended.adoc
+++ b/rules/S4529/recommended.adoc
@@ -1,9 +1,12 @@
+:link-with-uscores1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+:link-with-uscores2: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
+
 == Recommended Secure Coding Practices
 Never trust any part of the request to be safe. Make sure that the URI, header and body are properly https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet[sanitized] before being used. Their content, length, encoding, name (ex: name of URL query parameters) should be checked. Validate that the values are in a predefined whitelist. The opposite, i.e. searching for dangerous values in a given input, can easily miss some of them.
-Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet[CSRF] tokens when possible.
+Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as {link-with-uscores1}[CSRF] tokens when possible.
 Do not expose sensitive information in your response. If the endpoint serves files, limit the access to a dedicated directory. https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies[Protect your sensitive cookies] so that client-side javascript cannot read or modify them.
@@ -11,7 +14,7 @@ Do not expose sensitive information in your response. If the endpoint serves fil
 Sanitize all values before returning them in a response, be it in the body, header or status code. Special care should be taken to avoid the following attacks:
-* https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet[Cross-site Scripting (XSS)], which happens when an unsafe value is included in an HTML page.
+* {link-with-uscores2}[Cross-site Scripting (XSS)], which happens when an unsafe value is included in an HTML page.
 * https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet[Unvalidated redirects] which can happen when the ``++Location++`` header is compromised.
 Restrict security-sensitive actions, such as file upload, to authenticated users.
diff --git a/rules/S5443/java/rule.adoc b/rules/S5443/java/rule.adoc
index 33449cb5ae..cc927f6622 100644
--- a/rules/S5443/java/rule.adoc
+++ b/rules/S5443/java/rule.adoc
@@ -22,12 +22,20 @@ env.get("TMP"); // Sensitive
 == Compliant Solution
 ----
-new File("/myDirectory/myfile.txt");
+new File("/myDirectory/myfile.txt"); // Compliant
-File.createTempFile("prefix", "suffix", new File("/mySecureDirectory"));
+File.createTempFile("prefix", "suffix", new File("/mySecureDirectory")); // Compliant
-FileAttribute> attr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("w+"));
-Files.createTempFile("prefix", "suffix", attr); // Compliant, created with explicit attributes.
+if(SystemUtils.IS_OS_UNIX) {
+ FileAttribute> attr = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
+ Files.createTempFile("prefix", "suffix", attr); // Compliant
+}
+else {
+ File f = Files.createTempFile("prefix", "suffix").toFile(); // Compliant
+ f.setReadable(true, true);
+ f.setWritable(true, true);
+ f.setExecutable(true, true);
+}
 ----
 include::../see.adoc[]
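Review bot: The `else` branch of the new Compliant Solution in S5443 ignores the `boolean` returned by `f.setReadable(true, true)`, `f.setWritable(true, true)` and `f.setExecutable(true, true)`, so on a platform where the call cannot apply the restriction the file silently keeps its default permissions while the example labels it `// Compliant`. Both branches also grant execute permission to a plain data file (`rwx------` on the POSIX side, `setExecutable` on the other), which a temporary file does not need; `rw-------` and dropping the `setExecutable` call would model least privilege. Because the non-POSIX file already exists with default permissions until those calls succeed, checking them is the minimum the example should show: `if (!f.setReadable(true, true) || !f.setWritable(true, true)) { throw new IOException("could not restrict temp file permissions"); }`.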
diff --git a/rules/S6241/java/metadata.json b/rules/S6241/java/metadata.json
index aebb55a3cc..5691fb4b80 100644
--- a/rules/S6241/java/metadata.json
+++ b/rules/S6241/java/metadata.json
@@ -1,5 +1,5 @@
 {
- "title": "Region should be set when creating a new \"AwsClient\"",
+ "title": "Region should be set explicitly when creating a new \"AwsClient\"",
 "type": "CODE_SMELL",
 "status": "ready",
 "remediation": {
diff --git a/rules/S6241/java/rule.adoc b/rules/S6241/java/rule.adoc
index d6ae0ccfd6..80cb2082b4 100644
--- a/rules/S6241/java/rule.adoc
+++ b/rules/S6241/java/rule.adoc
@@ -34,4 +34,5 @@ S3Client.builder()
 * https://aws.amazon.com/fr/blogs/developer/tuning-the-aws-java-sdk-2-x-to-reduce-startup-time/[Tuning the AWS Java SDK 2.x to reduce startup time]
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/lambda-optimize-starttime.html[Optimizing cold start performance for AWS Lambda]
 * https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html[Environment variable configuration]
+* https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/java-dg-region-selection.html#automatically-determine-the-aws-region-from-the-environment[Automatically Determine the AWS Region]
diff --git a/rules/S6242/java/metadata.json b/rules/S6242/java/metadata.json
index 603ab8506f..ef931cda02 100644
--- a/rules/S6242/java/metadata.json
+++ b/rules/S6242/java/metadata.json
@@ -1,5 +1,5 @@
 {
- "title": "Credentials Provider should be set when creating a new \"AwsClient\"",
+ "title": "Credentials Provider should be set explicitly when creating a new \"AwsClient\"",
 "type": "CODE_SMELL",
 "status": "ready",
 "remediation": {
diff --git a/rules/S6242/java/rule.adoc b/rules/S6242/java/rule.adoc
index b8b3bacc2b..dec7eca5fd 100644
--- a/rules/S6242/java/rule.adoc
+++ b/rules/S6242/java/rule.adoc
@@ -34,4 +34,5 @@ S3Client.builder()
 * https://aws.amazon.com/fr/blogs/developer/tuning-the-aws-java-sdk-2-x-to-reduce-startup-time/[Tuning the AWS Java SDK 2.x to reduce startup time]
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/lambda-optimize-starttime.html[Optimizing cold start performance for AWS Lambda]
 * https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html[Environment variable configuration]
+* https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html[Default Credential Provider Chain]
diff --git a/rules/S6244/java/metadata.json b/rules/S6244/java/metadata.json
new file mode 100644
index 0000000000..24bed8b895
--- /dev/null
+++ b/rules/S6244/java/metadata.json
@@ -0,0 +1,27 @@
+{
+ "title": "Consumer Builders should be used",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "5min"
+ },
+ "tags": [
+ "AWS"
+ ],
+ "extra": {
+ "coveredLanguages": [
+
+ ],
+ "replacementRules": [
+
+ ]
+ },
+ "defaultSeverity": "Minor",
+ "ruleSpecification": "RSPEC-6244",
+ "sqKey": "S6244",
+ "scope": "Main",
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ]
+}
diff --git a/rules/S6244/java/rule.adoc b/rules/S6244/java/rule.adoc
new file mode 100644
index 0000000000..175db2cd6b
--- /dev/null
+++ b/rules/S6244/java/rule.adoc
@@ -0,0 +1,38 @@
+Some API, like the AWS SDK, heavily rely on the builder pattern to create different data structures. Despite all the benefits, this pattern can become really verbose,
+
+especially when dealing with nested structures. In order to reach a more concise code, "Consumer Builders", also called "Consumer Interface" are often introduced.
+
+The idea is to overload the methods taking others structures in a Builder with a Consumer of Builder instead. This enables the user to use a
+
+lambda instead of nesting another Builder, resulting in more concise and more readable code.
+
+
+This rule reports an issue when the Consumer Builder methods could be used instead of the classical ones.
+
+
+== Noncompliant Code Example
+
+----
+SendEmailRequest.builder()
+ .destination(Destination.builder()
+ .toAddresses("to-email@domain.com")
+ .bccAddresses("bcc-email@domain.com")
+ .build())
+.build();
+----
+
+
+== Compliant Solution
+
+----
+SendEmailRequest.builder()
+ .destination(d -> d.toAddresses("to-email@domain.com")
+ .bccAddresses("bcc-email@domain.com"))
+ .build();
+----
+
+
+== See
+
+* https://aws.amazon.com/fr/blogs/developer/consumer-builders-in-the-aws-sdk-for-java-v2/[Consumer Builders in the AWS SDK for Java v2]
+
diff --git a/rules/S6244/metadata.json b/rules/S6244/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S6244/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6246/java/metadata.json b/rules/S6246/java/metadata.json
new file mode 100644
index 0000000000..1306f48b83
--- /dev/null
+++ b/rules/S6246/java/metadata.json
@@ -0,0 +1,22 @@
+{
+ "title": "Lambdas should not invoke other lambdas",
+ "type": "CODE_SMELL",
+ "status": "ready",
+ "tags": [
+ "AWS"
+ ],
+ "extra": {
+ "coveredLanguages": [
+ "Java"
+ ],
+ "replacementRules": [
+
+ ]
+ },
+ "ruleSpecification": "RSPEC-6246",
+ "sqKey": "S6246",
+ "scope": "All",
+ "defaultQualityProfiles": [
+
+ ]
+}
diff --git a/rules/S6246/java/rule.adoc b/rules/S6246/java/rule.adoc
new file mode 100644
index 0000000000..689ed47214
--- /dev/null
+++ b/rules/S6246/java/rule.adoc
@@ -0,0 +1,33 @@
+Invoking other lambdas from a lambda is a scalability anti-pattern.
+
+As the runtime of your function is bounded, waiting for another lambda to finish executing could cause a timeout.
+
+Consider breaking down your function into multiple ones or changing the way you generate or handle events.
+
+----
+ String functionName = args[0];
+
+InvokeRequest invokeRequest = new InvokeRequest()
+ .withFunctionName(functionName)
+ .withPayload("{\n" +
+ " \"Hello \": \"Paris\",\n" +
+ " \"countryCode\": \"FR\"\n" +
+ "}");
+ InvokeResult invokeResult = null;
+try {
+ AWSLambda awsLambda = AWSLambdaClientBuilder.standard()
+ .withCredentials(new ProfileCredentialsProvider())
+ .withRegion(Regions.US_WEST_2).build();
+
+ invokeResult = awsLambda.invoke(invokeRequest); // Noncompliant
+
+ String ans = new String(invokeResult.getPayload().array(), StandardCharsets.UTF_8);
+
+ //write out the return value
+ System.out.println(ans);
+
+} catch (ServiceException e) {
+ System.out.println(e);
+}
+----
+
diff --git a/rules/S6246/metadata.json b/rules/S6246/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S6246/metadata.json
@@ -0,0 +1,2 @@
+{
+}