diff --git a/rules/S1612/rule.adoc b/rules/S1612/rule.adoc index 326ddc5376..91efc45e5f 100644 --- a/rules/S1612/rule.adoc +++ b/rules/S1612/rule.adoc @@ -38,7 +38,7 @@ class A { list.stream() .filter(B.class::isInstance) .map(B.class::cast) - .map(A::getObject) + .map(B::getObject) .forEach(System.out::println); } } diff --git a/rules/S2053/java/rule.adoc b/rules/S2053/java/rule.adoc index 1bbf970c88..42366428e2 100644 --- a/rules/S2053/java/rule.adoc +++ b/rules/S2053/java/rule.adoc 
@@ -4,52 +4,27 @@ include::../recommended.adoc[] == Noncompliant Code Example -Below, the hashed password is not salted: +Below, the hashed password is not salted or use a predictable salt: ---- -MessageDigest md = MessageDigest.getInstance("SHA-512"); -byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Noncompliant ----- - ----- -MessageDigest md = MessageDigest.getInstance("SHA-512"); -md.update(passwordToHash.getBytes(StandardCharsets.UTF_8)); -byte[] hashedPassword = md.digest(); // Noncompliant, only one "update()" call and "digest()" without parameters ----- - ----- -MessageDigest md = MessageDigest.getInstance("SHA-512"); -byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Noncompliant, no "update()" call ----- - ----- -PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant, no salt as an argument +PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant, no salt as an argument, will throw an error at the run-time ---- ---- byte[] salt = "notrandom".getBytes(); -PBEKeySpec spec = new PBEKeySpec(chars, salt); // Noncompliant, predictable salt +PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Noncompliant, predictable salt ---- == Compliant Solution -Use ``++java.security.SecureRandom++`` to produce a unpredictable salt: +Use ``++java.security.SecureRandom++`` to generate an unpredictable salt: ---- -MessageDigest md = MessageDigest.getInstance("SHA-512"); - SecureRandom random = new SecureRandom(); byte[] salt = new byte[16]; random.nextBytes(salt); -md.update(salt); - -byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Compliant ----- - ----- -byte[] salt = this.secureSalt(); -PBEKeySpec spec = new PBEKeySpec(chars, salt); // Compliant +PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Compliant ---- include::../see.adoc[] 
diff --git a/rules/S2053/recommended.adoc b/rules/S2053/recommended.adoc index bdc4be3872..e1352854c7 100644 --- a/rules/S2053/recommended.adoc +++ b/rules/S2053/recommended.adoc @@ -1,6 +1,4 @@ == Recommended Secure Coding Practices -* Use hashing functions generating their own salt or generate a long random salt of at least 32 bytes. -* The salt is at least as long as the resulting hash value. -* Provide the salt to a safe hashing function such as PBKDF2. -* Save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result compared to the stored hash. +* Use hashing functions generating their own salt or generate an unpredictable value of at least 16 bytes. +* The salt should be unique by user password. diff --git a/rules/S4652/rule.adoc b/rules/S4652/rule.adoc index d5f241e07b..dc34b7fadf 100644 --- a/rules/S4652/rule.adoc +++ b/rules/S4652/rule.adoc @@ -3,7 +3,7 @@ According to the W3C specifications: ____ A string cannot directly contain a newline. To include a newline in a string, use an escape representing the line feed character in ISO-10646 (U+000A), such as "\A" or "\00000a". -\[...] +{empty}[...] It is possible to break strings over several lines, for aesthetic or other reasons, but in such a case the newline itself has to be escaped with a backslash (\). diff --git a/rules/S5693/vbnet/rule.adoc b/rules/S5693/vbnet/rule.adoc index 425adc3f04..f46c025e50 100644 --- a/rules/S5693/vbnet/rule.adoc +++ b/rules/S5693/vbnet/rule.adoc @@ -14,7 +14,7 @@ Public Class MyController ' Sensitive: No size limit - ' Sensitive: 10MB is more than the recommended limit of 2MB + ' Sensitive: 10MB is more than the recommended limit of 8MB Public Function PostRequest(Model model) As IActionResult ' ... End Function 
@@ -37,7 +37,7 @@ Public Class MyController Inherits Controller - ' Compliant: 2MB + ' Compliant: 8MB Public Function PostRequest(Model model) As IActionResult ' ... End Function diff --git a/rules/S5773/csharp/rule.adoc b/rules/S5773/csharp/rule.adoc index 0738f11a8b..4c22de1148 100644 --- a/rules/S5773/csharp/rule.adoc +++ b/rules/S5773/csharp/rule.adoc @@ -9,7 +9,7 @@ During the deserialization process, the state of an object will be reconstructed To restrict the types allowed to be deserialized: * implement a whitelist of safe and required types that can be deserialized. -* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC), this way only objects serialized with the correct MAC hash will be deserialized. +* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized. == Noncompliant Code Example diff --git a/rules/S5773/description.adoc b/rules/S5773/description.adoc index 8646aa059a..3ab08a1336 100644 --- a/rules/S5773/description.adoc +++ b/rules/S5773/description.adoc @@ -2,7 +2,7 @@ Failure to control types during deserialization can lead to runtime errors and vulnerabilities. There are many types, called "gadgets" which are known to be dangerous when deserializing. All languages ​​are affected and the most in-depth studies have been carried out for: -* PHP: https://github.com/ambionics/phpggc[phpgcc] - _library of unserialize() payloads_. +* PHP: https://github.com/ambionics/phpggc[phpgcc] - _A library of unserialize() payloads_. * Java: https://github.com/frohoff/ysoserial[ysoserial] - _A tool for generating payloads that exploit unsafe Java object deserialization_. * .NET: https://github.com/pwntester/ysoserial.net[ysoserial.net] - _Deserialization payload generator for a variety of .NET formatters_. 
@@ -15,4 +15,4 @@ For example, a well-known attack vector consists in serializing an object of typ To restrict the types allowed to be deserialized: * implement a whitelist of safe and required types that can be deserialized. -* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC), this way only objects serialized with the correct MAC hash will be deserialized. +* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized.
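Review bot: in the S2053 java/rule.adoc hunk, the new intro line has a grammar error: "the hashed password is not salted or use a predictable salt" should read "is not salted or uses a predictable salt". While in that hunk, note that the removed two-argument form `new PBEKeySpec(chars, salt)` never existed in the JDK (the constructors are `(char[])`, `(char[], byte[], int)` and `(char[], byte[], int, int)`), so moving the examples to `new PBEKeySpec(chars, salt, 10000, 256)` is the right fix; but dropping all three `MessageDigest` examples silently narrows the documented scope of the rule to `PBEKeySpec`. If the implementation still flags unsalted `MessageDigest.digest()` calls, keep at least one of those examples; if the rule is now PBEKeySpec-only, say so in the description.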
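Review bot: the comment on the first noncompliant line of S2053 java/rule.adoc, `// Noncompliant, no salt as an argument, will throw an error at the run-time`, is misleading as written: `new PBEKeySpec(chars)` itself succeeds (salt is null, iteration count 0); the failure only happens later, when the spec is passed to a PBKDF2 `SecretKeyFactory`, which rejects a spec without a salt with `InvalidKeySpecException`. Suggest rewording to something like `// Noncompliant, no salt: a PBKDF2 SecretKeyFactory rejects this spec at run time` so readers do not expect the constructor to fail.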
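Review bot: in the S2053 java/rule.adoc Compliant Solution hunk, the random salt is generated but the example stops at building the `PBEKeySpec`; it neither derives the key nor shows that the salt has to be stored next to the hash, and the recommended.adoc hunk in the same patch removes the only bullet that said so. Since the salt is random, a reader copying this snippet cannot verify a password later unless the salt is persisted. Suggest finishing the example, for instance `byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();` followed by `// store salt and hash together; reuse the stored salt when verifying`, so the compliant code is complete end to end.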
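Review bot: in the S2053 recommended.adoc hunk, "The salt should be unique by user password" is ungrammatical; use "The salt must be unique per user password" (or "per stored hash"). The first bullet also reads better as "Use hashing functions that generate their own salt, or generate an unpredictable salt of at least 16 bytes" (16 bytes matches the 128-bit minimum in NIST SP 800-132 and the 16-byte example in rule.adoc, which is good). Consider keeping a shortened form of the deleted storage bullet ("Store the salt alongside the hash and reuse it on verification"), since nothing else in the rule now says what to do with the salt.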
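Review bot: in both S5693 vbnet/rule.adoc hunks only the comment text changes (`' Sensitive: 10MB is more than the recommended limit of 8MB`, `' Compliant: 8MB`); the attribute or setting that actually fixes the request size limit is outside the shown context, so it is not visible whether its value was updated from 2MB to 8MB as well. Please check that the compliant example's limit value and the threshold used by the rule implementation now match the comment, otherwise "Compliant: 8MB" will sit above code that still allows 2MB.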
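Review bot: the S5773 csharp/rule.adoc hunk applies the same one-word punctuation fix that the S5773 description.adoc hunk applies to an identical bullet, which shows that csharp/rule.adoc carries a copy of the description text instead of pulling it in. Consider replacing the duplicated paragraph in csharp/rule.adoc with `include::../description.adoc[]`, the way S2053 java/rule.adoc uses `include::../recommended.adoc[]`, so future wording changes only need to be made once.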
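Review bot: in the first S5773 description.adoc hunk the link text still says `phpgcc` while the URL and the project are `phpggc`; since this line is being touched anyway, fix the link text to `phpggc`. The unchanged context line "All languages ​​are affected" also carries invisible zero-width characters between "languages" and "are" (visible as a doubled gap in the rendered text); worth stripping in the same commit.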
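Review bot: in the last S5773 description.adoc hunk the sentence split is an improvement, but two wording issues remain on the same line: "or/and" should be "and/or", and "the correct MAC hash" is imprecise because a MAC is not a hash; suggest "only objects serialized with a valid MAC (tag) will be deserialized". The same wording fix applies to the duplicated bullet in csharp/rule.adoc.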