Nightly update

This commit is contained in:
sonartech 2021-02-16 04:11:42 +00:00
parent c4b46ee96c
commit f945d0680a
7 changed files with 14 additions and 41 deletions

View File

@ -38,7 +38,7 @@ class A {
list.stream()
.filter(B.class::isInstance)
.map(B.class::cast)
.map(A::<String>getObject)
.map(B::<String>getObject)
.forEach(System.out::println);
}
}

View File

@ -4,52 +4,27 @@ include::../recommended.adoc[]
== Noncompliant Code Example
Below, the hashed password is not salted:
Below, the hashed password is not salted or use a predictable salt:
----
MessageDigest md = MessageDigest.getInstance("SHA-512");
byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Noncompliant
----
----
MessageDigest md = MessageDigest.getInstance("SHA-512");
md.update(passwordToHash.getBytes(StandardCharsets.UTF_8));
byte[] hashedPassword = md.digest(); // Noncompliant, only one "update()" call and "digest()" without parameters
----
----
MessageDigest md = MessageDigest.getInstance("SHA-512");
byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Noncompliant, no "update()" call
----
----
PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant, no salt as an argument
PBEKeySpec spec = new PBEKeySpec(chars); // Noncompliant, no salt as an argument, will throw an error at the run-time
----
----
byte[] salt = "notrandom".getBytes();
PBEKeySpec spec = new PBEKeySpec(chars, salt); // Noncompliant, predictable salt
PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Noncompliant, predictable salt
----
== Compliant Solution
Use ``++java.security.SecureRandom++`` to produce a unpredictable salt:
Use ``++java.security.SecureRandom++`` to generate an unpredictable salt:
----
MessageDigest md = MessageDigest.getInstance("SHA-512");
SecureRandom random = new SecureRandom();
byte[] salt = new byte[16];
random.nextBytes(salt);
md.update(salt);
byte[] hashedPassword = md.digest(passwordToHash.getBytes(StandardCharsets.UTF_8)); // Compliant
----
----
byte[] salt = this.secureSalt();
PBEKeySpec spec = new PBEKeySpec(chars, salt); // Compliant
PBEKeySpec spec = new PBEKeySpec(chars, salt, 10000, 256); // Compliant
----
include::../see.adoc[]
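Review bot: the Compliant MessageDigest snippet (`md.update(salt); byte[] hashedPassword = md.digest(...)`) generates a random salt but never stores or returns it, so the resulting hash could not be verified later; either show the salt being kept alongside the hash or keep only the PBEKeySpec example as the compliant case. Two wording points in the same hunk: the new intro line should read "is not salted or uses a predictable salt", and the comment "will throw an error at the run-time" on the single-argument `PBEKeySpec(chars)` line is imprecise, since that constructor itself succeeds and the missing salt is only rejected when the spec is handed to a PBKDF2 SecretKeyFactory, so say "throws when a key is derived from it" or similar. Dropping the two redundant noncompliant MessageDigest variants is fine; they exercised the same `digest()` call as the first one.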

View File

@ -1,6 +1,4 @@
== Recommended Secure Coding Practices
* Use hashing functions generating their own salt or generate a long random salt of at least 32 bytes.
* The salt is at least as long as the resulting hash value.
* Provide the salt to a safe hashing function such as PBKDF2.
* Save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result compared to the stored hash.
* Use hashing functions generating their own salt or generate an unpredictable value of at least 16 bytes.
* The salt should be unique by user password.
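Review bot: removing the bullet about saving the salt next to the hash and recomputing with the stored salt at validation time drops the only sentence that explains why the salt must be persisted, and the compliant examples in this same commit rely on that step; keep it, even in a shorter form. "unique by user password" should read "unique per password" (each stored password gets its own salt). Lowering the floor from 32 to 16 bytes is defensible (128 bits of unpredictable salt is the usual minimum), but the old bullet tying salt length to the hash length should not just vanish without the new one stating the actual requirement.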

View File

@ -3,7 +3,7 @@ According to the W3C specifications:
____
A string cannot directly contain a newline. To include a newline in a string, use an escape representing the line feed character in ISO-10646 (U+000A), such as "\A" or "\00000a".
\[...]
{empty}[...]
It is possible to break strings over several lines, for aesthetic or other reasons, but in such a case the newline itself has to be escaped with a backslash (\).

View File

@ -14,7 +14,7 @@ Public Class MyController
<HttpPost>
<DisableRequestSizeLimit> ' Sensitive: No size limit
<RequestSizeLimit(10000000)> ' Sensitive: 10MB is more than the recommended limit of 2MB
<RequestSizeLimit(10000000)> ' Sensitive: 10MB is more than the recommended limit of 8MB
Public Function PostRequest(Model model) As IActionResult
' ...
End Function
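Review bot: with the recommended limit raised to 8MB, the Sensitive example at 10000000 bytes sits only 2MB above it, which makes a weak illustration; use a clearly larger value. The 8MB figure also has to match the threshold in the rule description and in the analyzer itself, neither of which is in this hunk, so check they were changed together.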
@ -37,7 +37,7 @@ Public Class MyController
Inherits Controller
<HttpPost>
<RequestSizeLimit(2000000)> ' Compliant: 2MB
<RequestSizeLimit(8000000)> ' Compliant: 8MB
Public Function PostRequest(Model model) As IActionResult
' ...
End Function
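Review bot: the Compliant value now equals the recommended limit exactly (8000000 against "8MB"). If the analyzer compares strictly, this example will itself be flagged; either pick a value clearly below the limit or confirm the comparison is inclusive.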

View File

@ -9,7 +9,7 @@ During the deserialization process, the state of an object will be reconstructed
To restrict the types allowed to be deserialized:
* implement a whitelist of safe and required types that can be deserialized.
* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC), this way only objects serialized with the correct MAC hash will be deserialized.
* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized.
== Noncompliant Code Example
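Review bot: splitting the run-on into two sentences reads better, but "correct MAC hash" is a misnomer: a MAC yields an authentication tag, not a hash, so write "the correct MAC" or "a valid MAC tag". While touching the bullet, "whitelist" can become "allowlist".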

View File

@ -2,7 +2,7 @@
Failure to control types during deserialization can lead to runtime errors and vulnerabilities. There are many types, called "gadgets" which are known to be dangerous when deserializing. All languages are affected and the most in-depth studies have been carried out for:
* PHP: https://github.com/ambionics/phpggc[phpgcc] - _library of unserialize() payloads_.
* PHP: https://github.com/ambionics/phpggc[phpgcc] - _A library of unserialize() payloads_.
* Java: https://github.com/frohoff/ysoserial[ysoserial] - _A tool for generating payloads that exploit unsafe Java object deserialization_.
* .NET: https://github.com/pwntester/ysoserial.net[ysoserial.net] - _Deserialization payload generator for a variety of .NET formatters_.
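Review bot: the link text still reads "phpgcc" while the URL points at ambionics/phpggc; the project is PHPGGC, so fix the label along with the description.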
@ -15,4 +15,4 @@ For example, a well-known attack vector consists in serializing an object of typ
To restrict the types allowed to be deserialized:
* implement a whitelist of safe and required types that can be deserialized.
* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC), this way only objects serialized with the correct MAC hash will be deserialized.
* or/and implement tamper protection, such as https://en.wikipedia.org/wiki/HMAC[message authentication codes] (MAC). This way only objects serialized with the correct MAC hash will be deserialized.
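Review bot: this is the same sentence edit as in the previous file, carrying the same "MAC hash" wording; since both rule descriptions share the paragraph verbatim, move it into a shared include (the descriptions already pull in fragments via include::) so the next fix does not have to be applied twice.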