== Why is this an issue?

Cookie values and the contents of form fields - both visible _and_ hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs. 


This rule logs an issue whenever form fields and cookie values are accessed.


=== Noncompliant code example

[source,text]
----
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
  Cookie [] cookies = request.getCookies(); // Noncompliant
  String hiddenValue = request.getParameter("hiddenField"); // Noncompliant
  Map<String,String[]> params = request.getParameterMap(); // Noncompliant
  String [] hiddenFieldValues = reqeust.getParameterValues("hiddenArray");  // Noncompliant
----


== Resources

* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]