Exposing HTTP endpoints is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3072[CVE-2016-3072]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3175[CVE-2015-3175]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0218[CVE-2003-0218]

HTTP endpoints are webservices' main entrypoint. Attackers will take advantage of any vulnerability by sending crafted inputs for headers (including cookies), body and URI. No input should be trusted and extreme care should be taken with all returned value (header, body and status code).


This rule flags code which creates HTTP endpoint. It guides security code reviews to security-sensitive code.

In the case of the Spring framework, methods of a ``++@Controller++`` object annotated with ``++@RequestMapping++`` (or all its variants such as ``++@GetMapping++``, ``++@PostMapping++``, ``++@PutMapping++``, ``++@PatchMapping++`` and ``++@DeleteMapping++``) are declaring HTTP endpoints.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

[source,java]
----
@RequestMapping(path = "/profile", method = RequestMethod.GET) // Noncompliant
public UserProfile getUserProfile(String name) {
...
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Highlighting

The method annotated with @RequestMapping


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]

endif::env-github,rspecator-view[]