ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5304/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

81 lines
2.8 KiB
Plaintext
Raw Permalink Blame History

Using environment variables is security-sensitive. For example, their use has led in the past to the following vulnerabilities:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278[CVE-2014-6278]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3464[CVE-2019-3464]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000402[CVE-2018-1000402]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10530[CVE-2016-10530]
Environment variables are sensitive to injection attacks, just like any other input.
Note also that environment variables can be exposed in multiple ways, storing sensitive information in them should be done carefully:
* on Unix systems environment variables of one process can be read by another process running with the same UID.
* environment variables https://docs.oracle.com/javase/tutorial/essential/environment/env.html[might be forwarded to child processes].
* application running in debug mode often exposes their environment variable.
This rule raises an issue when environment variables are read.
== Ask Yourself Whether
* Environment variables are used without being sanitized.
* You store sensitive information in environment variables and other processes might be able to access them.
You are at risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
Sanitize every environment variable before using its value.
If you store sensitive information in an environment variable, make sure that no other process can access them, i.e. the process runs with a separate user account and child processes don't have access to their parent's environment.
Don't run your application in debug mode if it has access to sensitive information, including environment variables.
== Sensitive Code Example
----
public class Main {
public static void main (String[] args) {
System.getenv(); // Sensitive
System.getenv("myvar"); // Sensitive
ProcessBuilder processBuilder = new ProcessBuilder();
Map<String, String> environment = processBuilder.environment(); // Sensitive
environment.put("VAR", "value");
Runtime.getRuntime().exec("ping", new String[]{"env=val"}); // Sensitive
}
}
----
== See
* CWE - https://cwe.mitre.org/data/definitions/526[CWE-526 - Information Exposure Through Environmental Variables]
* CWE - https://cwe.mitre.org/data/definitions/74[CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Make sure that environment variables are used safely here
'''
== Comments And Links
(visible only on this page)
=== on 27 May 2020, 16:41:25 Eric Therond wrote:
Deprecated because it overlaps with SonarSecurity
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink