ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2255/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

119 lines
3.5 KiB
Plaintext
Raw Permalink Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
// === javax.servlet ===
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;
public class JavaxServlet {
void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
Cookie cookie = new Cookie("userAccountID", acctID); // Sensitive
response.addCookie(cookie); // Sensitive
}
}
----
----
// === javax.ws ===
import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
class JavaxWs {
void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
String value, String path, String domain, int version) {
Cookie cookie= new Cookie("name", "value"); // Sensitive
new NewCookie(cookie); // Sensitive
new NewCookie(cookie, comment, maxAge, secure); // Sensitive
new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly); // Sensitive
new NewCookie(name, value); // Sensitive
new NewCookie(name, value, path, domain, version, comment, maxAge, secure); // Sensitive
new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly); // Sensitive
new NewCookie(name, value, path, domain, comment, maxAge, secure); // Sensitive
new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly); // Sensitive
}
}
----
----
// === java.net ===
import java.net.HttpCookie;
class JavaNet {
void httpCookie(HttpCookie hc) {
HttpCookie cookie = new HttpCookie("name", "value"); // Sensitive
cookie.setValue("value"); // Sensitive
}
}
----
----
// === apache.shiro ===
import org.apache.shiro.web.servlet.SimpleCookie;
class ApacheShiro {
void shiroCookie(SimpleCookie cookie) {
SimpleCookie sc = new SimpleCookie(cookie); // Sensitive
cookie.setValue("value"); // Sensitive
}
}
----
----
// === Play ===
import play.mvc.Http.Cookie;
import play.mvc.Http.CookieBuilder;
class Play {
void playCookie() {
CookieBuilder builder = Cookie.builder("name", "value"); // Sensitive
builder.withName("name")
.withValue("value") // Sensitive
.build();
}
}
----
== See
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/312[CWE-312 - Cleartext Storage of Sensitive Information]
* CWE - https://cwe.mitre.org/data/definitions/315[CWE-315 - Cleartext Storage of Sensitive Information in a Cookie]
* https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side[CERT, FIO52-J.] - Do not store unencrypted sensitive information on the client side
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
=== Highlighting
* the ``++value++`` field, ie the second argument of the ``++new Cookie(...)++`` constructor
or
* the parameter of the ``++setValue++`` call on a Cookie object
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink