ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2608/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

26 lines
1004 B
Plaintext
Raw Permalink Blame History

== Why is this an issue?
Cookie values and the contents of form fields - both visible _and_ hidden - can easily be manipulated by attackers. Therefore, security decisions should not be made based on these inputs.
This rule logs an issue whenever form fields and cookie values are accessed.
=== Noncompliant code example
[source,text]
----
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
Cookie [] cookies = request.getCookies(); // Noncompliant
String hiddenValue = request.getParameter("hiddenField"); // Noncompliant
Map<String,String[]> params = request.getParameterMap(); // Noncompliant
String [] hiddenFieldValues = reqeust.getParameterValues("hiddenArray"); // Noncompliant
----
== Resources
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* CWE - https://cwe.mitre.org/data/definitions/807[CWE-807 - Reliance on Untrusted Inputs in a Security Decision]
Reference in New Issue View Git Blame Copy Permalink