rspec/rules/S2656/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529)
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00


== Why is this an issue?
According to the EJB specification:
____
An enterprise bean must not attempt to listen on a socket, accept connections on a socket, or use a socket for multicast.
{empty}...
* The enterprise bean must not attempt to set the socket factory used by ServerSocket, Socket, or the stream handler factory used by URL.
These networking functions are reserved for the EJB container. Allowing the enterprise bean to use these functions could compromise security and decrease the container's ability to properly manage the runtime environment.
____
Since EJBs may be passivated (temporarily serialized at the discretion of the container), using sockets in an EJB could cause resource leaks. Instead, you should work at a higher level and let the container handle such resources.
This rule raises an issue each time a socket is created or retrieved from another class in a servlet class or EJB.
=== Noncompliant code example
[source,java]
----
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  // ...
  Socket sock = null;
  try {
    sock = new Socket(host, 3000); // Noncompliant
    // ...
  } catch (Exception e) {
    // ...
  }
}
----
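As an added illustration, not part of this rule specification or of SonarSource's analyzer, the following Python script is a lightweight, line-based approximation of the check: it flags socket constructors and socket/URL factory overrides, but only inside classes that look like servlets or EJBs. The annotation and base-class markers are assumptions, and the three Java sources are constructed samples.

```python
import re

# Assumed markers for "this class is container-managed" (servlet or EJB).
EJB_ANNOTATIONS = ("@Stateless", "@Stateful", "@Singleton", "@MessageDriven")
SERVLET_BASES = ("HttpServlet", "GenericServlet")

# Socket creation: new Socket(...), new ServerSocket(...), datagram/multicast variants.
SOCKET_NEW = re.compile(
    r"\bnew\s+(?:java\.net\.)?(?:Socket|ServerSocket|DatagramSocket|MulticastSocket)\s*\(")
# Factory overrides the EJB specification explicitly reserves for the container.
FACTORY_CALL = re.compile(
    r"\b(?:Socket|ServerSocket)\.setSocketFactory\s*\(|\bURL\.setURLStreamHandlerFactory\s*\(")
CLASS_DECL = re.compile(r"\bclass\s+\w+(?:\s+extends\s+([\w.]+))?")

def is_managed_component(source: str) -> bool:
    """True if the compilation unit carries an EJB annotation or extends a servlet base."""
    if any(a in source for a in EJB_ANNOTATIONS):
        return True
    m = CLASS_DECL.search(source)
    return bool(m and m.group(1) and m.group(1).split(".")[-1] in SERVLET_BASES)

def find_socket_issues(source: str) -> list:
    """Return (line number, message) for each socket use in a servlet/EJB.
    Plain classes yield nothing, mirroring the rule's scope."""
    if not is_managed_component(source):
        return []
    issues = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments (string literals not handled)
        if SOCKET_NEW.search(code) or FACTORY_CALL.search(code):
            issues.append((lineno, "Remove this use of sockets."))
    return issues

# Constructed samples: a servlet opening a socket, an EJB overriding the
# socket factory, and a plain helper class that is outside the rule's scope.
SERVLET_SRC = """\
import java.net.Socket;
public class LegacyBridgeServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response) {
        Socket sock = null;
        try {
            sock = new Socket(host, 3000); // Noncompliant
        } catch (Exception e) { }
    }
}
"""
EJB_SRC = "@Stateless\npublic class OrderBean {\n  void init() throws Exception {\n" \
          "    ServerSocket.setSocketFactory(new MyFactory());\n  }\n}\n"
PLAIN_SRC = "public class SocketPool {\n  Socket open(String h) throws Exception " \
            "{ return new Socket(h, 3000); }\n}\n"
```

Running `find_socket_issues` over the three samples reports line 6 of the servlet and line 4 of the EJB, and nothing for the plain class.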
== Resources
* CWE - https://cwe.mitre.org/data/definitions/246[CWE-246 - J2EE Bad Practices: Direct Use of Sockets]
* CWE - https://cwe.mitre.org/data/definitions/577[CWE-577 - EJB Bad Practices: Use of Sockets]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Remove this use of sockets.
'''
== Comments And Links
(visible only on this page)
=== relates to: S4818
=== on 20 Jul 2015, 07:36:58 Ann Campbell wrote:
Tagged java-top by Ann [~nicolas.peru]
endif::env-github,rspecator-view[]