ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3318/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

24 lines
880 B
Plaintext
Raw Permalink Blame History

== Why is this an issue?
Data in a web session is considered inside the "trust boundary". That is, it is assumed to be trustworthy. But storing unvetted data from an unauthenticated user violates the trust boundary, and may lead to that data being used inappropriately.
This rule raises an issue when data from ``++Cookie++``s or ``++HttpServletRequest++``s is stored in a session.
=== Noncompliant code example
[source,text]
----
login = request.getParameter("login");
session.setAttribute("login", login); // Noncompliant
----
== Resources
* OWASP - https://owasp.org/Top10/A04_2021-Insecure_Design/[Top 10 2021 Category A4 - Insecure Design]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/501[CWE-501 - Trust Boundary Violation]
Reference in New Issue View Git Blame Copy Permalink