rspec/rules/S5131/java/rule.adoc
2023-03-02 18:07:54 +01:00

include::../summary.adoc[]
== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
include::../threats.adoc[]
== How to fix it?
The following code is vulnerable to cross-site scripting because it returns an HTML response that contains user input.
Third-party data, such as user input, is not to be trusted.
If embedded in HTML code, it should be HTML-encoded to prevent the injection of additional code. This can be done with the https://owasp.org/www-project-java-encoder/[OWASP Java Encoder] or similar libraries.
[cols="a,a"]
|===
|
[source,java]
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
    String data = request.getParameter("input");
    PrintWriter writer = response.getWriter();
    writer.print(data); // Noncompliant
}
----
|
[source,java]
----
import org.owasp.encoder.Encode;
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
    String data = request.getParameter("input");
    PrintWriter writer = response.getWriter();
    writer.print(Encode.forHtml(data));
}
----
|===
If you do not intend to send HTML code to clients, the vulnerability can be fixed by declaring the type of data returned in the response with the content-type header.
For example, setting the content-type to `text/plain` with the `setContentType` method makes it safe to reflect user input, because browsers render the response as plain text instead of parsing it as HTML and executing any script it contains.
[cols="a,a"]
|===
|
[source,java]
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
    String data = request.getParameter("input");
    PrintWriter writer = response.getWriter();
    writer.print(data); // Noncompliant
}
----
|
[source,java]
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
    String data = request.getParameter("input");
    // Set the content type before obtaining the writer: once getWriter has been
    // called, setContentType no longer affects the response character encoding.
    response.setContentType("text/plain");
    PrintWriter writer = response.getWriter();
    writer.print(data);
}
----
|===
=== How does this work?
include::../common/fix/data_encoding.adoc[]
`org.owasp.encoder.Encode.forHtml` is the recommended method for HTML-encoding untrusted data before it is written into HTML content.
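The two fixes above (encoding per output context, and declaring the content type before writing) combined in one servlet. This is an added example, not code from the rule or from the OWASP Java Encoder project; it assumes the `javax.servlet` API and the `org.owasp.encoder` library on the classpath, and the class, the `name` parameter and the sample input are constructed for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;

// Hypothetical servlet: reflects the "name" parameter into three HTML
// contexts, each with the encoder that matches that context.
public class GreetingServlet extends HttpServlet {
    // Builds the page; `name` is untrusted request data.
    static String render(String name) {
        StringBuilder html = new StringBuilder();
        html.append("<!DOCTYPE html><html><body>\n");
        // HTML text content: '<', '>', '&' and quotes become entities, so the
        // browser displays the characters instead of parsing them as tags.
        html.append("<h1>Hello, ").append(Encode.forHtml(name)).append("</h1>\n");
        // Attribute value: forHtmlAttribute also covers the characters that
        // could terminate the attribute or start a new one.
        html.append("<input type=\"text\" value=\"")
            .append(Encode.forHtmlAttribute(name)).append("\">\n");
        // JavaScript string literal inside a <script> block: HTML encoding is
        // the wrong tool here; forJavaScript escapes quotes, backslashes and
        // the characters that could end the script block early.
        html.append("<script>var user = '")
            .append(Encode.forJavaScript(name)).append("';</script>\n");
        html.append("</body></html>\n");
        return html.toString();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name");
        if (name == null) {
            name = "guest";
        }
        // Declare the content type (and charset) before obtaining the writer:
        // setContentType no longer affects the charset once getWriter is called.
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter writer = response.getWriter();
        writer.print(render(name));
    }

    public static void main(String[] args) {
        // Constructed sample that tries to break out of each of the three contexts.
        String hostile = "<script>alert(1)</script>\" onmouseover=\"x' ; alert(2) //";
        System.out.println(render(hostile));
    }
}
```

Running `main` shows that each copy of the input is rendered as inert text in its context; the content-type line is the same fix as the `text/plain` variant above, applied to a response that really is HTML.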
=== Pitfalls
include::../common/pitfalls/content-types.adoc[]
include::../common/pitfalls/validation.adoc[]
=== Going the extra mile
== Resources
=== Documentation
* https://spring.io/guides/gs/securing-web/[Spring.io, Securing a Web Application]
include::../common/resources/articles.adoc[]
include::../common/resources/presentations.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]