39 lines
1.5 KiB
Plaintext
39 lines
1.5 KiB
Plaintext
Executing code dynamically is security sensitive. It has led in the past to the following vulnerabilities:
|
|
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9807[CVE-2017-9807]
|
|
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9802[CVE-2017-9802]
|
|
|
|
Some APIs enable the execution of dynamic code by providing it as strings at runtime. These APIs might be useful in some very specific meta-programming use-cases. However most of the time their use is frowned upon as they also increase the risk of https://www.owasp.org/index.php/Code_Injection[Injected Code]. Such attacks can either run on the server or in the client (exemple: XSS attack) and have a huge impact on an application's security.
|
|
|
|
|
|
This rule raises an issue when the following commands are used with values concatenated from other tables or use input:
|
|
|
|
* ``++GENERATE SUBROUTINE POOL++``
|
|
* ``++GENERATE DYNPRO++``
|
|
* ``++GENERATE REPORT++``
|
|
* ``++INSERT REPORT ... FROM ...++``
|
|
* ``++READ REPORT ... INTO ...++``
|
|
|
|
This rule does not detect code injections. It only highlights the use of APIs which should be used sparingly and very carefully. The goal is to guide security code reviews.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
user_input = request->get_form_field('dangerous_code').
|
|
GENERATE SUBROUTINE POOL user_input NAME dangerous. "Sensitive
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|