ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2255/java/rule.adoc
Fred Tingaud 51369b610e
Make sure that includes are always surrounded by empty lines (#2270) 
When an include is not surrounded by empty lines, its content is inlined
on the same line as the adjacent content. That can lead to broken tags
and other display issues.
This PR fixes all such includes and introduces a validation step that
forbids introducing the same problem again.
2023-06-22 10:38:01 +02:00

119 lines
3.5 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
// === javax.servlet ===
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;
public class JavaxServlet {
void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
Cookie cookie = new Cookie("userAccountID", acctID); // Sensitive
response.addCookie(cookie); // Sensitive
}
}
----
----
// === javax.ws ===
import java.util.Date;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
class JavaxWs {
void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
String value, String path, String domain, int version) {
Cookie cookie= new Cookie("name", "value"); // Sensitive
new NewCookie(cookie); // Sensitive
new NewCookie(cookie, comment, maxAge, secure); // Sensitive
new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly); // Sensitive
new NewCookie(name, value); // Sensitive
new NewCookie(name, value, path, domain, version, comment, maxAge, secure); // Sensitive
new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly); // Sensitive
new NewCookie(name, value, path, domain, comment, maxAge, secure); // Sensitive
new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly); // Sensitive
}
}
----
----
// === java.net ===
import java.net.HttpCookie;
class JavaNet {
void httpCookie(HttpCookie hc) {
HttpCookie cookie = new HttpCookie("name", "value"); // Sensitive
cookie.setValue("value"); // Sensitive
}
}
----
----
// === apache.shiro ===
import org.apache.shiro.web.servlet.SimpleCookie;
class ApacheShiro {
void shiroCookie(SimpleCookie cookie) {
SimpleCookie sc = new SimpleCookie(cookie); // Sensitive
cookie.setValue("value"); // Sensitive
}
}
----
----
// === Play ===
import play.mvc.Http.Cookie;
import play.mvc.Http.CookieBuilder;
class Play {
void playCookie() {
CookieBuilder builder = Cookie.builder("name", "value"); // Sensitive
builder.withName("name")
.withValue("value") // Sensitive
.build();
}
}
----
== See
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information
* https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie
* https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side[CERT, FIO52-J.] - Do not store unencrypted sensitive information on the client side
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
=== Highlighting
* the ``++value++`` field, ie the second argument of the ``++new Cookie(...)++`` constructor
or
* the parameter of the ``++setValue++`` call on a Cookie object
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink