16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
103 lines
2.8 KiB
Plaintext
103 lines
2.8 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
``++Throwable.printStackTrace(...)++`` prints a Throwable and its stack trace to ``++System.Err++`` (by default) which is not easily parseable and can expose sensitive information:
|
|
|
|
[source,java]
|
|
----
|
|
try {
|
|
/* ... */
|
|
} catch(Exception e) {
|
|
e.printStackTrace(); // Sensitive
|
|
}
|
|
----
|
|
|
|
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html[EnableWebSecurity] annotation for SpringFramework with ``++debug++`` to ``++true++`` enables debugging support:
|
|
|
|
[source,java]
|
|
----
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
|
|
@Configuration
|
|
@EnableWebSecurity(debug = true) // Sensitive
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
// ...
|
|
}
|
|
----
|
|
|
|
https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(true)] for Android enables debugging support:
|
|
|
|
[source,java]
|
|
----
|
|
import android.webkit.WebView;
|
|
|
|
WebView.setWebContentsDebuggingEnabled(true); // Sensitive
|
|
WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(true); // Sensitive
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Loggers should be used (instead of ``++printStackTrace++``) to print throwables:
|
|
|
|
[source,java]
|
|
----
|
|
try {
|
|
/* ... */
|
|
} catch(Exception e) {
|
|
LOGGER.log("context", e);
|
|
}
|
|
----
|
|
|
|
https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html[EnableWebSecurity] annotation for SpringFramework with ``++debug++`` to ``++false++`` disables debugging support:
|
|
|
|
[source,java]
|
|
----
|
|
import org.springframework.context.annotation.Configuration;
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
|
|
|
@Configuration
|
|
@EnableWebSecurity(debug = false)
|
|
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
|
|
// ...
|
|
}
|
|
----
|
|
|
|
https://developer.android.com/reference/android/webkit/WebView#setWebContentsDebuggingEnabled(boolean)[WebView.setWebContentsDebuggingEnabled(false)] for Android disables debugging support:
|
|
[source,java]
|
|
----
|
|
import android.webkit.WebView;
|
|
|
|
WebView.setWebContentsDebuggingEnabled(false);
|
|
WebView.getFactory().getStatics().setWebContentsDebuggingEnabled(false);
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
=== Highlighting
|
|
|
|
debug = true
|
|
|
|
printStackTrace
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|