16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
118 lines
3.5 KiB
Plaintext
118 lines
3.5 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
// === javax.servlet ===
|
|
import javax.servlet.http.Cookie;
|
|
import javax.servlet.http.HttpServletResponse;
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
|
public class JavaxServlet {
|
|
void aServiceMethodSettingCookie(HttpServletRequest request, HttpServletResponse response, String acctID) {
|
|
Cookie cookie = new Cookie("userAccountID", acctID); // Sensitive
|
|
response.addCookie(cookie); // Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
// === javax.ws ===
|
|
import java.util.Date;
|
|
import javax.ws.rs.core.Cookie;
|
|
import javax.ws.rs.core.NewCookie;
|
|
|
|
class JavaxWs {
|
|
void jaxRsCookie(String comment, int maxAge, boolean secure, Date expiry, boolean httpOnly, String name,
|
|
String value, String path, String domain, int version) {
|
|
Cookie cookie= new Cookie("name", "value"); // Sensitive
|
|
|
|
new NewCookie(cookie); // Sensitive
|
|
new NewCookie(cookie, comment, maxAge, secure); // Sensitive
|
|
new NewCookie(cookie, comment, maxAge, expiry, secure, httpOnly); // Sensitive
|
|
new NewCookie(name, value); // Sensitive
|
|
new NewCookie(name, value, path, domain, version, comment, maxAge, secure); // Sensitive
|
|
new NewCookie(name, value, path, domain, version, comment, maxAge, expiry, secure, httpOnly); // Sensitive
|
|
new NewCookie(name, value, path, domain, comment, maxAge, secure); // Sensitive
|
|
new NewCookie(name, value, path, domain, comment, maxAge, secure, httpOnly); // Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
// === java.net ===
|
|
import java.net.HttpCookie;
|
|
|
|
class JavaNet {
|
|
void httpCookie(HttpCookie hc) {
|
|
HttpCookie cookie = new HttpCookie("name", "value"); // Sensitive
|
|
cookie.setValue("value"); // Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
// === apache.shiro ===
|
|
import org.apache.shiro.web.servlet.SimpleCookie;
|
|
|
|
class ApacheShiro {
|
|
|
|
void shiroCookie(SimpleCookie cookie) {
|
|
SimpleCookie sc = new SimpleCookie(cookie); // Sensitive
|
|
cookie.setValue("value"); // Sensitive
|
|
}
|
|
}
|
|
----
|
|
|
|
----
|
|
// === Play ===
|
|
import play.mvc.Http.Cookie;
|
|
import play.mvc.Http.CookieBuilder;
|
|
|
|
|
|
class Play {
|
|
void playCookie() {
|
|
CookieBuilder builder = Cookie.builder("name", "value"); // Sensitive
|
|
builder.withName("name")
|
|
.withValue("value") // Sensitive
|
|
.build();
|
|
|
|
}
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://cwe.mitre.org/data/definitions/312[MITRE, CWE-312] - Cleartext Storage of Sensitive Information
|
|
* https://cwe.mitre.org/data/definitions/315[MITRE, CWE-315] - Cleartext Storage of Sensitive Information in a Cookie
|
|
* https://wiki.sei.cmu.edu/confluence/display/java/FIO52-J.+Do+not+store+unencrypted+sensitive+information+on+the+client+side[CERT, FIO52-J.] - Do not store unencrypted sensitive information on the client side
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#COOKIE_USAGE[COOKIE_USAGE]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
=== Highlighting
|
|
|
|
* the ``++value++`` field, ie the second argument of the ``++new Cookie(...)++`` constructor
|
|
or
|
|
|
|
* the parameter of the ``++setValue++`` call on a Cookie object
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|