ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5131/java/how-to-fix-it/servlet.adoc
Loris S e52b9671b2 Education text Fix (#1338)
2023-03-02 18:22:24 +01:00

83 lines
2.4 KiB
Plaintext
Raw Blame History

=== How to fix it in a Servlet
The following code is vulnerable to cross-site scripting because it returns an HTML response that contains user input.
Third-party data, such as user input, is not to be trusted.
If embedded in HTML code, it should be HTML-encoded to prevent the injection of additional code. This can be done with the https://owasp.org/www-project-java-encoder/[OWASP Java Encoder] or similar libraries.
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
writer.print(data);
}
----
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
----
import org.owasp.encoder.Encode;
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
writer.print(Encode.forHtml(data));
}
----
If you do not intend to send HTML code to clients, the vulnerability can be fixed by specifying the type of data returned in the response with the content-type header.
For example, setting the content-type to `text/plain` with the `setContentType` function allows to safely reflect user input because browsers will not try to parse and execute the response.
==== Noncompliant code example
[source,java,diff-id=2,diff-type=noncompliant]
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
writer.print(data);
}
----
==== Compliant solution
[source,java,diff-id=2,diff-type=compliant]
----
public void endpoint(HttpServletRequest request, HttpServletResponse response) throws IOException
{
String data = request.getParameter("input");
PrintWriter writer = response.getWriter();
response.setContentType("text/plain");
writer.print(data);
}
----
=== How does this work?
include::../../common/fix/data_encoding.adoc[]
`org.owasp.encoder.Encode.forHtml` is the recommended method to encode HTML entities.
=== Pitfalls
include::../../common/pitfalls/content-types.adoc[]
include::../../common/pitfalls/validation.adoc[]
=== Going the extra mile
include::../../common/extra-mile/csp.adoc[]
Reference in New Issue View Git Blame Copy Permalink