Severity | Number of Issues | |
---|---|---|
BLOCKER | 3 | |
CRITICAL | 1 | |
MAJOR | 0 | |
MINOR | 2 |
Rule | Severity | Component | Line | Description | Message |
---|---|---|---|---|---|
squid:S2068 | BLOCKER | modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/DataSourceFactory.java | 66 | Credentials should not be hard-coded | 'PASSWORD' detected in this expression, review this potentially hardcoded credential. |
squid:S2068 | BLOCKER | modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PoolUtilities.java | 25 | Credentials should not be hard-coded | 'PASSWORD' detected in this expression, review this potentially hardcoded credential. |
squid:S2068 | BLOCKER | java/org/apache/tomcat/websocket/Constants.java | 60 | Credentials should not be hard-coded | 'PWD' detected in this expression, review this potentially hardcoded credential. |
squid:S2077 | CRITICAL | modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/PooledConnection.java | 543 | / | Use a variable binding mechanism to construct this query instead of concatenation. |
squid:S1444 | MINOR | java/org/apache/tomcat/jni/Library.java | 109 | "public static" fields should be constant | Make this "public static APR_MINOR_VERSION" field final |
squid:S1148 | MINOR | java/org/apache/el/lang/FunctionMapperImpl.java | 162 | Throwable.printStackTrace(...) should not be called | Use a logger to log this exception. |
Rule | Description |
---|---|
squid:S2658 |
Dynamically loaded classes could contain malicious code executed by a static class initializer. I.E. you wouldn't even have to instantiate or explicitly invoke methods on such classes to be vulnerable to an attack. This rule raises an issue for each use of dynamic class loading. Noncompliant Code ExampleString className = System.getProperty("messageClassName"); Class clazz = Class.forName(className); // Noncompliant See
|
squid:S3369 |
Websphere, Tomcat, and JBoss web servers allow the definition of role-based access to servlets. It may not be granular enough for your purposes, but it's a start, and should be used at least as a base. This rule raises an issue when a web.xml file has no See
|
squid:S2039 |
Failing to explicitly declare the visibility of a member variable could result it in having a visibility you don't expect, and potentially leave it open to unexpected modification by other classes. Noncompliant Code Exampleclass Ball { String color="red"; // Noncompliant } enum A { B; int a; } Compliant Solutionclass Ball { private String color="red"; // Compliant } enum A { B; private int a; } ExceptionsMembers annotated with Guava's class Cone { @VisibleForTesting Logger logger; // Compliant } |
javasecurity:S5135 |
User provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Deserialization based on data supplied by the user could result in two types of attacks:
The problem could be mitigated in any of the following ways:
Noncompliant Code Examplepublic class RequestProcessor { protected void processRequest(HttpServletRequest request) { ServletInputStream sis = request.getInputStream(); ObjectInputStream ois = new ObjectInputStream(sis); Object obj = ois.readObject(); // Noncompliant } } Compliant Solutionpublic class SecureObjectInputStream extends ObjectInputStream { // Constructor here @Override protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException { // Only deserialize instances of AllowedClass if (!osc.getName().equals(AllowedClass.class.getName())) { throw new InvalidClassException("Unauthorized deserialization", osc.getName()); } return super.resolveClass(osc); } } public class RequestProcessor { protected void processRequest(HttpServletRequest request) { ServletInputStream sis = request.getInputStream(); SecureObjectInputStream sois = new SecureObjectInputStream(sis); Object obj = sois.readObject(); } } See
|
javasecurity:S5334 |
Applications that execute code dynamically should neutralize any externally-provided values used to construct the code. Failure to do so could allow an attacker to execute arbitrary code. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access. The mitigation strategy should be based on whitelisting of allowed values or casting to safe types. Noncompliant Code Exampleprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String input = req.getParameter("input"); ScriptEngineManager manager = new ScriptEngineManager(); ScriptEngine engine = manager.getEngineByName("JavaScript"); engine.eval(input); // Noncompliant } Compliant Solutionprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String input = req.getParameter("input"); // Match the input against a whitelist if (!whiteList.contains(input)) throw new IOException(); ScriptEngineManager manager = new ScriptEngineManager(); ScriptEngine engine = manager.getEngineByName("JavaScript"); engine.eval(input); } See
|
javasecurity:S3649 |
User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing SQL queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful SQL injection attacks can read, modify, or delete sensitive information from the database and sometimes even shut it down or execute arbitrary operating system commands. Typically, the solution is to rely on prepared statements rather than string concatenation to inject tainted data into SQL queries, which ensures that they will be properly escaped. This rule supports: JDBC, Java EE Entity Manager, Spring Framework, Hibernate, JDO, Android Database, Apache Torque, Rapidoid. Noncompliant Code Examplepublic boolean authenticate(javax.servlet.http.HttpServletRequest request, java.sql.Connection connection) throws SQLException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String query = "SELECT * FROM users WHERE user = '" + user + "' AND pass = '" + pass + "'"; // Unsafe // If the special value "foo' OR 1=1 --" is passed as either the user or pass, authentication is bypassed // Indeed, if it is passed as a user, the query becomes: // SELECT * FROM users WHERE user = 'foo' OR 1=1 --' AND pass = '...' // As '--' is the comment till end of line syntax in SQL, this is equivalent to: // SELECT * FROM users WHERE user = 'foo' OR 1=1 // which is equivalent to: // SELECT * FROM users WHERE 1=1 // which is equivalent to: // SELECT * FROM users java.sql.Statement statement = connection.createStatement(); java.sql.ResultSet resultSet = statement.executeQuery(query); // Noncompliant return resultSet.next(); } Compliant Solutionpublic boolean authenticate(javax.servlet.http.HttpServletRequest request, java.sql.Connection connection) throws SQLException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String query = "SELECT * FROM users WHERE user = ? AND pass = ?"; // Safe even if authenticate() method is still vulnerable to brute-force attack in this specific case java.sql.PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, user); // Will be properly escaped statement.setString(2, pass); java.sql.ResultSet resultSet = statement.executeQuery(); return resultSet.next(); } See
|
roslyn.sonaranalyzer.security.cs:S2078 |
User provided data such as URL parameters should always be considered as untrusted and tainted. Constructing LDAP names or search filters directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the name or filter itself. Successful LDAP injections attacks can read, modify or delete sensitive information from the directory service. Within LDAP names, the special characters Noncompliant Code Examplepublic class LDAPInjection : Controller { public DirectorySearcher ds { get; set; } // GET /LDAPInjection/Authenticate public IActionResult Authenticate(string user, string pass) { ds.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"; // Noncompliant // If the special value "*)(uid=*))(|(uid=*" is passed as user, authentication is bypassed // Indeed, if it is passed as a user, the filter becomes: // (&(uid=*)(uid=*))(|(uid=*)(userPassword=...)) // as uid=* match all users, it is equivalent to: // (|(uid=*)(userPassword=...)) // again, as uid=* match all users, the filter becomes useless return Content(ds.FindOne() != null ? "success" : "fail"); } } Compliant Solutionpublic class LDAPInjection : Controller { public DirectorySearcher ds { get; set; } // GET /LDAPInjection/Authenticate public IActionResult Authenticate(string user, string pass) { // Restrict the username and password to letters only if (!Regex.IsMatch(user, "^[a-zA-Z]+$") || !Regex.IsMatch(pass, "^[a-zA-Z]+$")) { return BadRequest(); } ds.Filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"; // Now safe return Content(ds.FindOne() != null ? "success" : "fail"); } } See
|
roslyn.sonaranalyzer.security.cs:S3649 |
User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing SQL or SQL-like queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful database query injection attacks can read, modify, or delete sensitive information from the database and sometimes even shut it down or execute arbitrary operating system commands. Typically, the solution is to rely on prepared statements rather than string concatenation to inject tainted data into database queries, which ensures that they will be properly escaped. Noncompliant Code Examplepublic class SqlInjection : Controller { private readonly UsersContext _context; public SqlInjection(UsersContext context) { _context = context; } // GET /SqlInjection/Authenticate public IActionResult Authenticate(string user) { var query = "SELECT * FROM Users WHERE Username = '" + user + "'"; // Unsafe var userExists = _context.Users.FromSql(query).Any(); // Noncompliant // An attacker can bypass authentication by setting user to this special value user = "' or 1=1 or ''='"; return Content(userExists ? "success" : "fail"); } } Compliant Solutionpublic class SqlInjection : Controller { private readonly UsersContext _context; public SqlInjection(UsersContext context) { _context = context; } // GET /SqlInjection/Authenticate public IActionResult Authenticate(string user) { var query = "SELECT * FROM Users WHERE Username = {0}"; // Safe var userExists = _context.Users.FromSql(query, user).Any(); return Content(userExists ? "success" : "fail"); } } See
|
roslyn.sonaranalyzer.security.cs:S2091 |
User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from XML documents. Noncompliant Code Examplepublic class XPathInjection : Controller { public XmlDocument doc { get; set; } // GET /XPathInjection/Authenticate public IActionResult Authenticate(string user, string pass) { String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']"; // Unsafe // An attacker can bypass authentication by setting user to this special value user = "' or 1=1 or ''='"; return Content(doc.SelectSingleNode(expression) != null ? "success" : "fail"); // Noncompliant } } Compliant Solutionpublic class XPathInjection : Controller { public XmlDocument doc { get; set; } // GET /XPathInjection/Authenticate public IActionResult Authenticate(string user, string pass) { // Restrict the username and password to letters only if (!Regex.IsMatch(user, "^[a-zA-Z]+$") || !Regex.IsMatch(pass, "^[a-zA-Z]+$")) { return BadRequest(); } String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']"; // Now safe return Content(doc.SelectSingleNode(expression) != null ? "success" : "fail"); } } See
|
phpsecurity:S2631 |
Evaluating regular expressions against input strings can be an extremely CPU-intensive task. For example, a specially crafted regular expression
such as Evaluating user-provided strings as regular expressions opens the door for Denial Of Service attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users. Noncompliant Code Example$regex = $_GET["regex"]; $input = $_GET["input"]; // Enables attackers to force the web server to evaluate // regex such as "(a+)+" on inputs such as "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" preg_grep ( $regex, $input ); // Noncompliant Compliant Solution$input = $_GET["input"]; preg_grep ( "a+", $input ); // Compliant - use a safe hardcoded regex See
|
phpsecurity:S5135 |
User provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Deserialization based on data supplied by the user could result in two types of attacks:
The problem could be mitigated in any of the following ways:
Noncompliant Code Example$data = $_GET["data"]; $object = unserialize($data); // ... Compliant Solution$data = $_GET["data"]; list($hash, $data) = explode('|', $data, 2); $hash_confirm = hash_hmac("sha256", $data, "secret-key"); // Confirm that the data integrity is not compromised if ($hash === $hash_confirm) { $object = unserialize($data); // ... } See
|
phpsecurity:S2078 |
User provided data such as URL parameters should always be considered as untrusted and tainted. Constructing LDAP names or search filters directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the name or filter itself. Successful LDAP injections attacks can read, modify or delete sensitive information from the directory service. Within LDAP names, the special characters Noncompliant Code Example$user = $_GET["user"]; $pass = $_GET["pass"]; $filter = "(&(uid=" . $user . ")(userPassword=" . $pass . "))"; // Unsafe $ds = ... $basedn = "o=My Company, c=US"; $sr = ldap_list($ds, $basedn, $filter); // Noncompliant Compliant Solutionfunction sanitize_ldap_criteria($val) { $val = str_replace(['\\', '*', '(', ')'], ['\5c', '\2a', '\28', '\29'], $val); for ($i = 0; $i<strlen($val); $i++) { $char = substr($val, $i, 1); if (ord($char)<32) { $hex = dechex(ord($char)); if (strlen($hex) == 1) $hex = '0' . $hex; $val = str_replace($char, '\\' . $hex, $val); } } return $val; } $user = sanitize_ldap_criteria( $_GET["user"] ); $pass = sanitize_ldap_criteria( $_GET["pass"] ); $filter = "(&(uid=" . $user . ")(userPassword=" . $pass . "))"; // Safe $ds = ... $basedn = "o=My Company, c=US"; $sr = ldap_list($ds, $basedn, $filter); See
|
phpsecurity:S5335 |
User provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Constructing include statements based on data supplied by the user could enable an attacker to control which files are included. If the attacker has the ability to upload files to the system, then arbitrary code could be executed. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access. The mitigation strategy should be based on whitelisting of allowed values or casting to safe types. Noncompliant Code Example$filename = $_GET["filename"]; include $filename . ".php"; Compliant Solution$filename = $_GET["filename"]; if (in_array($filename, $whitelist)) { include $filename . ".php"; } See
|
phpsecurity:S2076 |
Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that executes unintended commands or exposes sensitive data. The mitigation strategy should be based on whitelisting of allowed characters or commands. Noncompliant Code Example$binary = $_GET["binary"]; // If the value "/sbin/shutdown" is passed as binary and the web server is running as root, // then the machine running the web server will be shut down and become unavailable for future requests exec( $binary ); // Noncompliant Compliant Solution$binary = $_GET["binary"]; // Restrict to binaries within the current working directory whose name only contains letters $pattern = "[a-zA-Z]++"; if ( preg_match($pattern, $binary) ) { exec( $binary ); // Compliant } See
|
phpsecurity:S5334 |
Applications that execute code dynamically should neutralize any externally-provided values used to construct the code. Failure to do so could allow an attacker to execute arbitrary code. This could enable a wide range of serious attacks like accessing/modifying sensitive information or gain full system access. The mitigation strategy should be based on whitelisting of allowed values or casting to safe types. Noncompliant Code Example$data = $_GET["data"]; eval("echo \$data;"); Compliant Solution$data = $_GET["data"]; if (in_array($data, $whitelist)) { eval("echo \$data;"); } See
|
phpsecurity:S3649 |
User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing SQL queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful SQL injection attacks can read, modify, or delete sensitive information from the database and sometimes even shut it down or execute arbitrary operating system commands. Typically, the solution is to rely on the prepared statements rather than string concatenation, which ensures that user provided data will be properly escaped. This rule supports: Native Database Extensions, PDO, Symfony/Doctrine, Laravel/Eloquent. Noncompliant Code Examplefunction authenticate() { if( isset( $_POST[ 'Connect' ] ) ) { $login = $_POST[ 'login' ]; $pass = $_POST[ 'pass' ]; $query = "SELECT * FROM users WHERE login = '" . $login . "' AND pass = '" . $pass . "'"; // Unsafe // If the special value "foo' OR 1=1 --" is passed as either the user or pass, authentication is bypassed // Indeed, if it is passed as a user, the query becomes: // SELECT * FROM users WHERE user = 'foo' OR 1=1 --' AND pass = '...' // As '--' is the comment till end of line syntax in SQL, this is equivalent to: // SELECT * FROM users WHERE user = 'foo' OR 1=1 // which is equivalent to: // SELECT * FROM users WHERE 1=1 // which is equivalent to: // SELECT * FROM users $con = getDatabaseConnection(); $result = mysqli_query($con, $query); $authenticated = false; if ( $row = mysqli_fetch_row( $result ) ) { $authenticated = true; } mysqli_free_result( $result ); return $authenticated; } } Compliant Solutionfunction authenticate() { if( isset( $_POST[ 'Connect' ] ) ) { $login = $_POST[ 'login' ]; $pass = $_POST[ 'pass' ]; $query = "SELECT * FROM users WHERE login = ? AND pass = ?"; // Safe even if authenticate() method is still vulnerable to brute-force attack in this specific case $stmt = $pdo->prepare($query); $stmt->execute(array($login, $pass)); $authenticated = false; if ( $stmt->rowCount() == 1 ) { $authenticated = true; } return $authenticated; } } See
|
phpsecurity:S2083 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing file
system paths directly from tainted data could enable an attacker to inject specially crafted values, such as A successful attack might give an attacker the ability to read, modify, or delete sensitive information from the file system and sometimes even execute arbitrary operating system commands. This is often referred to as a "path traversal" or "directory traversal" attack. The mitigation strategy should be based on the whitelisting of allowed paths or characters. Noncompliant Code Example$userId = $_GET["userId"]; $fileUUID = $_GET["fileUUID"]; if ( $_SESSION["userId"] == $userId ) { unlink("/storage/" . $userId . "/" . $fileUUID); // Noncompliant } Compliant Solution$userId = (int) $_GET["userId"]; $fileUUID = (int) $_GET["fileUUID"]; if ( $_SESSION["userId"] == $userId ) { unlink("/storage/" . $userId . "/" . $fileUUID); } See
|
phpsecurity:S2091 |
User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from XML documents. Noncompliant Code Example$user = $_GET["user"]; $pass = $_GET["pass"]; $doc = new DOMDocument(); $doc->load("test.xml"); $xpath = new DOMXPath($doc); $expression = "/users/user[@name='" . $user . "' and @pass='" . $pass . "']"; $xpath->evaluate($expression); // Noncompliant Compliant Solution$user = $_GET["user"]; $pass = $_GET["pass"]; $doc = new DOMDocument(); $doc->load("test.xml"); $xpath = new DOMXPath($doc); $user = str_replace("'", "'", $user); $pass = str_replace("'", "'", $pass); $expression = "/users/user[@name='" . $user . "' and @pass='" . $pass . "']"; $xpath->evaluate($expression); // Compliant See
|
objc:S2486 |
When exceptions occur, it is usually a bad idea to simply ignore them. Instead, it is better to handle them properly, or at least to log them. Noncompliant Code Examplevoid save() { try { saveDocument(); } catch (const std::exception& ex) { } } Compliant Solutionvoid save() { try { saveDocument(); } catch (const std::exception& ex) { log << "Exception while saving the document: " << ex.what(); } } See
|
objc:S1081 |
When using legacy C functions, it's up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer overflows. Buffer overflows can cause the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be executed. This rule reports use of the following insecure functions: In such cases, it's better to use an alternate, secure function which allows you to define the maximum number of characters to be written to the buffer:
(Be aware that Noncompliant Code Examplesprintf(str, "%s", message); // Noncompliant strcpy(str, message); // Noncompliant Compliant Solutionsnprintf(str, sizeof(str), "%s", message); strlcpy(str, message, sizeof(str)); strncpy(str, message, sizeof(str) -1); // Leave room for null str[sizeof(str) - 1] = '\0'; // Make sure the string is null-terminated See
|
php:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. Noncompliant Code Example$uname = "steve"; $password = "blue"; connect($uname, $password); Compliant Solution$uname = getEncryptedUser(); $password = getEncryptedPass(); connect($uname, $password); See
|
php:S2278 |
According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:
For similar reasons, RC2 should also be avoided. Noncompliant Code Example<?php $ciphertext = mcrypt_encrypt(MCRYPT_DES, $key, $plaintext, $mode); // Noncompliant // ... $ciphertext = mcrypt_encrypt(MCRYPT_DES_COMPAT, $key, $plaintext, $mode); // Noncompliant // ... $ciphertext = mcrypt_encrypt(MCRYPT_TRIPLEDES, $key, $plaintext, $mode); // Noncompliant // ... $ciphertext = mcrypt_encrypt(MCRYPT_3DES, $key, $plaintext, $mode); // Noncompliant $cipher = "des-ede3-cfb"; // Noncompliant $ciphertext_raw = openssl_encrypt($plaintext, $cipher, $key, $options=OPENSSL_RAW_DATA, $iv); ?> Compliant Solution<?php $ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $plaintext, MCRYPT_MODE_CBC, $iv); ?> See
|
php:S4433 |
An un-authenticated LDAP connection can lead to transactions without access control. Authentication, and with it, access control, are the last line of defense against LDAP injections and should not be disabled. This rule raises an issue when an anonymous LDAP connection is created. Noncompliant Code Example$ldapconn = ldap_connect("ldap.example.com"); if ($ldapconn) { $ldapbind = ldap_bind($ldapconn); // Noncompliant; anonymous authentication, no user/password provided } Compliant Solution$ldaprdn = 'uname'; $ldappass = 'password'; $ldapconn = ldap_connect("ldap.example.com"); if ($ldapconn) { $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass); // Compliant } See
|
c:S1081 |
When using legacy C functions, it's up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer overflows. Buffer overflows can cause the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be executed. This rule reports use of the following insecure functions: In such cases, it's better to use an alternate, secure function which allows you to define the maximum number of characters to be written to the buffer:
(Be aware that Noncompliant Code Examplesprintf(str, "%s", message); // Noncompliant strcpy(str, message); // Noncompliant Compliant Solutionsnprintf(str, sizeof(str), "%s", message); strlcpy(str, message, sizeof(str)); strncpy(str, message, sizeof(str) -1); // Leave room for null str[sizeof(str) - 1] = '\0'; // Make sure the string is null-terminated See
|
vbnet:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. Noncompliant Code ExampleDim username As String = "admin" Dim password As String = "Password123" Dim usernamePassword As String = "user=admin&password=Password123" Dim usernamePassword2 As String = "user=admin&" & "password=" & password Compliant SolutionDim username As String = "admin" Dim password As String = GetEncryptedPassword() Dim usernamePassword As String = String.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword()) See
|
flex:S1951 |
The Noncompliant Code Examplevar val:Number = doCalculation(); trace("Calculation result: " + val); // Noncompliant Compliant Solutionvar val:Number = doCalculation(); See
|
flex:S1444 |
There is no good reason to declare a field "public" and "static" without also declaring it "const". Most of the time this is a kludge to share a
state among several objects. But with this approach, any object can do whatever it wants with the shared state, such as setting it to
Noncompliant Code Examplepublic class Greeter { public static var foo:Foo = new Foo(...); ... } Compliant Solutionpublic class Greeter { public static const FOO:Foo = new Foo(...); ... } See
|
flex:S1442 |
Noncompliant Code Exampleif(unexpectedCondition) { Alert.show("Unexpected Condition"); } See
|
cpp:S2486 |
When exceptions occur, it is usually a bad idea to simply ignore them. Instead, it is better to handle them properly, or at least to log them. Noncompliant Code Examplevoid save() { try { saveDocument(); } catch (const std::exception& ex) { } } Compliant Solutionvoid save() { try { saveDocument(); } catch (const std::exception& ex) { log << "Exception while saving the document: " << ex.what(); } } See
|
cpp:S1081 |
When using legacy C functions, it's up to the developer to make sure the size of the buffer to be written to is large enough to avoid buffer overflows. Buffer overflows can cause the program to crash at a minimum. At worst, a carefully crafted overflow can cause malicious code to be executed. This rule reports use of the following insecure functions: In such cases, it's better to use an alternate, secure function which allows you to define the maximum number of characters to be written to the buffer:
(Be aware that Noncompliant Code Examplesprintf(str, "%s", message); // Noncompliant strcpy(str, message); // Noncompliant Compliant Solutionsnprintf(str, sizeof(str), "%s", message); strlcpy(str, message, sizeof(str)); strncpy(str, message, sizeof(str) -1); // Leave room for null str[sizeof(str) - 1] = '\0'; // Make sure the string is null-terminated See
|
csharpsquid:S2228 |
Debug statements are always useful during development. But include them in production code - particularly in code that runs client-side - and you run the risk of inadvertently exposing sensitive information. Noncompliant Code Exampleprivate void DoSomething() { // ... Console.WriteLine("so far, so good..."); // Noncompliant // ... } ExceptionsThe following are ignored by this rule:
See
|
csharpsquid:S2386 |
This rule raises issues for Noncompliant Code Examplepublic class A { public static string[] strings1 = {"first","second"}; // Noncompliant public static List<String> strings3 = new List<String>(); // Noncompliant // ... } Compliant Solutionpublic class A { protected static string[] strings1 = {"first","second"}; protected static List<String> strings3 = new List<String>(); // ... } ExceptionsNo issue is reported:
See
|
csharpsquid:S4564 |
ASP.Net has a feature to validate HTTP requests to prevent potentially dangerous content to perform a cross-site scripting (XSS) attack. There is no reason to disable this mechanism even if other checks to prevent XXS attacks are in place. This rule raises an issue if a method with parameters is marked with Noncompliant Code Examplepublic class FooBarController : Controller { [HttpPost] // Noncompliant [ValidateInput(false)] public ActionResult Purchase(string input) { return Foo(input); } [HttpPost] // Noncompliant public ActionResult PurchaseSomethingElse(string input) { return Foo(input); } } Compliant Solutionpublic class FooBarController : Controller { [HttpPost] [ValidateInput(true)] // Compliant public ActionResult Purchase(string input) { return Foo(input); } } ExceptionsParameterless methods marked with See
|
csharpsquid:S2278 |
According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:
For similar reasons, RC2 should also be avoided. Noncompliant Code Exampleusing (var tripleDES = new TripleDESCryptoServiceProvider()) //Noncompliant { //... } Compliant Solutionusing (var aes = new AesCryptoServiceProvider()) { //... } See
|
csharpsquid:S4211 |
Transparency attributes, This rule raises an issue when a member is marked with a Noncompliant Code Exampleusing System; using System.Security; namespace MyLibrary { [SecurityCritical] public class Foo { [SecuritySafeCritical] // Noncompliant public void Bar() { } } } Compliant Solutionusing System; using System.Security; namespace MyLibrary { [SecurityCritical] public class Foo { public void Bar() { } } } See
|
csharpsquid:S4212 |
Because serialization constructors allocate and initialize objects, security checks that are present on regular constructors must also be present on a serialization constructor. Failure to do so would allow callers that could not otherwise create an instance to use the serialization constructor to do this. This rule raises an issue when a type implements the Noncompliant Code Exampleusing System; using System.IO; using System.Runtime.Serialization; using System.Runtime.Serialization.Formatters.Binary; using System.Security; using System.Security.Permissions; [assembly: AllowPartiallyTrustedCallersAttribute()] namespace MyLibrary { [Serializable] public class Foo : ISerializable { private int n; [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)] public Foo() { n = -1; } protected Foo(SerializationInfo info, StreamingContext context) // Noncompliant { n = (int)info.GetValue("n", typeof(int)); } void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) { info.AddValue("n", n); } } } Compliant Solutionusing System; using System.IO; using System.Runtime.Serialization; using System.Runtime.Serialization.Formatters.Binary; using System.Security; using System.Security.Permissions; [assembly: AllowPartiallyTrustedCallersAttribute()] namespace MyLibrary { [Serializable] public class Foo : ISerializable { private int n; [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)] public Foo() { n = -1; } [FileIOPermissionAttribute(SecurityAction.Demand, Unrestricted = true)] protected Foo(SerializationInfo info, StreamingContext context) { n = (int)info.GetValue("n", typeof(int)); } void ISerializable.GetObjectData(SerializationInfo info, StreamingContext context) { info.AddValue("n", n); } } } See
|
csharpsquid:S2486 |
When exceptions occur, it is usually a bad idea to simply ignore them. Instead, it is better to handle them properly, or at least to log them. This rule only reports on empty catch clauses that catch generic Noncompliant Code Examplestring text = ""; try { text = File.ReadAllText(fileName); } catch (Exception exc) // Noncompliant { } Compliant Solutionstring text = ""; try { text = File.ReadAllText(fileName); } catch (Exception exc) { logger.Log(exc); } ExceptionsWhen a block contains a comment, it is not considered to be empty. See
|
csharpsquid:S4433 |
An un-authenticated LDAP connection can lead to transactions without access control. Authentication, and with it, access control, are the last line of defense against LDAP injections and should not be disabled. This rule raises an issue when an LDAP connection is created with Noncompliant Code ExampleDirectoryEntry myDirectoryEntry = new DirectoryEntry(adPath); myDirectoryEntry.AuthenticationType = AuthenticationTypes.None; // Noncompliant DirectoryEntry myDirectoryEntry = new DirectoryEntry(adPath, "u", "p", AuthenticationTypes.None); // Noncompliant Compliant SolutionDirectoryEntry myDirectoryEntry = new DirectoryEntry(myADSPath); // Compliant; default DirectoryEntry.AuthenticationType property value is "Secure" since .NET Framework 2.0 DirectoryEntry myDirectoryEntry = new DirectoryEntry(myADSPath, "u", "p", AuthenticationTypes.Secure); See
|
csharpsquid:S4432 |
Encryption algorithms can be used with various modes. Some combinations are not secured:
In both cases, Galois/Counter Mode (GCM) with no padding should be preferred. As the .NET framework doesn't provide this natively, the use of a certified third party lib is recommended. This rule raises an issue when any of the following CipherMode is detected: ECB, CBC, OFB, CFB, CTS. Noncompliant Code ExampleAesManaged aes = new AesManaged { KeySize = 128, BlockSize = 128, Mode = CipherMode.OFB, // Noncompliant Padding = PaddingMode.PKCS7 }; See
|
csharpsquid:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. Noncompliant Code Examplestring username = "admin"; string password = "Password123"; // Noncompliant string usernamePassword = "user=admin&password=Password123"; // Noncompliant string usernamePassword2 = "user=admin&" + "password=" + password; // Noncompliant Compliant Solutionstring username = "admin"; string password = GetEncryptedPassword(); string usernamePassword = string.Format("user={0}&password={1}", GetEncryptedUsername(), GetEncryptedPassword()); See
|
csharpsquid:S3884 |
Specifically, these methods are meant to be called from non-managed code such as a C++ wrapper that then invokes the managed, i.e. C# or VB.NET, code. Noncompliant Code Example[DllImport("ole32.dll")] static extern int CoSetProxyBlanket([MarshalAs(UnmanagedType.IUnknown)]object pProxy, uint dwAuthnSvc, uint dwAuthzSvc, [MarshalAs(UnmanagedType.LPWStr)] string pServerPrincName, uint dwAuthnLevel, uint dwImpLevel, IntPtr pAuthInfo, uint dwCapabilities); public enum RpcAuthnLevel { Default = 0, None = 1, Connect = 2, Call = 3, Pkt = 4, PktIntegrity = 5, PktPrivacy = 6 } public enum RpcImpLevel { Default = 0, Anonymous = 1, Identify = 2, Impersonate = 3, Delegate = 4 } public enum EoAuthnCap { None = 0x00, MutualAuth = 0x01, StaticCloaking = 0x20, DynamicCloaking = 0x40, AnyAuthority = 0x80, MakeFullSIC = 0x100, Default = 0x800, SecureRefs = 0x02, AccessControl = 0x04, AppID = 0x08, Dynamic = 0x10, RequireFullSIC = 0x200, AutoImpersonate = 0x400, NoCustomMarshal = 0x2000, DisableAAA = 0x1000 } [DllImport("ole32.dll")] public static extern int CoInitializeSecurity(IntPtr pVoid, int cAuthSvc, IntPtr asAuthSvc, IntPtr pReserved1, RpcAuthnLevel level, RpcImpLevel impers, IntPtr pAuthList, EoAuthnCap dwCapabilities, IntPtr pReserved3); static void Main(string[] args) { var hres1 = CoSetProxyBlanket(null, 0, 0, null, 0, 0, IntPtr.Zero, 0); // Noncompliant var hres2 = CoInitializeSecurity(IntPtr.Zero, -1, IntPtr.Zero, IntPtr.Zero, RpcAuthnLevel.None, RpcImpLevel.Impersonate, IntPtr.Zero, EoAuthnCap.None, IntPtr.Zero); // Noncompliant } See
|
javascript:DebuggerStatement |
The debugger statement can be placed anywhere in procedures to suspend execution. Using the debugger statement is similar to setting a breakpoint in the code. By definition such statement must absolutely be removed from the source code to prevent any unexpected behavior or added vulnerability to attacks in production. Noncompliant Code Examplefor (i = 1; i<5; i++) { // Print i to the Output window. Debug.write("loop index is " + i); // Wait for user to resume. debugger; } Compliant Solutionfor (i = 1; i<5; i++) { // Print i to the Output window. Debug.write("loop index is " + i); } See
|
javascript:S2819 |
HTML5 adds the ability to send messages to documents served from other domains. According to the specification: Authors should not use the wildcard keyword ( To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time
Noncompliant Code Examplevar myWindow = document.getElementById('myIFrame').contentWindow; myWindow.postMessage(message, "*"); // Noncompliant; how do you know what you loaded in 'myIFrame' is still there? See
|
javascript:S2817 |
The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some browsers. (It is not supported in Firefox or IE.) Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database. Noncompliant Code Examplevar db = window.openDatabase("myDb", "1.0", "Personal secrets stored here", 2*1024*1024); // Noncompliant See
|
javascript:S3271 |
Session storage and local storage are HTML 5 features which allow developers to easily store megabytes of data client-side, as opposed to the 4Kb cookies can accommodate. While useful to speed applications up on the client side, it can be dangerous to store sensitive information this way because the data is not encrypted by default and any script on the page may access it. This rule raises an issue when the Noncompliant Code ExamplelocalStorage.setItem("login", login); // Noncompliant sessionStorage.setItem("sessionId", sessionId); // Noncompliant See
|
javascript:S2611 |
Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. For that reason, this rule raises an issue for each non-relative URL. Noncompliant Code Examplefunction include(url) { var s = document.createElement("script"); s.setAttribute("type", "text/javascript"); s.setAttribute("src", url); document.body.appendChild(s); } include("http://hackers.com/steal.js") // Noncompliant See
|
javascript:S1442 |
Noncompliant Code Exampleif(unexpectedCondition) { alert("Unexpected Condition"); } See
|
abap:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... Noncompliant Code ExampleDATA: password(10) VALUE 'secret123', pwd(10) VALUE 'secret123'. See
|
abap:S1493 |
There are two main reasons to ban dynamic clauses in The first relates to maintainability. One of the nice features of ABAP Design Time is the connection to the data dictionary; you get syntax errors if you try to address table fields that are not present anymore or that have typos. With dynamic SQL, the ability to statically check the code for this type of error is lost. The other more critical reason relates to security. By definition, dynamic clauses make an application susceptible to SQL injection attacks. Noncompliant Code ExampleSELECT (select_clause) FROM (from_clause) CLIENT SPECIFIED INTO <fs> WHERE (where_clause) GROUP BY (groupby_clause) HAVING (having_clause) ORDER BY (orderby_clause). See
|
abap:S5117 |
Every Noncompliant Code ExampleAUTHORITY-CHECK OBJECT 'S_MYOBJ' "Noncompliant ID 'ID1' FIELD myvalue. Compliant SolutionAUTHORITY-CHECK OBJECT 'S_MYOBJ' "Compliant ID 'ID1' FIELD myvalue. IF sy-subrc <> 0. MESSAGE 'NOT AUTHORIZED' TYPE 'E'. ENDIF. ExceptionsNo issue will be raised in the following cases:
AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Compliant ID 'ID1' FIELD myvalue. WRITE 'Test' " WRITE is accepted before checking SY-SUBRC IF SY-SUBRC <> 0. EXIT. ENDIF. AUTHORITY-CHECK OBJECT 'S_MYOBJ' "Compliant ID 'ID1' FIELD myvalue. Tmp = SY-SUBRC " Assigning SY-SUBRC value to a variable. We assume that it will be checked later. IF Tmp <> 0. EXIT. ENDIF. |
abap:S5115 |
Checking logged users' permissions by comparing their name to a hardcoded string can create security vulnerabilities. It prevents system
administrators from changing users' permissions when needed (example: when their account has been compromised). Thus system fields
This rule raises an issue when either of the system fields Noncompliant Code ExampleIF SY-UNAME = 'ALICE'. " Noncompliant ENDIF. CASE SY-UNAME. WHEN 'A'. " Noncompliant ENDCASE. Compliant SolutionAUTHORITY-CHECK OBJECT 'S_CARRID' ID 'CARRID' FIELD mycarrid. IF sy-subrc <> 0. MESSAGE 'Not authorized' TYPE 'E'. ENDIF. |
abap:S1486 |
A Noncompliant Code ExampleIF wv_parallel EQ 'X'. BREAK-POINT. WAIT UNTIL g_nb_return EQ wv_nb_call. ENDIF. Compliant SolutionIF wv_parallel EQ 'X'. WAIT UNTIL g_nb_return EQ wv_nb_call. ENDIF. See
|
squid:S2115 |
Failure to password-protect a database is so careless or naive as to be almost negligent. Databases should always be password protected, but the use of a database connection with an empty password is a clear indication of a database that is not protected. This rule flags database connections with empty passwords. Noncompliant Code ExampleConnection conn = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true", "AppLogin", ""); Connection conn2 = DriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password="); Compliant SolutionDriverManager.getConnection("jdbc:derby:memory:myDB;create=true?user=user&password=password"); DriverManager.getConnection("jdbc:mysql://address=(host=myhost1)(port=1111)(key1=value1)(user=sandy)(password=secret),address=(host=myhost2)(port=2222)(key2=value2)(user=sandy)(password=secret)/db"); DriverManager.getConnection("jdbc:mysql://sandy:secret@[myhost1:1111,myhost2:2222]/db"); String url = "jdbc:postgresql://localhost/test"; Properties props = new Properties(); props.setProperty("user", "fred"); props.setProperty("password", "secret"); DriverManager.getConnection(url, props); See
|
squid:S1148 |
Loggers should be used instead to print
This rule raises an issue when Noncompliant Code Exampletry { /* ... */ } catch(Exception e) { e.printStackTrace(); // Noncompliant } Compliant Solutiontry { /* ... */ } catch(Exception e) { LOGGER.log("context", e); } See
|
squid:S3329 |
In encryption, when Cipher Block Chaining (CBC) is used, the Initialization Vector (IV) must be random and unpredictable. Otherwise, the encrypted value is vulnerable to crypto-analysis attacks such as the "Chosen-Plaintext Attack". An IV value should be associated to one, and only one encryption cycle, because the IV's purpose is to ensure that the same plaintext encrypted twice will yield two different ciphertexts. To that end, IV's should be:
This rule raises an issue when the IV is:
Noncompliant Code Examplepublic class MyCbcClass { public String applyCBC(String strKey, String plainText) { byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8"); /* KEY + IV setting */ IvParameterSpec iv = new IvParameterSpec(bytesIV); SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES"); /* Ciphering */ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant because IV hard coded and cannot vary with each ciphering round byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8")); return DatatypeConverter.printBase64Binary(bytesIV) // IV is typically published + ";" + DatatypeConverter.printBase64Binary(encryptedBytes); } } Compliant Solutionpublic class MyCbcClass { SecureRandom random = new SecureRandom(); public String applyCBC(String strKey, String plainText) { byte[] bytesIV = new byte[16]; random.nextBytes(bytesIV); /* KEY + IV setting */ IvParameterSpec iv = new IvParameterSpec(bytesIV); SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES"); /* Ciphering */ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8")); return DatatypeConverter.printBase64Binary(bytesIV) + ";" + DatatypeConverter.printBase64Binary(encryptedBytes); } } See
|
squid:S4684 |
On one side, Spring MVC automatically bind request parameters to beans declared as arguments of methods annotated with
On the other end, persistent objects ( These two facts combined together can lead to malicious attack: if a persistent object is used as an argument of a method annotated with
For this reason, using In addition to Noncompliant Code Exampleimport javax.persistence.Entity; @Entity public class Wish { Long productId; Long quantity; Client client; } @Entity public class Client { String clientId; String name; String password; } import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @Controller public class WishListController { @PostMapping(path = "/saveForLater") public String saveForLater(Wish wish) { session.save(wish); } @RequestMapping(path = "/saveForLater", method = RequestMethod.POST) public String saveForLater(Wish wish) { session.save(wish); } } Compliant Solutionpublic class WishDTO { Long productId; Long quantity; Long clientId; } import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; @Controller public class PurchaseOrderController { @PostMapping(path = "/saveForLater") public String saveForLater(WishDTO wish) { Wish persistentWish = new Wish(); // do the mapping between "wish" and "persistentWish" [...] session.save(persistentWish); } @RequestMapping(path = "/saveForLater", method = RequestMethod.POST) public String saveForLater(WishDTO wish) { Wish persistentWish = new Wish(); // do the mapping between "wish" and "persistentWish" [...] session.save(persistentWish); } } See
|
squid:S3355 |
Every filter defined in Noncompliant Code Example<filter> <filter-name>DefinedNotUsed</filter-name> <filter-class>com.myco.servlet.ValidationFilter</filter-class> </filter> Compliant Solution<filter> <filter-name>ValidationFilter</filter-name> <filter-class>com.myco.servlet.ValidationFilter</filter-class> </filter> <filter-mapping> <filter-name>ValidationFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> See
|
squid:S2278 |
According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:
For similar reasons, RC2 should also be avoided. Noncompliant Code ExampleCipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding"); Compliant SolutionCipher c = Cipher.getInstance("AES/GCM/NoPadding"); See
|
squid:S2277 |
Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an
issue as soon as a literal value starts with Noncompliant Code ExampleCipher rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding"); Compliant SolutionCipher rsa = javax.crypto.Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING"); See
|
squid:S4424 |
Empty implementations of the This rule raises an issue when an implementation of Noncompliant Code Exampleclass TrustAllManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { // Noncompliant, nothing means trust any client } @Override public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { // Noncompliant, this method never throws exception, it means trust any client LOG.log(Level.SEVERE, ERROR_MESSAGE); } @Override public X509Certificate[] getAcceptedIssuers() { return null; } } See
|
squid:S4423 |
This rule raises an issue when an The recommended value is "TLS" or "DTLS" as it will always use the latest version of the protocol. However an issue will be raised if the bytecode was compiled with JDK7 or an even older version of JDK because they are not alias for TLSv1.2 and DTLSv1.2 but for weaker protocols. Note that calling Noncompliant Code Examplecontext = SSLContext.getInstance("SSL"); // Noncompliant Compliant Solutioncontext = SSLContext.getInstance("TLSv1.2"); See
|
squid:S4426 |
When generating cryptographic keys (or key pairs), it is important to use a key length that provides enough entropy against brute-force attacks.
For the This rule raises an issue when a Blowfish key generator or RSA key-pair generator is initialized with too small a length parameter. Noncompliant Code ExampleKeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); keyGen.init(64); // Noncompliant KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); keyPairGen.initialize(512); // Noncompliant Compliant SolutionKeyGenerator keyGen = KeyGenerator.getInstance("Blowfish"); keyGen.init(128); KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); keyPairGen.initialize(2048); See
|
squid:S3330 |
The When implementing Cross Site Request Forgery (XSRF) protection, a JavaScript-readable session cookie, generally named XSRF-TOKEN, should be created
on the first HTTP GET request. For such a cookie, the Setting the attribute can be done either programmatically, or globally via configuration files. Noncompliant Code ExampleCookie cookie = new Cookie("myCookieName", value); // Noncompliant; by default cookie.isHttpOnly() is returning false Compliant SolutionCookie cookie = new Cookie("myCookieName", value); cookie.setHttpOnly(true); // Compliant See
|
squid:S4435 |
An XML External Entity or XSLT External Entity (XXE) vulnerability can occur when a This rule raises an issue when a Noncompliant Code ExampleTransformer transformer = TransformerFactory.newInstance().newTransformer(); transformer.transform(input, result); Compliant SolutionTransformerFactory factory = TransformerFactory.newInstance(); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); Transformer transformer = factory.newTransformer(); transformer.transform(input, result); or TransformerFactory factory = TransformerFactory.newInstance(); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = factory.newTransformer(); transformer.transform(input, result); See
|
squid:S2258 |
By contract, the Noncompliant Code ExampleNullCipher nc = new NullCipher(); See
|
squid:S4434 |
JNDI supports the deserialization of objects from LDAP directories, which is fundamentally insecure and can lead to remote code execution. This rule raises an issue when an LDAP search query is executed with Noncompliant Code ExampleDirContext ctx = new InitialDirContext(); // ... ctx.search(query, filter, new SearchControls(scope, countLimit, timeLimit, attributes, true, // Noncompliant; allows deserialization deref)); Compliant SolutionDirContext ctx = new InitialDirContext(); // ... ctx.search(query, filter, new SearchControls(scope, countLimit, timeLimit, attributes, false, deref)); See
|
squid:S2254 |
According to the Oracle Java API, the
The session ID it returns is either transmitted in a cookie or a URL parameter so by definition, nothing prevents the end-user from manually updating the value of this session ID in the HTTP request. Here is an example of a updated HTTP header: GET /pageSomeWhere HTTP/1.1 Host: webSite.com User-Agent: Mozilla/5.0 Cookie: JSESSIONID=Hacked_Session_Value'''"> Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions. Noncompliant Code Exampleif(isActiveSession(request.getRequestedSessionId()) ){ ... } See
|
squid:S4433 |
An un-authenticated LDAP connection can lead to transactions without access control. Authentication, and with it, access control, are the last line of defense against LDAP injections and should not be disabled. This rule raises an issue when an LDAP connection is created with Noncompliant Code Example// Set up the environment for creating the initial context Hashtable<String, Object> env = new Hashtable<String, Object>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial"); // Use anonymous authentication env.put(Context.SECURITY_AUTHENTICATION, "none"); // Noncompliant // Create the initial context DirContext ctx = new InitialDirContext(env); Compliant Solution// Set up the environment for creating the initial context Hashtable<String, Object> env = new Hashtable<String, Object>(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial"); // Use simple authentication env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial"); env.put(Context.SECURITY_CREDENTIALS, getLDAPPassword()); // Create the initial context DirContext ctx = new InitialDirContext(env); See
|
squid:S4432 |
The Advanced Encryption Standard (AES) encryption algorithm can be used with various modes. Some combinations are not secured:
In both cases, Galois/Counter Mode (GCM) with no padding should be preferred. This rule raises an issue when a Noncompliant Code ExampleCipher c1 = Cipher.getInstance("AES/ECB/NoPadding"); // Noncompliant Cipher c2 = Cipher.getInstance("AES/CBC/PKCS5Padding"); // Noncompliant Compliant SolutionCipher c = Cipher.getInstance("AES/GCM/NoPadding"); See
|
squid:S2755 |
Allowing external entities in untrusted documents to be processed could lay your systems bare to attackers. Imagine if these entities were parsed: <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> <!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt" >]><foo>&xxe;</foo> If you must parse untrusted XML, the best way to protect yourself is to use a local, static DTD during parsing and ignore any DTD's included in included in the document. This rule raises an issue when any of the following are used without first disabling external entity processing:
To disable external entity processing for To disable external entity processing for To disable external entity processing for Noncompliant Code Example/* Load XML stream and display content */ String maliciousSample = "xxe.xml"; XMLInputFactory factory = XMLInputFactory.newInstance(); try (FileInputStream fis = new FileInputStream(malicousSample)) { // Load XML stream XMLStreamReader xmlStreamReader = factory.createXMLStreamReader(fis); // Noncompliant; reader is vulnerable //... Compliant Solution/* Load XML stream and display content */ String maliciousSample = "xxe.xml"; XMLInputFactory factory = XMLInputFactory.newInstance(); // disable external entities factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE); factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE); try (FileInputStream fis = new FileInputStream(malicousSample)) { // Load XML stream XMLStreamReader xmlStreamReader = factory.createXMLStreamReader(fis); See
|
squid:S2976 |
Using This rule raises an issue when the following steps are taken in immediate sequence:
Note that this rule is automatically disabled when the project's Noncompliant Code ExampleFile tempDir; tempDir = File.createTempFile("", "."); tempDir.delete(); tempDir.mkdir(); // Noncompliant Compliant SolutionPath tempPath = Files.createTempDirectory(""); File tempDir = tempPath.toFile(); See
|
squid:S3510 |
To prevent URL spoofing, Noncompliant Code ExampleSSLContext sslcontext = SSLContext.getInstance( "TLS" ); sslcontext.init(null, new TrustManager[]{new X509TrustManager() { public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }}, new java.security.SecureRandom()); Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String requestedHost, SSLSession remoteServerSession) { return true; // Noncompliant } }).build(); Compliant SolutionSSLContext sslcontext = SSLContext.getInstance( "TLSv1.2" ); sslcontext.init(null, new TrustManager[]{new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} @Override public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {} @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }}, new java.security.SecureRandom()); Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String requestedHost, SSLSession remoteServerSession) { return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant } }).build(); See
|
squid:S3752 |
A For that reason, you should always explicitly list the single HTTP method with which you expect your Noncompliant Code Example@RequestMapping("/greet") // Noncompliant public String greet(String greetee) { Compliant Solution@RequestMapping("/greet", method = GET) public String greet(String greetee) { See
|
squid:S4601 |
URL patterns configured on a This rule raises an issue when: - A pattern is preceded by another that ends with - A pattern without wildcard characters is preceded by another that matches. E.g.: Noncompliant Code Exampleprotected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant .antMatchers("/admin/**").hasRole("ADMIN") .antMatchers("/admin/login").permitAll() // Noncompliant; the pattern "/admin/login" should occurs before "/admin/**" .antMatchers("/**", "/home").permitAll() .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") // Noncompliant; the pattern "/db/**" should occurs before "/**" .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll(); } Compliant Solutionprotected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/resources/**", "/signup", "/about").permitAll() // Compliant .antMatchers("/admin/login").permitAll() .antMatchers("/admin/**").hasRole("ADMIN") // Compliant .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") .antMatchers("/**", "/home").permitAll() // Compliant; "/**" is the last one .and().formLogin().loginPage("/login").permitAll().and().logout().permitAll(); } See
|
squid:S3751 |
A method with a So marking a sensitive method In addition to Noncompliant Code Example@RequestMapping("/greet", method = GET) private String greet(String greetee) { // Noncompliant Compliant Solution@RequestMapping("/greet", method = GET) public String greet(String greetee) { See
|
squid:S2647 |
Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used. Noncompliant Code Example// Using HttpPost from Apache HttpClient String encoding = Base64Encoder.encode ("login:passwd"); org.apache.http.client.methods.HttpPost httppost = new HttpPost(url); httppost.setHeader("Authorization", "Basic " + encoding); // Noncompliant or // Using HttpURLConnection String encoding = Base64.getEncoder().encodeToString(("login:passwd").getBytes(‌"UTF‌​-8"​)); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); conn.setRequestMethod("POST"); conn.setDoOutput(true); conn.setRequestProperty("Authorization", "Basic " + encoding); // Noncompliant See
|
squid:S2653 |
There is no reason to have a This rule raises an issue when a Noncompliant Code Examplepublic class MyServlet extends HttpServlet { public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { if (userIsAuthorized(req)) { updatePrices(req); } } public static void main(String[] args) { // Noncompliant updatePrices(req); } } See
|
squid:S3749 |
Spring Having non-injected members in one of these classes could indicate an attempt to manage state. Because they are singletons, such an attempt is almost guaranteed to eventually expose data from User1's session to User2. This rule raises an issue when a singleton
Noncompliant Code Example@Controller public class HelloWorld { private String name = null; @RequestMapping("/greet", method = GET) public String greet(String greetee) { if (greetee != null) { this.name = greetee; } return "Hello " + this.name; // if greetee is null, you see the previous user's data } } See
|
squid:S1989 |
Even though the signatures for methods in a servlet include This rule checks all exceptions in methods named "do*" are explicitly handled in servlet classes. Noncompliant Code Examplepublic void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { String ip = request.getRemoteAddr(); InetAddress addr = InetAddress.getByName(ip); // Noncompliant; getByName(String) throws UnknownHostException //... } Compliant Solutionpublic void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { try { String ip = request.getRemoteAddr(); InetAddress addr = InetAddress.getByName(ip); //... } catch (UnknownHostException uhex) { //... } } See
|
squid:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... Noncompliant Code ExampleConnection conn = null; try { conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" + "user=steve&password=blue"); // Noncompliant String uname = "steve"; String password = "blue"; conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" + "user=" + uname + "&password=" + password); // Noncompliant java.net.PasswordAuthentication pa = new java.net.PasswordAuthentication("userName", "1234".toCharArray()); // Noncompliant Compliant SolutionConnection conn = null; try { String uname = getEncryptedUser(); String password = getEncryptedPass(); conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" + "user=" + uname + "&password=" + password); See
|
squid:S5344 |
Storing users' passwords in clear-text in a database is definitely not safe as hackers may have read access to all user accounts stored in the database. It's common then to hash passwords and only store these hashes in the database. When running the authentication process, the hash of the password provided by the user is compared to the hash stored in the database. If both matches, the access is granted. This looks like a perfect solution but some algorithms such as MD5 and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160. For this reason, when
Consider using safer alternatives, such as Noncompliant Code Example@Autowired public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception { auth.jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("SELECT * FROM users WHERE username = ?") .passwordEncoder(new StandardPasswordEncoder()); // Noncompliant // OR auth.jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("SELECT * FROM users WHERE username = ?"); // Noncompliant; default uses plain-text // OR auth.userDetailsService(...); // Noncompliant; default uses plain-text // OR auth.userDetailsService(...).passwordEncoder(new StandardPasswordEncoder()); // Noncompliant } Compliant Solution@Autowired public void configureGlobal(AuthenticationManagerBuilder auth, DataSource dataSource) throws Exception { auth.jdbcAuthentication() .dataSource(dataSource) .usersByUsernameQuery("Select * from users where username=?") .passwordEncoder(new BCryptPasswordEncoder()); // or auth.userDetailsService(null).passwordEncoder(new BCryptPasswordEncoder()); } See
|
squid:S4499 |
This rule raises an issue when: - a JavaMail's - a Apache Common Emails's Noncompliant Code ExampleEmail email = new SimpleEmail(); email.setSmtpPort(465); email.setAuthenticator(new DefaultAuthenticator(username, password)); email.setSSLOnConnect(true); // Noncompliant; setSSLCheckServerIdentity(true) should also be called before sending the email email.send(); Properties props = new Properties(); props.put("mail.smtp.host", "smtp.gmail.com"); props.put("mail.smtp.socketFactory.port", "465"); props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); // Noncompliant; Session is created without having "mail.smtp.ssl.checkserveridentity" set to true props.put("mail.smtp.auth", "true"); props.put("mail.smtp.port", "465"); Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() { protected PasswordAuthentication getPasswordAuthentication() { return new PasswordAuthentication("username@gmail.com", "password"); } }); Compliant SolutionEmail email = new SimpleEmail(); email.setSmtpPort(465); email.setAuthenticator(new DefaultAuthenticator(username, password)); email.setSSLOnConnect(true); email.setSSLCheckServerIdentity(true); // Compliant email.send(); Properties props = new Properties(); props.put("mail.smtp.host", "smtp.gmail.com"); props.put("mail.smtp.socketFactory.port", "465"); props.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); props.put("mail.smtp.auth", "true"); props.put("mail.smtp.port", "465"); props.put("mail.smtp.ssl.checkserveridentity", true); // Compliant Session session = Session.getDefaultInstance(props, new javax.mail.Authenticator() { protected PasswordAuthentication getPasswordAuthentication() { return new PasswordAuthentication("username@gmail.com", "password"); } }); See
|
squid:S2070 |
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160. The following APIs are tracked for use of obsolete crypto algorithms: * * * * * * * * * * * * * * * * * Consider using safer alternatives, such as SHA-256, SHA-3 or adaptive one way functions like bcrypt or PBKDF2. Noncompliant Code ExampleMessageDigest md = MessageDigest.getInstance("SHA1"); // Noncompliant Compliant SolutionMessageDigest md = MessageDigest.getInstance("SHA-256"); See
DeprecatedThis rule is deprecated; use S4790 instead. |
squid:S3281 |
Default interceptors, such as application security interceptors, must be listed in the This rule applies to projects that contain JEE Beans (any one of Noncompliant Code Example// file: ejb-interceptors.xml <assembly-descriptor> <interceptor-binding> <!-- should be declared in ejb-jar.xml --> <ejb-name>*</ejb-name> <interceptor-class>com.myco.ImportantInterceptor</interceptor-class><!-- Noncompliant; will NOT be treated as default --> </interceptor-binding> </assembly-descriptor> Compliant Solution// file: ejb-jar.xml <assembly-descriptor> <interceptor-binding> <ejb-name>*</ejb-name> <interceptor-class>com.myco.ImportantInterceptor</interceptor-class> </interceptor-binding> </assembly-descriptor> See
|
squid:S4347 |
The This rule raises an issue when
Noncompliant Code ExampleSecureRandom sr = new SecureRandom(); sr.setSeed(123456L); // Noncompliant int v = sr.next(32); sr = new SecureRandom("abcdefghijklmnop".getBytes("us-ascii")); // Noncompliant v = sr.next(32); Compliant SolutionSecureRandom sr = new SecureRandom(); int v = sr.next(32); See
|
squid:S2089 |
The fields in an HTTP request are putty in the hands of an attacker, and you cannot rely on them to tell you the truth about anything. While it may be safe to store such values after they have been neutralized, decisions should never be made based on their contents. This rule flags uses of the referer header field. Noncompliant Code Examplepublic class MyServlet extends HttpServlet { protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String referer = request.getHeader("referer"); // Noncompliant if(isTrustedReferer(referer)){ //.. } //... } } See
|
squid:S899 |
When the return value of a function call contain the operation status code, this value should be tested to make sure the operation completed successfully. This rule raises an issue when the return values of the following are ignored:
Noncompliant Code Examplepublic void doSomething(File file, Lock lock) { file.delete(); // Noncompliant // ... lock.tryLock(); // Noncompliant } Compliant Solutionpublic void doSomething(File file, Lock lock) { if (!lock.tryLock()) { // lock failed; take appropriate action } if (!file.delete()) { // file delete failed; take appropriate action } } See
|
tsql:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... See
|
tsql:S2070 |
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160. Consider using safer alternatives, such as SHA-256, or SHA-3. Noncompliant Code ExampleSELECT HASHBYTES('SHA1', MyColumn) FROM dbo.MyTable; Compliant SolutionSELECT HASHBYTES('SHA2_256', MyColumn) FROM dbo.MyTable; See
|
csharpsquid:S4426 |
When generating cryptograpic keys (or key pairs), it is important to use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm the key should be at least 2048 bits long. This rule raises an issue when a RSA key-pair generator is initialized with too small a length parameter. Noncompliant Code Exampleusing System; using System.Security.Cryptography; namespace MyLibrary { public class MyCryptoClass { static void Main() { RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(1024); // Noncompliant // ... } } } Compliant Solutionusing System; using System.Security.Cryptography; namespace MyLibrary { public class MyCryptoClass { static void Main() { RSACryptoServiceProvider RSA = new RSACryptoServiceProvider(2048); // ... } } } See
|
csharpsquid:S3330 |
The When implementing Cross Site Request Forgery (XSRF) protection, a JavaScript-readable session cookie, generally named XSRF-TOKEN, should be created
on the first HTTP GET request. For such a cookie, the Setting the attribute can be done either programmatically, or globally via configuration files. Noncompliant Code ExampleHttpCookie myCookie = new HttpCookie("UserSettings"); myCookie.HttpOnly = false; // Noncompliant; explicitly set to false ... Response.Cookies.Add(myCookie); HttpCookie myCookie = new HttpCookie("UserSettings"); // Noncompliant; the default value of 'HttpOnly' is used (=false) ... Response.Cookies.Add(myCookie); Compliant SolutionHttpCookie myCookie = new HttpCookie("UserSettings"); myCookie.HttpOnly = true; // Compliant ... Response.Cookies.Add(myCookie); See
|
csharpsquid:S2070 |
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6. This rule tracks usage of the Consider using safer alternatives, such as SHA-256, or SHA-3. Noncompliant Code Examplevar hashProvider1 = new MD5CryptoServiceProvider(); //Noncompliant var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("MD5"); //Noncompliant var hashProvider3 = new SHA1Managed(); //Noncompliant var hashProvider4 = HashAlgorithm.Create("SHA1"); //Noncompliant Compliant Solutionvar hashProvider1 = new SHA256Managed(); var hashProvider2 = (HashAlgorithm)CryptoConfig.CreateFromName("SHA256Managed"); var hashProvider3 = HashAlgorithm.Create("SHA256Managed"); See
DeprecatedThis rule is deprecated; use S4790 instead. |
php:S2115 |
Failure to password-protect a database is so careless or naive as to be almost negligent. Databases should always be password protected, but the use of a database connection with an empty password is a clear indication of a database that is not protected. This rule flags database connections with empty passwords. Noncompliant Code Example<?php $servername = "localhost"; $username = "AppLogin"; $password = ""; // MySQL $conn = new mysqli($servername, $username, $password); // MySQL $conn = mysqli_connect($servername, $username, $password); // PDO way $conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password); // Oracle $conn = oci_connect($username, $password, "//localhost/orcl"); // MS SQL Server $sqlsrvName = "serverName\sqlexpress"; $sqlsrvConnInfo = array( "Database"=>"myDB", "UID"=>$username, "PWD"=>$password); $conn = sqlsrv_connect( $sqlsrvName, $sqlsrvConnInfo); // PosgreSQL $pgConnInfo = "host=localhost port=5432 dbname=test user=" . $username . " password=" . $password; $conn = pg_connect($pgConnInfo); ?> See
|
php:S2070 |
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160. Consider using safer alternatives, such as SHA-256, or SHA-3. Noncompliant Code Example$password = ... if (md5($password) === '1f3870be274f6c49b3e31a0c6728957f') { // Noncompliant; md5() hashing algorithm is not secure for password management [...] } if (sha1($password) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') { // Noncompliant; sha1() hashing algorithm is not secure for password management [...] } See
DeprecatedThis rule is deprecated; use S4790 instead. |
php:S2964 |
Noncompliant Code Exampleif (is_bad_ip($requester)) { sleep(5); // Noncompliant } See
|
php:S2053 |
In cryptography, "salt" is extra piece of data which is included in a hashing algorithm. It makes dictionary attacks more difficult. Using a cryptographic hash function without an unpredictable salt increases the likelihood that an attacker will be able to successfully guess a hashed value such as a password with a dictionary attack. This rule raises an issue when a hashing function which has been specifically designed for hashing sensitive data, such as pbkdf2, is used with a non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as sha1 or md5 as these are often used for other purposes. Recommended Secure Coding Practices
Noncompliant Code Examplefunction createMyAccount() { $email = $_GET['email']; $name = $_GET['name']; $password = $_GET['password']; $hash = hash_pbkdf2('sha256', $password, $email, 100000); // Noncompliant; salt (3rd argument) is predictable because initialized with the provided $email $hash = hash_pbkdf2('sha256', $password, '', 100000); // Noncompliant; salt is empty $hash = hash_pbkdf2('sha256', $password, 'D8VxSmTZt2E2YV454mkqAY5e', 100000); // Noncompliant; salt is hardcoded $hash = crypt($password); // Noncompliant; salt is not provided $hash = crypt($password, ""); // Noncompliant; salt is hardcoded $options = [ 'cost' => 11, 'salt' => mcrypt_create_iv(22, MCRYPT_DEV_URANDOM), // Noncompliant ; use salt generated by default ]; echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options); } Compliant Solution$salt = openssl_random_pseudo_bytes(16); $hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20); See
|
php:S2277 |
Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an
issue when Noncompliant Code Examplefunction encrypt($data, $key) { $crypted=''; openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant return $crypted; } Compliant Solutionfunction encrypt($data, $key) { $crypted=''; openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING); return $crypted; } See
|
php:S3336 |
PHP's
For that reason, it's better to practice a little "tough love" with your users and force them to turn on cookies. Since Noncompliant Code Example; php.ini session.use_trans_sid=1 ; Noncompliant See
|
php:S3337 |
This rule raises an issue when Noncompliant Code Example; php.ini enable_dl=1 ; Noncompliant Compliant Solution; php.ini enable_dl=0 See
|
php:S4423 |
Not all SSL protocols are created equal and some legacy ones like "SSL", have been proven to be insecure. This rule raises an issue when an SSL context is created with an insecure protocol (ie: a protocol different from "TLSv1.2" or "DTLSv1.2"). Noncompliant Code Example$ctx = stream_context_create([ 'ssl' => [ 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT // Noncompliant ], ]); Compliant Solution$ctx = stream_context_create([ 'ssl' => [ 'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT ], ]); See
|
php:S3334 |
This rule raises an issue when either property is explicitly enabled in php.ini and when Noncompliant Code Example; php.ini Noncompliant; allow_url_fopen not explicitly disabled allow_url_include=1 ; Noncompliant Compliant Solution; php.ini allow_url_fopen=0 allow_url_include=0 See
|
php:S4426 |
When generating cryptographic keys (or key pairs), it is important to use a key length that provides enough entropy against brute-force attacks. For the RSA algorithm, it should be at least 2048 bits long. This rule raises an issue when an RSA key-pair generator is initialized with too small a length parameter. Noncompliant Code Example$config = array( "digest_alg" => "sha512", "private_key_bits" => 1024, // Noncompliant "private_key_type" => OPENSSL_KEYTYPE_RSA, ); $res = openssl_pkey_new($config); Compliant Solution$config = array( "digest_alg" => "sha512", "private_key_bits" => 4096, // Compliant "private_key_type" => OPENSSL_KEYTYPE_RSA, ); $res = openssl_pkey_new($config); See
|
php:S3335 |
The This rule raises an issue when when Noncompliant Code Example; php.ini cgi.force_redirect=0 ; Noncompliant See
|
php:S3332 |
Cookies without fixed lifetimes or expiration dates are known as non-persistent, or "session" cookies, meaning they last only as long as the browser session, and poof away when the browser closes. Cookies with expiration dates, "persistent" cookies, are stored/persisted until those dates. Non-persistent cookies should be used for the management of logged-in sessions on web sites. To make a cookie non-persistent, simply omit the
This rule raises an issue when See
|
php:S3333 |
The
This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence
step. This rule raises an issue when Noncompliant Code Example; php.ini try 1 ; open_basedir="${USER}/scripts/data" Noncompliant; commented out ; php.ini try 2 open_basedir="/:${USER}/scripts/data" ; Noncompliant; root directory in the list Compliant Solution; php.ini try 1 open_basedir="${USER}/scripts/data" See
|
php:S3330 |
The Setting the attribute can be done either programmatically, or globally via configuration files. This rule raises an issue:
Noncompliant Code Example; php.ini session.cookie_httponly=false ; Noncompliant; explicitly set to false // file.php setcookie($name, $value, $expire, $path, $domain, $secure, false); // Noncompliant; explicitly set to false See
|
php:S3338 |
This rule raises an issue when Noncompliant Code Example; php.ini file_uploads=1 ; Noncompliant Compliant Solution; php.ini file_uploads=0 See
|
php:S4830 |
Disabling SSL/TLS certificates chain of trust verification is similar to trust every one in the chain and so to expose the application to man-in-the-middle (MITM) attacks. Noncompliant Code Examplecurl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, TRUE); // Noncompliant; TRUE is casted to 1 which is not a secure configuration curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); // and/or curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0); Compliant Solutioncurl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2); // Compliant; default value is 2 to "check the existence of a common name and also verify that it matches the hostname provided" according to PHP's documentation // and/or curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE); // Compliant; default value is TRUE curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1); See
|
javasecurity:S2631 |
Evaluating regular expressions against input strings can be an extremely CPU-intensive task. For example, a specially crafted regular expression
such as Evaluating user-provided strings as regular expressions opens the door for Denial Of Service attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users. Noncompliant Code Examplepublic boolean validate(javax.servlet.http.HttpServletRequest request) { String regex = request.getParameter("regex"); String input = request.getParameter("input"); // Enables attackers to force the web server to evaluate // regex such as "(a+)+" on inputs such as "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" input.matches(regex); // Noncompliant } Compliant Solutionpublic boolean validate(javax.servlet.http.HttpServletRequest request) { String input = request.getParameter("input"); input.matches("a+"); // Compliant - use a safe hardcoded regex } See
|
javasecurity:S5146 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications performing HTTP redirects based on tainted data could enable an attacker to redirect users to a malicious site to, for example, steal login credentials. This problem could be mitigated in any of the following ways:
Noncompliant Code Exampleprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String location = req.getParameter("url"); resp.sendRedirect(location); // Noncompliant } Compliant Solutionprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String location = req.getParameter("url"); // Match the incoming URL against a whitelist if (!urlWhiteList.contains(location)) throw new IOException(); resp.sendRedirect(location); } See
|
javasecurity:S2078 |
User provided data such as URL parameters should always be considered as untrusted and tainted. Constructing LDAP names or search filters directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the name or filter itself. Successful LDAP injections attacks can read, modify or delete sensitive information from the directory service. Within LDAP names, the special characters Noncompliant Code Examplepublic boolean authenticate(javax.servlet.http.HttpServletRequest request, DirContext ctx) throws NamingException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"; // Unsafe // If the special value "*)(uid=*))(|(uid=*" is passed as user, authentication is bypassed // Indeed, if it is passed as a user, the filter becomes: // (&(uid=*)(uid=*))(|(uid=*)(userPassword=...)) // as uid=* match all users, it is equivalent to: // (|(uid=*)(userPassword=...)) // again, as uid=* match all users, the filter becomes useless NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new SearchControls()); // Noncompliant return results.hasMore(); } Compliant Solutionpublic boolean authenticate(javax.servlet.http.HttpServletRequest request, DirContext ctx) throws NamingException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String filter = "(&(uid={0})(userPassword={1}))"; // Safe NamingEnumeration<SearchResult> results = ctx.search("ou=system", filter, new String[]{user, pass}, new SearchControls()); return results.hasMore(); } See
|
javasecurity:S5145 |
User provided data, such as URL parameters, POST data payloads or cookies, should always be considered untrusted and tainted. Applications logging tainted data could enable an attacker to inject characters that would break the log file pattern. This could be used to block monitors and SIEM (Security Information and Event Management) systems from detecting other malicious events. This problem could be mitigated by sanitizing the user provided data before logging it. Noncompliant Code Exampleprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String param1 = req.getParameter("param1"); Logger.info("Param1: " + param1 + " " + Logger.getName()); // Noncompliant // ... } Compliant Solutionprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String param1 = req.getParameter("param1"); // Replace pattern-breaking characters param1 = param1.replaceAll("[\n|\r|\t]", "_"); Logger.info("Param1: " + param1 + " " + Logger.getName()); // ... } See
|
javasecurity:S5167 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications constructing HTTP response headers based on tainted data could allow attackers to inject characters that would be interpreted as a new line in some browsers. This could, for example, enable Cross-Site Scripting (XSS) attacks. Most modern web application frameworks and servers mitigate this type of attack by default, but there might be rare cases where older versions are still vulnerable. As a best practice, applications that use user provided data to construct the response header should always validate the data first. Validation should be based on a whitelist. Noncompliant Code Exampleprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String value = req.getParameter("value"); resp.addHeader("X-Header", value); // Noncompliant // ... } Compliant Solutionprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String value = req.getParameter("value"); // Allow only alphanumeric characters if (!value.matches("[a-zA-Z0-9]++")) throw new IOException(); resp.addHeader("X-Header", value); // ... } See
|
javasecurity:S2076 |
Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that executes unintended commands or exposes sensitive data. The mitigation strategy should be based on whitelisting of allowed characters or commands. Noncompliant Code Examplepublic void run(javax.servlet.http.HttpServletRequest request) throws IOException { String binary = request.getParameter("binary"); // If the value "/sbin/shutdown" is passed as binary and the web server is running as root, // then the machine running the web server will be shut down and become unavailable for future requests Runtime.getRuntime().exec(binary); // Noncompliant } Compliant Solutionpublic void run(javax.servlet.http.HttpServletRequest request) throws IOException { String binary = request.getParameter("binary"); // Restrict to binaries within the current working directory whose name only contains letters if (!binary.matches("[a-zA-Z]++")) { throw new IllegalArgumentException(); } Runtime.getRuntime().exec(binary); } See
|
javasecurity:S5131 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Endpoints reflecting back tainted data could allow attackers to inject code that would eventually be executed in the user's browser. This could enable a wide range of serious attacks like accessing/modifying sensitive information or impersonating other users. Typically, the solution is one of the following:
When sanitizing or encoding data, it is recommended to only use libraries specifically designed for security purposes. Also, make sure that the library you are using is being actively maintained and is kept up-to-date with the latest discovered vulnerabilities. Noncompliant Code Exampleprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String name = req.getParameter("name"); PrintWriter out = resp.getWriter(); out.write("Hello " + name); // Noncompliant } Compliant Solutionprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String name = req.getParameter("name"); String encodedName = org.owasp.encoder.Encode.forHtml(name); PrintWriter out = resp.getWriter(); out.write("Hello " + encodedName); } See
|
javasecurity:S5144 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. A remote server making requests to URLs based on tainted data could enable attackers to make arbitrary requests to the internal network or to the local file system. The problem could be mitigated in any of the following ways:
Noncompliant Code Exampleprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { URL url = new URL(req.getParameter("url")); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); // Noncompliant // ... } Compliant Solutionprotected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { URL url = new URL(req.getParameter("url")); // The safest way is to match the incoming URL against a whitelist if (!urlWhiteList.contains(url.toString())) throw new IOException(); // If whitelisting is not possible, at least make sure that things like file:// and http://localhost are blocked InetAddress inetAddress = InetAddress.getByName(url.getHost()); if (!url.getProtocol().startsWith("http") || inetAddress.isAnyLocalAddress() || inetAddress.isLoopbackAddress() || inetAddress.isLinkLocalAddress()) throw new IOException(); HttpURLConnection conn = (HttpURLConnection) url.openConnection(); // ... } See
|
javasecurity:S2083 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing file
system paths directly from tainted data could enable an attacker to inject specially crafted values, such as A successful attack might give an attacker the ability to read, modify, or delete sensitive information from the file system and sometimes even execute arbitrary operating system commands. This is often referred to as a "path traversal" or "directory traversal" attack. The mitigation strategy should be based on the whitelisting of allowed paths or characters. Noncompliant Code Examplepublic boolean authenticate(javax.servlet.http.HttpServletRequest request) { String user = request.getParameter("user"); // If the special value "../bin" is passed as user, authentication is bypassed // Indeed, if it passed as a user, the path becomes: // /bin // which exists on most Linux / BSD / Mac OS distributions return Files.exists(Paths.get("/home/", user)); // Noncompliant } Compliant Solutionpublic boolean authenticate(javax.servlet.http.HttpServletRequest request) { String user = request.getParameter("user"); // Restrict the username to letters and digits only if (!user.matches("[a-zA-Z0-9]++")) { return false; } return Files.exists(Paths.get("/home/", user)); } See
|
javasecurity:S2091 |
User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from XML documents. Noncompliant Code Examplepublic boolean authenticate(javax.servlet.http.HttpServletRequest request, javax.xml.xpath.XPath xpath, org.w3c.dom.Document doc) throws XPathExpressionException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String expression = "/users/user[@name='" + user + "' and @pass='" + pass + "']"; // Unsafe // An attacker can bypass authentication by setting user to this special value user = "' or 1=1 or ''='"; return (boolean)xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); // Noncompliant } Compliant Solutionpublic boolean authenticate(javax.servlet.http.HttpServletRequest request, javax.xml.xpath.XPath xpath, org.w3c.dom.Document doc) throws XPathExpressionException { String user = request.getParameter("user"); String pass = request.getParameter("pass"); String expression = "/users/user[@name=$user and @pass=$pass]"; xpath.setXPathVariableResolver(v -> { switch (v.getLocalPart()) { case "user": return user; case "pass": return pass; default: throw new IllegalArgumentException(); } }); return (boolean)xpath.evaluate(expression, doc, XPathConstants.BOOLEAN); } See
|
roslyn.sonaranalyzer.security.cs:S2631 |
Evaluating regular expressions against input strings can be an extremely CPU-intensive task. For example, a specially crafted regular expression
such as Evaluating user-provided strings as regular expressions opens the door for Denial Of Service attacks. In the context of a web application, attackers can force the web server to spend all of its resources evaluating regular expressions thereby making the service inaccessible to genuine users. Noncompliant Code Examplepublic class RegexDoS : Controller { // GET /RegexDoS/Validate public IActionResult Validate(string regex, string input) { // Enables attackers to force the web server to evaluate // regex such as "^(a+)+$" on inputs such as "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" bool match = Regex.IsMatch(input, regex); // Noncompliant return Content("Valid? " + match); } } Compliant Solutionpublic class RegexDoS : Controller { // GET /RegexDoS/Validate public IActionResult Validate(string regex, string input) { // Option 1: Use a hardcoded regex bool match = Regex.IsMatch(input, "^a+$"); // Option 2: Set a timeout on the regex's evaluation match = new Regex(regex, RegexOptions.None, TimeSpan.FromMilliseconds(100)).IsMatch(input); return Content("Valid? " + match); } } See
|
roslyn.sonaranalyzer.security.cs:S5146 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications performing HTTP redirects based on tainted data could enable an attacker to redirect users to a malicious site to, for example, steal login credentials. This problem could be mitigated in any of the following ways:
Noncompliant Code Examplepublic class OpenRedirect : Controller { public IActionResult Test(string url) { return Redirect(url); // Noncompliant } } Compliant Solutionpublic class OpenRedirect : Controller { private string[] whiteList = { "https://www.sonarsource.com" }; public IActionResult Test(string url) { // Match the incoming URL against a whitelist if (!whiteList.Contains(url)) { return BadRequest(); } return Redirect(url); } } See
|
roslyn.sonaranalyzer.security.cs:S5145 |
User provided data, such as URL parameters, POST data payloads or cookies, should always be considered untrusted and tainted. Applications logging tainted data could enable an attacker to inject characters that would break the log file pattern. This could be used to block monitors and SIEM (Security Information and Event Management) systems from detecting other malicious events. This problem could be mitigated by sanitizing the user provided data before logging it. Noncompliant Code Examplepublic class LogForging : Controller { public IActionResult Test(string id) { logger.Info("ID: {0}", id); // Noncompliant // ... } } Compliant Solutionpublic class LogForging : Controller { public IActionResult Test(string id) { // Replace pattern-breaking characters id = id.Replace('\n', '_').Replace('\r', '_').Replace('\t', '_'); logger.Info("ID: {0}", id); // ... } } See
|
roslyn.sonaranalyzer.security.cs:S5167 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications constructing HTTP response headers based on tainted data could allow attackers to inject characters that would be interpreted as a new line in some browsers. This could, for example, enable Cross-Site Scripting (XSS) attacks. Most modern web application frameworks and servers mitigate this type of attack by default, but there might be rare cases where older versions are still vulnerable. As a best practice, applications that use user provided data to construct the response header should always validate the data first. Validation should be based on a whitelist. Noncompliant Code Examplestring value = Request.QueryString["value"]; Response.AddHeader("X-Header", value); // Noncompliant Compliant Solutionstring value = Request.QueryString["value"]; // Allow only alphanumeric characters if (value == null || !Regex.IsMatch(value, "^[a-zA-Z0-9]+$")) { throw new Exception("Invalid value"); } Response.AddHeader("X-Header", value); See
|
roslyn.sonaranalyzer.security.cs:S2076 |
Applications that execute operating system commands or execute commands that interact with the underlying system should neutralize any externally-provided values used in those commands. Failure to do so could allow an attacker to include input that executes unintended commands or exposes sensitive data. The mitigation strategy should be based on whitelisting of allowed characters or commands. Noncompliant Code Examplepublic class CommandInjection : Controller { // GET /CommandInjection/Run public IActionResult Run(string binary) { // If the value "/sbin/shutdown" is passed as binary and the web server is running as root, // then the machine running the web server will be shut down and become unavailable for future requests Process p = new Process(); p.StartInfo.FileName = binary; // Noncompliant p.StartInfo.RedirectStandardOutput = true; p.Start(); string output = p.StandardOutput.ReadToEnd(); return Content(output); } } Compliant Solutionpublic class CommandInjection : Controller { // GET /CommandInjection/Run public IActionResult Run(string binary) { // Restrict to binaries within the current working directory whose name only contains letters if (binary == null || !Regex.IsMatch(binary, "^[a-zA-Z]+$")) { return BadRequest(); } Process p = new Process(); p.StartInfo.FileName = binary; // Now safe p.StartInfo.RedirectStandardOutput = true; p.Start(); string output = p.StandardOutput.ReadToEnd(); return Content(output); } } See
|
roslyn.sonaranalyzer.security.cs:S5131 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Endpoints reflecting back tainted data could allow attackers to inject code that would eventually be executed in the user's browser. This could enable a wide range of serious attacks like accessing/modifying sensitive information or impersonating other users. Typically, the solution is one of the following:
When sanitizing or encoding data, it is recommended to only use libraries specifically designed for security purposes. Also, make sure that the library you are using is being actively maintained and is kept up-to-date with the latest discovered vulnerabilities. Noncompliant Code Examplestring name = Request.QueryString["name"]; Response.Write("Hello " + name); // Noncompliant Compliant Solutionstring name = Request.QueryString["name"]; name = System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(name, true); Response.Write("Hello " + name); See
|
roslyn.sonaranalyzer.security.cs:S5144 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. A remote server making requests to URLs based on tainted data could enable attackers to make arbitrary requests to the internal network or to the local file system. The problem could be mitigated in any of the following ways:
Noncompliant Code Examplepublic class SSRF : Controller { public IActionResult Test(string url) { HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // Noncompliant // ... } } Compliant Solutionpublic class SSRF : Controller { private string[] whiteList = { "https://www.sonarsource.com" }; public IActionResult Test(string url) { // Match the incoming URL against a whitelist if (!whiteList.Contains(url)) { return BadRequest(); } HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url); // ... } } See
|
roslyn.sonaranalyzer.security.cs:S2083 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing file
system paths directly from tainted data could enable an attacker to inject specially crafted values, such as A successful attack might give an attacker the ability to read, modify, or delete sensitive information from the file system and sometimes even execute arbitrary operating system commands. This is often referred to as a "path traversal" or "directory traversal" attack. The mitigation strategy should be based on the whitelisting of allowed paths or characters. Noncompliant Code Examplepublic class PathTraversal : Controller { // GET /PathTraversal/Authenticate public IActionResult Authenticate(string user) { bool userExists = System.IO.File.Exists("/home/" + user); // Noncompliant // If the special value "../bin" is passed as user, authentication is bypassed // Indeed, if it passed as a user, the path becomes: // /bin // which exists on most Linux / BSD / Mac OS distributions return Content(userExists ? "success" : "fail"); } } Compliant Solutionpublic class PathTraversal : Controller { // GET /PathTraversal/Authenticate public IActionResult Authenticate(string user) { // Restrict the username to letters and digits only if (!Regex.IsMatch(user, "^[a-zA-Z0-9]+$")) { return BadRequest(); } bool userExists = System.IO.File.Exists("/home/" + user); // Now safe return Content(userExists ? "success" : "fail"); } } See
|
phpsecurity:S5146 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications performing HTTP redirects based on tainted data could enable an attacker to redirect users to a malicious site to, for example, steal login credentials. This problem could be mitigated in any of the following ways:
Noncompliant Code Example$url = $this->request->getQuery("url"); return $this->redirect($url); // Noncompliant Compliant Solution$whitelist = array( "https://www.sonarsource.com/" ); $url = $this->request->getQuery("url"); if (in_array($url, $whitelist)) { return $this->redirect($url); } else { throw new ForbiddenException(); } See
|
phpsecurity:S5145 |
User provided data, such as URL parameters, POST data payloads or cookies, should always be considered untrusted and tainted. Applications logging tainted data could enable an attacker to inject characters that would break the log file pattern. This could be used to block monitors and SIEM (Security Information and Event Management) systems from detecting other malicious events. This problem could be mitigated by sanitizing the user provided data before logging it. Noncompliant Code Example$data = $_GET["data"]; error_log($data); // Noncompliant Compliant Solution$data = $_GET["data"]; $badchars = array("\n", "\r", "\t"); $safedata = str_replace($badchars, "", $data); error_log($safedata); See
|
phpsecurity:S5167 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications constructing HTTP response headers based on tainted data could allow attackers to inject characters that would be interpreted as a new line in some browsers. This could, for example, enable Cross-Site Scripting (XSS) attacks. Most modern web application frameworks and servers mitigate this type of attack by default, but there might be rare cases where older versions are still vulnerable. As a best practice, applications that use user provided data to construct the response header should always validate the data first. Validation should be based on a whitelist. Noncompliant Code Example$value = $_GET["value"]; header("X-Header: $value"); // Noncompliant Compliant Solution$value = $_GET["value"]; if (ctype_alnum($value)) { header("X-Header: $value"); // Compliant } else { // Error } See
|
phpsecurity:S5131 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Endpoints reflecting back tainted data could allow attackers to inject code that would eventually be executed in the user's browser. This could enable a wide range of serious attacks like accessing/modifying sensitive information or impersonating other users. Typically, the solution is one of the following:
When sanitizing or encoding data, it is recommended to only use libraries specifically designed for security purposes. Also, make sure that the library you are using is being actively maintained and is kept up-to-date with the latest discovered vulnerabilities. Noncompliant Code Example$name = $_GET["name"]; echo "Welcome $name"; // Noncompliant Compliant Solution$name = $_GET["name"]; $safename = htmlspecialchars($name); echo "Welcome $safename"; See
|
phpsecurity:S5144 |
User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. A remote server making requests to URLs based on tainted data could enable attackers to make arbitrary requests to the internal network or to the local file system. The problem could be mitigated in any of the following ways:
Noncompliant Code Example$url = $_GET["url"]; $resp = file_get_contents($url); // Noncompliant // ... Compliant Solution$whitelist = array( "https://www.sonarsource.com" ); $url = $_GET["url"]; if (in_array($url, $whitelist)) { $resp = file_get_contents($url); // ... } See
|
cpp:S5184 |
The RAII idiom associates the lifetime of a resource with the lifetime of an object: The resource is acquired when the object is created, and released when it is destroyed. If the object that controls the resource lifetime is a temporary, chances are that it will get destroyed while the resource should still be in use, leading to resource corruption. This rules detects temporaries that look like RAII objects. Noncompliant Code Examplevoid f() { scoped_lock{myMutex}; // Non compliant. The mutex will be locked then immediately unlocked protectedCode(); // This code is not protected by the mutex } Compliant Solutionvoid f() { scoped_lock lock{myMutex}; // Compliant protectedCode(); // The mutex is correctly released at this point } See
|
ruby:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... See
|
scala:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... See
|
cobol:S3394 |
The Noncompliant Code Example01 USER-INPUT PIC X(4). GET-USER-INPUT. MOVE 'N' TO WS-NUMERIC. PERFORM UNTIL WS-NUMERIC = 'Y' DISPLAY 'ENTER YOUR 4 DIGIT RECORD NUMBER: ' NO ADVANCING ACCEPT USER-RECORD *> Noncompliant ExceptionsThis rule ignores uses of See
|
cobol:SQL.SelectWithNoWhereClauseCheck |
Although the Noncompliant Code ExampleSELECT * FROM db_persons INTO us_persons Compliant SolutionSELECT * FROM db_persons INTO us_persons WHERE country IS 'US' ExceptionsNot having a WHERE clause is acceptable in read-only cursors as results are generally sorted and it is possible to stop processing in the middle. |
cobol:SQL.DynamicSqlCheck |
It is a bad practice to use Dynamic SQL. It differs from static embedded SQL in that part or all of the actual SQL commands may be stored in a host variable that is built on the fly during execution of the program. In the extreme case, the SQL commands are generated in their entirety by the application program at run time. While dynamic SQL is more flexible than static embedded SQL, it does require additional overhead and is much more difficult to understand and to maintain. Moreover, dynamic SQL may expose the application to SQL injection vulnerabilities. This rule raises an issue when Noncompliant Code ExampleEXEC SQL PREPARE SEL INTO :SQLDA FROM :STMTBUF END-EXEC. See
|
cobol:S1685 |
Debug statements (ones with 'D' or 'd' in the indicator area) should not be executed in production, but the Noncompliant Code ExampleSOURCE-COMPUTER. IBM-370 WITH DEBUGGING MODE. Compliant SolutionSOURCE-COMPUTER. IBM-370. See
|
cobol:S1686 |
Defining a subprogram to be called at runtime is possible but ill-advised. This extremely powerful feature can quite easily be misused, and even when used correctly, it highly increases the overall complexity of the program, and makes it impossible before runtime to know exactly what will be executed. Therefore defining the subprogram to be called at runtime is a feature that should be avoided. Noncompliant Code ExampleMOVE SOMETHING TO MY_SUBPROG. ... CALL MY_SUBPROG. Compliant Solution01 MY_SUBPROG PIC X(10) VALUE "SUB123". .... CALL MY_SUBPROG. |
cobol:COBOL.DisplayStatementUsageCheck |
The Noncompliant Code ExampleDISPLAY "hello world" *> Noncompliant See
|
plsql:MaskedExceptionCheck |
When exceptions occur, it is usually a bad idea to simply ignore them. Instead, it is better to handle them properly, or at least to log them. Noncompliant Code ExampleSET SERVEROUTPUT ON DECLARE d VARCHAR2(1); BEGIN SELECT dummy INTO d FROM DUAL WHERE dummy = 'Y'; -- Will raise NO_DATA_FOUND DBMS_OUTPUT.PUT_LINE('d = ' || d); EXCEPTION WHEN NO_DATA_FOUND THEN -- Noncompliant, did we really want to mask this exception? NULL; END; / Compliant SolutionSET SERVEROUTPUT ON DECLARE d VARCHAR2(1); BEGIN SELECT dummy INTO d FROM DUAL WHERE dummy = 'Y'; -- Will raise NO_DATA_FOUND DBMS_OUTPUT.PUT_LINE('d = ' || d); EXCEPTION WHEN NO_DATA_FOUND THEN DBMS_OUTPUT.PUT_LINE('Error: No data found'); END; / See
|
typescript:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... Noncompliant Code Exampleconst password = "asdasd"; let my_pwd; my_pwd = "qwerewt"; login({ passwd: "zxvxcv"}); const url = "https://example.com?password=hl2OAIXXZ60"; Compliant Solutionconst password = loadCredentials(); See
|
typescript:S1525 |
The debugger statement can be placed anywhere in procedures to suspend execution. Using the debugger statement is similar to setting a breakpoint in the code. By definition such statement must absolutely be removed from the source code to prevent any unexpected behavior or added vulnerability to attacks in production. Noncompliant Code Examplefor (i = 1; i<5; i++) { // Print i to the Output window. Debug.write("loop index is " + i); // Wait for user to resume. debugger; } Compliant Solutionfor (i = 1; i<5; i++) { // Print i to the Output window. Debug.write("loop index is " + i); } See
|
swift:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. It's recommended to customize the configuration of this rule with additional credential words such as "oauthToken", "secret", ... Noncompliant Code Examplevar post:NSString = "username=Steve&password=123456" // Noncompliant var postData:NSData = post.dataUsingEncoding(NSASCIIStringEncoding)! //... var request:NSMutableURLRequest = NSMutableURLRequest(URL: url) request.HTTPBody = postData //... var urlData: NSData? = NSURLConnection.sendSynchronousRequest(request, returningResponse:&response, error:&reponseError) Compliant Solutionvar post:NSString = "username=\(getEncryptedUser())&password=\(getEncryptedPass())" var postData:NSData = post.dataUsingEncoding(NSASCIIStringEncoding)! //... var request:NSMutableURLRequest = NSMutableURLRequest(URL: url) request.HTTPBody = postData //... var urlData: NSData? = NSURLConnection.sendSynchronousRequest(request, returningResponse:&response, error:&reponseError) See
|
swift:S2070 |
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160. Consider using safer alternatives, such as SHA-256, or SHA-3. Noncompliant Code Examplevar hash = MD5() // Noncompliant "123".sha1() // Noncompliant Compliant Solution"123".sha512() See
|
objc:S1079 |
The By default, there is no restriction on the length of that word, and the developer is required to pass a sufficiently large buffer for storing it. No matter how large the buffer is, there will always be a longer word. Therefore, programs relying on A field width specifier can be used together with the Note that an additional byte is required to store the null terminator. Noncompliant Code Examplechar buffer[10]; scanf("%s", buffer); // Noncompliant - will overflow when a word longer than 9 characters is entered Compliant Solutionchar buffer[10]; scanf("%9s", buffer); // Compliant - will not overflow See
|
c:S1079 |
The By default, there is no restriction on the length of that word, and the developer is required to pass a sufficiently large buffer for storing it. No matter how large the buffer is, there will always be a longer word. Therefore, programs relying on A field width specifier can be used together with the Note that an additional byte is required to store the null terminator. Noncompliant Code Examplechar buffer[10]; scanf("%s", buffer); // Noncompliant - will overflow when a word longer than 9 characters is entered Compliant Solutionchar buffer[10]; scanf("%9s", buffer); // Compliant - will not overflow See
|
cpp:S1079 |
The By default, there is no restriction on the length of that word, and the developer is required to pass a sufficiently large buffer for storing it. No matter how large the buffer is, there will always be a longer word. Therefore, programs relying on A field width specifier can be used together with the Note that an additional byte is required to store the null terminator. Noncompliant Code Examplechar buffer[10]; scanf("%s", buffer); // Noncompliant - will overflow when a word longer than 9 characters is entered Compliant Solutionchar buffer[10]; scanf("%9s", buffer); // Compliant - will not overflow See
|
apex:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. Noncompliant Code ExampleString password = "xxxx"; // Noncompliant Compliant SolutionString password = retrievePassword(); See
|
plsql:S2070 |
The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160. Consider using safer alternatives, such as SHA-256, or SHA-3. Noncompliant Code ExampleDBMS_CRYPTO.Hash(str, HASH_MD4); DBMS_CRYPTO.Hash(str, HASH_MD5); DBMS_CRYPTO.Hash(str, HASH_SH1); See
|
plsql:SysOwnedFunctions |
Some Oracle packages contain powerful SYS-owned functions that can be used to perform malicious operations. For instance,
Most programs do not need those functions and this rule helps identify them in order to prevent security risks. Noncompliant Code ExampleDECLARE c INTEGER; sqltext VARCHAR2(100) := 'ALTER USER system IDENTIFIED BY hacker'; -- Might be injected by the user BEGIN c := SYS.DBMS_SYS_SQL.OPEN_CURSOR(); -- Noncompliant -- Will change 'system' user's password to 'hacker' SYS.DBMS_SYS_SQL.PARSE_AS_USER(c, sqltext, DBMS_SQL.NATIVE, UID); -- Non-Compliant SYS.DBMS_SYS_SQL.CLOSE_CURSOR(c); -- Noncompliant END; / See
|
plsql:S2278 |
According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:
For similar reasons, RC2 should also be avoided. Noncompliant Code ExamplePLS_INTEGER := DBMS_CRYPTO.ENCRYPT_DES + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5; Compliant SolutionPLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5; See
|
kotlin:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. Noncompliant Code Exampleval params = "password=xxxx" // Noncompliant val writer = OutputStreamWriter(getOutputStream()) writer.write(params) writer.flush() ... val password = "xxxx" // Noncompliant ... Compliant Solutionval params = "password=${retrievePassword()}" val writer = OutputStreamWriter(getOutputStream()) writer.write(params) writer.flush() ... val password = retrievePassword() ... See
|
abap:S1492 |
Although the Noncompliant Code ExampleSELECT * FROM db_persons INTO us_persons. Compliant SolutionSELECT * FROM db_persons INTO us_persons WHERE country IS 'US'. Exceptions
SELECT SINGLE * FROM db_persons INTO us_persons. SELECT * FROM db_persons UP TO 1 ROWS INTO us_persons. |
abap:S1674 |
Leaving a Noncompliant Code Exampletry. if ABS( NUMBER ) > 100. write / 'Number is large'. endif. catch CX_SY_ARITHMETIC_ERROR into OREF. endtry. Compliant Solutiontry. if ABS( NUMBER ) > 100. write / 'Number is large'. endif. catch CX_SY_ARITHMETIC_ERROR into OREF. write / OREF->GET_TEXT( ). endtry. ExceptionsWhen a block contains a comment, it is not considered to be empty. See
|
csharpsquid:S1104 |
Public fields in public classes do not respect the encapsulation principle and has three main disadvantages:
By using private fields and public properties (set and get), unauthorized modifications are prevented. Properties also benefit from additional protection (security) features such as Link Demands. Note that due to optimizations on simple properties, public fields provide only very little performance gain. Noncompliant Code Examplepublic class Foo { public int instanceData = 32; // Noncompliant } Compliant Solutionpublic class Foo { private int instanceData = 32; public int InstanceData { get { return instanceData; } set { instanceData = value ; } } } ExceptionsFields marked as Fields inside classes or structs annotated with the See
|
flex:S1465 |
A Noncompliant Code ExamplelocalConnection.allowDomain("*"); Compliant SolutionlocalConnection.allowDomain("www.myDomain.com"); |
flex:S1466 |
The Security.exactSettings value should remain set at the default value of true. Setting this value to false could make the SWF vulnerable to cross-domain attacks. Noncompliant Code ExampleSecurity.exactSettings = false; |
flex:S1468 |
Calling Security.allowDomain("*") lets any domain cross-script into the domain of this SWF and exercise its functionality. Noncompliant Code ExampleSecurity.allowDomain("*"); Compliant SolutionSecurity.allowDomain("www.myDomain.com"); |
go:S1313 |
Hardcoding an IP address into source code is a bad idea for several reasons:
Noncompliant Code Examplevar ( ip = "127.0.0.1" port = 3333 ) SocketClient(ip, port) Compliant Solutionconfig, err := ReadConfig("properties.ini") ip := config["ip"] port := config["ip"] SocketClient(ip, port) See
|
go:S2068 |
Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to end up in the hands of an attacker. This is particularly true for applications that are distributed. Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database. This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list. Noncompliant Code Examplefunc connect() { user := "root" myPassword := "supersecret" // Noncompliant url := "login=" + user + "&passwd=" + myPassword } Compliant Solutionfunc connect() { user := getEncryptedUser() myPassword := getEncryptedPass() // Compliant url := "login=" + user + "&passwd=" + myPassword } See
|
squid:ClassVariableVisibilityCheck |
Public class variable fields do not respect the encapsulation principle and has three main disadvantages:
By using private attributes and accessor methods (set and get), unauthorized modifications are prevented. Noncompliant Code Examplepublic class MyClass { public static final int SOME_CONSTANT = 0; // Compliant - constants are not checked public String firstName; // Noncompliant } Compliant Solutionpublic class MyClass { public static final int SOME_CONSTANT = 0; // Compliant - constants are not checked private String firstName; // Compliant public String getFirstName() { return firstName; } public void setFirstName(String firstName) { this.firstName = firstName; } } ExceptionsBecause they are not modifiable, this rule ignores See
|
squid:S1444 |
There is no good reason to declare a field "public" and "static" without also declaring it "final". Most of the time this is a kludge to share a
state among several objects. But with this approach, any object can do whatever it wants with the shared state, such as setting it to
Noncompliant Code Examplepublic class Greeter { public static Foo foo = new Foo(); ... } Compliant Solutionpublic class Greeter { public static final Foo FOO = new Foo(); ... } See
|
squid:S2384 |
Mutable objects are those whose state can be changed. For instance, an array is mutable, but a String is not. Mutable class members should never be returned to a caller or accepted and stored directly. Doing so leaves you vulnerable to unexpected changes in your class state. Instead use an unmodifiable This rule checks that arrays, collections and Dates are not stored or returned directly. Noncompliant Code Exampleclass A { private String [] strings; public A () { strings = new String[]{"first", "second"}; } public String [] getStrings() { return strings; // Noncompliant } public void setStrings(String [] strings) { this.strings = strings; // Noncompliant } } public class B { private A a = new A(); // At this point a.strings = {"first", "second"}; public void wreakHavoc() { a.getStrings()[0] = "yellow"; // a.strings = {"yellow", "second"}; } } Compliant Solutionclass A { private String [] strings; public A () { strings = new String[]{"first", "second"}; } public String [] getStrings() { return strings.clone(); } public void setStrings(String [] strings) { this.strings = strings.clone(); } } public class B { private A a = new A(); // At this point a.strings = {"first", "second"}; public void wreakHavoc() { a.getStrings()[0] = "yellow"; // a.strings = {"first", "second"}; } } See
|
squid:S2386 |
There is no good reason to have a mutable object as the Similarly, mutable Note that making a mutable field, such as an array, This rule raises issues for Noncompliant Code Examplepublic interface MyInterface { public static String [] strings; // Noncompliant } public class A { public static String [] strings1 = {"first","second"}; // Noncompliant public static String [] strings2 = {"first","second"}; // Noncompliant public static List<String> strings3 = new ArrayList<>(); // Noncompliant // ... } See
|
squid:S3066 |
Noncompliant Code Examplepublic enum Continent { NORTH_AMERICA (23, 24709000), // ... EUROPE (50, 39310000); public int countryCount; // Noncompliant private int landMass; Continent(int countryCount, int landMass) { // ... } public void setLandMass(int landMass) { // Noncompliant this.landMass = landMass; } Compliant Solutionpublic enum Continent { NORTH_AMERICA (23, 24709000), // ... EUROPE (50, 39310000); private int countryCount; private int landMass; Continent(int countryCount, int landMass) { // ... } |
squid:S3374 |
According to the Common Weakness Enumeration, If two validation forms have the same name, the Struts Validator arbitrarily chooses one of the forms to use for input validation and discards the other. This decision might not correspond to the programmer's expectations... In such a case, it is likely that the two forms should be combined. At the very least, one should be removed. Noncompliant Code Example<form-validation> <formset> <form name="BookForm"> ... </form> <form name="BookForm"> ... </form> <!-- Noncompliant --> </formset> </form-validation> Compliant Solution<form-validation> <formset> <form name="BookForm"> ... </form> </formset> </form-validation> See
|
swift:S2278 |
According to the US National Institute of Standards and Technology (NIST), the Data Encryption Standard (DES) is no longer considered secure:
For similar reasons, RC2 should also be avoided. Noncompliant Code Examplelet cryptor = try Cryptor(operation: .encrypt, algorithm: .des, options: [.ecbMode], key: key, iv: []) // Noncompliant let crypt = CkoCrypt2() crypt.CryptAlgorithm = "3des" // Noncompliant Compliant Solutionlet cryptor = try Cryptor(operation: .encrypt, algorithm: .aes, options: [.ecbMode], key: key, iv: []) let crypt = CkoCrypt2() crypt.CryptAlgorithm = "blowfish" See
|
swift:S2950 |
The access level defaults to This rule raises an issue when the access level is not specified on any top-level declaration. Noncompliant Code Exampleclass Foo { // Noncompliant // ... } Compliant Solutionpublic class Foo { // ... } |
typescript:S2228 |
Debug statements are always useful during development. But include them in production code - particularly in code that runs client-side - and you run the risk of inadvertently exposing sensitive information, slowing down the browser, or even erroring-out the site for some users. Noncompliant Code Exampleconsole.log(password_entered); // Noncompliant See
|
Web:AvoidHtmlCommentCheck |
Using HTML-style comments in a page that will be generated or interpolated server-side before being served to the user increases the risk of exposing data that should be kept private. For instance, a developer comment or line of debugging information that's left in a page could easily (and has) inadvertently expose:
Because every other language has its own native comment format, there is no justification for using HTML-style comments in anything other than a pure HTML or XML file. Noncompliant Code Example<% out.write("<!-- ${username} -->"); // Noncompliant %> <!-- <% out.write(userId) %> --> // Noncompliant <!-- #{userPhone} --> // Noncompliant <!-- ${userAddress} --> // Noncompliant <!-- Replace 'world' with name --> // Noncompliant <h2>Hello world!</h2> Compliant Solution<%-- Replace 'world' with name --%> // Compliant <h2>Hello world!</h2> See
|