RSPEC-2084

Messages output from a servlet "catch" block should be invariable


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      This message should not vary by circumstance.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Implementation details:
    • CWE:
      CWE-537
    • OWASP:
      A3

      Description

      Clear and communicative error messages help people understand what went wrong and how to correct the problem. However, care must be taken with Servlet error messages because they could expose sensitive information to an attacker: a message that echoes the submitted login or password, or the text of the exception that was thrown, tells an attacker what was accepted, what was rejected and why. Even sending the user's own data back to them in an error message is risky; you never know who else might be looking at the screen.

      This rule checks that the strings used in servlet responses made from catch blocks do not change from call to call, i.e. that they are not built from request parameters, local variables or exception messages. Ideally, such strings would be declared private static final, but that is not enforced by this rule. Logging statements are ignored by this rule: what is written to the server-side log is not sent to the client, although logging credentials is still a bad practice.

      Noncompliant Code Example

      import java.io.IOException;
      import java.util.logging.Level;
      import java.util.logging.Logger;

      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      public class MyServlet extends HttpServlet {
        private static final Logger LOGGER = Logger.getLogger(MyServlet.class.getName());

        protected void doPost(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException {
          String login = null;
          String pword = null;
          try {
            login = request.getParameter("login");
            pword = request.getParameter("password");
            // ... authentication logic that throws LoginFailureException on bad credentials
          }
          catch (LoginFailureException ex) {
            LOGGER.log(Level.INFO, "Login failure for " +
                    login + ", " + pword);  // Compliant (logging is ignored), but not a good idea: credentials end up in the log
            request.setAttribute("error",
                    "Login failed for " + login + // Noncompliant; attacker now knows valid or nearly-valid login
                            " with password " + pword);  // Noncompliant; attacker now knows valid or nearly-valid password
            request.setAttribute("message", ex.getMessage()); // Noncompliant; could contain sensitive data
            getServletContext().getRequestDispatcher("/ErrorPage.jsp")
                    .forward(request, response);
          }
        }
      }
      

      Compliant Solution

      import java.io.IOException;
      import java.util.logging.Level;
      import java.util.logging.Logger;

      import javax.servlet.ServletException;
      import javax.servlet.http.HttpServlet;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      public class MyServlet extends HttpServlet {
        private static final Logger LOGGER = Logger.getLogger(MyServlet.class.getName());

        protected void doPost(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException {
          String login = null;
          String pword = null;
          try {
            login = request.getParameter("login");
            pword = request.getParameter("password");
            // ... authentication logic that throws LoginFailureException on bad credentials
          }
          catch (LoginFailureException ex) {
            LOGGER.log(Level.INFO, "Login failure for " + login);  // Much better: the password is never logged
            request.setAttribute("error", "Login failed");  // Compliant: the same text for every failure
            getServletContext().getRequestDispatcher("/ErrorPage.jsp")
                    .forward(request, response);
          }
        }
      }
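
      The compliant solution above fixes the leak but loses the ability to connect a user's complaint to the matching log entry. The following is an added example, not code from the rule page or from SonarSource, showing how a practitioner usually reconciles the two: the user-facing strings are private static final constants (the form the description calls ideal), every detail of the failure goes to the server-side log, and the two are tied together by a random incident identifier that is generated and attached to the request before the try block, so the catch blocks themselves only ever set constant strings. AuthService, LoginFailureException, the /home redirect target and the use of ErrorPage.jsp to display the incidentId attribute are assumptions for the sake of the example.

```java
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. AuthService and LoginFailureException are assumed application
// classes: authenticate() is assumed to throw LoginFailureException on bad credentials.
public class LoginServlet extends HttpServlet {
  private static final Logger LOGGER = Logger.getLogger(LoginServlet.class.getName());

  // Invariant user-facing messages: the text never depends on input or on the exception.
  private static final String LOGIN_FAILED_MESSAGE =
      "Login failed. Check your credentials and try again.";
  private static final String SERVER_ERROR_MESSAGE =
      "The request could not be processed. Please try again later.";

  @Override
  protected void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String login = request.getParameter("login");
    String password = request.getParameter("password");

    // Opaque, random reference set up before anything can fail. It ties the error page
    // to the server-side log entry without carrying any user data or failure detail,
    // and because it is attached here, the catch blocks below only use constants.
    String incidentId = UUID.randomUUID().toString();
    request.setAttribute("incidentId", incidentId);

    try {
      AuthService.authenticate(login, password); // assumed to throw LoginFailureException
      response.sendRedirect(request.getContextPath() + "/home");
    } catch (LoginFailureException ex) {
      // Detail stays in the log, keyed by the incident id. The password is never logged.
      LOGGER.log(Level.INFO, "Login failure [{0}] for user {1}: {2}",
          new Object[] {incidentId, login, ex.getMessage()});
      forwardError(request, response, LOGIN_FAILED_MESSAGE); // Compliant: constant string
    } catch (RuntimeException ex) {
      // Stack trace and message go to the log only; the client sees a generic message.
      LOGGER.log(Level.SEVERE, "Unexpected error during login [" + incidentId + "]", ex);
      forwardError(request, response, SERVER_ERROR_MESSAGE); // Compliant: constant string
    }
  }

  // The error attribute is always one of the constants above; the incidentId attribute
  // was set before the try block and can be shown on ErrorPage.jsp for support requests.
  private void forwardError(HttpServletRequest request, HttpServletResponse response,
      String message) throws ServletException, IOException {
    request.setAttribute("error", message);
    getServletContext().getRequestDispatcher("/ErrorPage.jsp").forward(request, response);
  }
}
```

      Note that the same constant message is used whether the login does not exist or the password is wrong; a separate "unknown user" message would let an attacker enumerate valid logins just as surely as echoing the login back.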
      
      

      People

      Assignee:
      Unassigned
      Reporter:
      ann.campbell.2 Ann Campbell