
Values passed to HTTP redirects and header fields should be neutralized


    Details

    • Message:
      "xxx" is taken from the request parameters and not sanitized before use.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Targeted languages:
      ABAP, C#, C++, Cobol, Java, JavaScript, Objective-C, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-601
    • OWASP:
      A7
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindBugs:
      HRS_REQUEST_PARAMETER_TO_COOKIE, HRS_REQUEST_PARAMETER_TO_HTTP_HEADER
    • FindSecBugs:
      UNVALIDATED_REDIRECT

      Description

      Web applications that send redirects should neutralize any values taken from a request before using them in redirects. Failing to do so could make it easier for attackers to launch phishing attacks from your site.

      This rule checks that values extracted from a request are not unconditionally used directly in a redirect or other header fields.

      Noncompliant Code Example

      protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // ...
        String url = request.getParameter("url");
        response.sendRedirect(url);  // Noncompliant; request value used directly in redirect
      }

      Compliant Solution

      protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // ...
        String url = request.getParameter("url");
        if (url.matches(OKAY_URL_REGEX)) {
          response.sendRedirect(url);  // Compliant; value used conditionally
        }
      }

      or

      protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // ...
        String url = request.getParameter("url");
        response.sendRedirect(scrubRedirect(url));  // Compliant; method presumed to sanitize input
      }
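      The compliant solutions above presume that scrubRedirect sanitizes its input but do not show how. The following servlet is an added example, not code from the rule specification or from SonarSource, of one way to write such a method: it accepts only local absolute paths or https URLs whose host is on an allowlist, rejects anything else in favour of a fixed default, and also strips CR/LF from request values that are copied into other response headers (the HRS_* pattern listed under FindBugs above). The class name, ALLOWED_HOSTS, DEFAULT_TARGET, neutralizeHeaderValue and the javax.servlet imports are assumptions made for the example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// javax.servlet is assumed here; on newer containers the package is jakarta.servlet.
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeRedirectServlet extends HttpServlet {

  // Hosts this application is willing to redirect to (hypothetical allowlist).
  private static final Set<String> ALLOWED_HOSTS =
      Set.of("www.example.com", "login.example.com");

  // Where the user is sent when the requested target is rejected.
  private static final String DEFAULT_TARGET = "/home";

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // A request value copied into any header is neutralized first.
    response.setHeader("X-Requested-Page",
        neutralizeHeaderValue(request.getParameter("page")));
    // Only a value that survives the allowlist check reaches sendRedirect.
    response.sendRedirect(scrubRedirect(request.getParameter("url")));
  }

  /**
   * Returns the requested target if it is a local absolute path or an https URL
   * on an allowlisted host, otherwise DEFAULT_TARGET. Never returns the raw value.
   */
  static String scrubRedirect(String candidate) {
    if (candidate == null || candidate.isEmpty()) {
      return DEFAULT_TARGET;
    }
    // Control characters (CR, LF, ...) could end the Location header early;
    // such values are rejected outright rather than cleaned.
    for (int i = 0; i < candidate.length(); i++) {
      if (Character.isISOControl(candidate.charAt(i))) {
        return DEFAULT_TARGET;
      }
    }
    URI uri;
    try {
      uri = new URI(candidate).normalize();  // rejects backslashes, spaces, etc.
    } catch (URISyntaxException e) {
      return DEFAULT_TARGET;
    }
    if (uri.getScheme() == null && uri.getRawAuthority() == null) {
      // Relative reference: keep only absolute paths such as "/account";
      // "//other.example/x" has an authority and is handled below.
      String path = uri.getRawPath();
      if (path != null && path.startsWith("/") && !path.startsWith("//")) {
        return uri.toString();
      }
      return DEFAULT_TARGET;
    }
    // Absolute URL: the scheme must be https and the parsed host (not any
    // user-info prefix) must be on the allowlist.
    if ("https".equalsIgnoreCase(uri.getScheme())
        && uri.getHost() != null
        && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase(Locale.ROOT))) {
      return uri.toString();
    }
    return DEFAULT_TARGET;
  }

  /**
   * Removes CR and LF so a request value cannot terminate the header it is
   * placed in and start another one (HTTP response splitting).
   */
  static String neutralizeHeaderValue(String value) {
    return value == null ? "" : value.replaceAll("[\\r\\n]", "");
  }
}
```

      With this implementation, "/account?tab=1" and "https://login.example.com/start" are returned unchanged, while "//other.example/", "https://www.example.com@other.example/", "javascript:alert(1)" and a value containing a newline all fall back to "/home". Parsing with java.net.URI rather than matching a regular expression is deliberate: the host comparison is made on the parsed authority, so user-info and scheme tricks do not reach the allowlist check.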

      See

              People

              Assignee:
              Unassigned
              Reporter:
              ann.campbell.2 Ann Campbell