Rules Repository: RSPEC-2575

Untrusted data should be escaped before being saved into "HTTP" or "JSP" classes

    Details

    • Message:
      Make sure "xxx" does not contain unescaped malicious values.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Targeted languages:
      ABAP, C#, C, C++, Cobol, Java, Objective-C, PHP, Python, Swift, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Implementation details:
    • CWE:
      CWE-79, CWE-352, CWE-80
    • OWASP:
      A7
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindBugs:
      XSS_REQUEST_PARAMETER_TO_JSP_WRITER, XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER, XSS_REQUEST_PARAMETER_TO_SEND_ERROR

      Description

      In cross-site scripting attacks, attackers insert attack scripts into your pages. Because no system is fool-proof, it may not be enough to screen the data submitted to an application. You should also escape any previously-stored content before sending it to the user, so that malicious code that slipped past your input screening is neutralized before it reaches the browser.

      This rule checks values retrieved from a database or a request parameter and passed to HttpServletRequest.setAttribute(), HttpSession.setAttribute(), HttpServletResponse.sendError(), and to the write methods of the PrintWriter returned from HttpServletResponse.getWriter().

      Noncompliant Code Example

      public String getTaintedValue(Connection con, HttpServletRequest request) throws SQLException {

        PreparedStatement pstmt = null;
        String query = "select TAINTED_VALUE " +
                       "from TAINTED_VALUES where KEY=?";
        try {
          pstmt = con.prepareStatement(query);
          pstmt.setString(1, request.getParameter("key"));  // PreparedStatements escape their inputs, so this incoming value is okay
          ResultSet rs = pstmt.executeQuery();
          while (rs.next()) {
            String taintedValue = rs.getString("TAINTED_VALUE");
            request.setAttribute("taintedValue", taintedValue);  // Noncompliant; this value should be escaped before being sent back to the user.
            return taintedValue;
          }
        } finally {
          if (pstmt != null) {
            pstmt.close();  // release the statement whether or not the query succeeded
          }
        }
        return null;  // no row matched the supplied key
      }
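A compliant counterpart, added here as an illustration rather than code from the rule itself: the stored value is run through an HTML escaper before it is placed on the request. The class name, the hand-written escapeHtml helper and the javax.servlet API on the classpath are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServletRequest;

public class EscapedAttributeExample {
    // Hypothetical helper: escapes the five characters that let text break out of an
    // HTML text or attribute context. A project would normally use a vetted encoder library.
    static String escapeHtml(String s) {
        if (s == null) return null;
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Compliant counterpart of getTaintedValue(): the stored value is escaped before
    // it is placed on the request, so the JSP that renders the attribute receives
    // inert text rather than markup.
    public String getEscapedValue(Connection con, HttpServletRequest request) throws SQLException {
        String query = "select TAINTED_VALUE from TAINTED_VALUES where KEY=?";
        try (PreparedStatement pstmt = con.prepareStatement(query)) {
            pstmt.setString(1, request.getParameter("key"));
            try (ResultSet rs = pstmt.executeQuery()) {
                if (rs.next()) {
                    String safe = escapeHtml(rs.getString("TAINTED_VALUE"));
                    request.setAttribute("taintedValue", safe);  // Compliant: escaped before reaching the JSP
                    return safe;
                }
            }
        }
        return null;  // no row matched the supplied key
    }

    public static void main(String[] args) {
        // Constructed sample of a stored value that contains markup characters.
        System.out.println(escapeHtml("<b>O'Brien & \"Sons\"</b>"));
    }
}
```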
      

          Issue Links: Cobol RSPEC-2766 (Language-Specification, Active, Unassigned)

              People

              Assignee: Unassigned
              Reporter: Ann Campbell (ann.campbell.2)
              Votes: 0
              Watchers: 4
