RSPEC-3318: Untrusted data should not be stored in sessions

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure the user is authenticated before this data is stored in the session.
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Targeted languages:
      C#, C++, Java, Objective-C, PHP, Python, Swift, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-501
    • OWASP:
      A3

      Description

      Data in a web session is considered inside the "trust boundary". That is, it is assumed to be trustworthy. But storing unvetted data from an unauthenticated user violates the trust boundary, and may lead to that data being used inappropriately.

      This rule raises an issue when data from Cookie or HttpServletRequest objects is stored in a session.

      Noncompliant Code Example

      String login = request.getParameter("login"); // raw, unvetted request data
      session.setAttribute("login", login);  // Noncompliant: stored before the user is authenticated
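      Added example, not code from the rule page: the noncompliant pattern above next to a compliant version using the same servlet API. The UserStore interface and its authenticate method are hypothetical stand-ins for the application's credential check.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SessionTrustBoundary {

    // Hypothetical credential store; not part of the servlet API.
    public interface UserStore {
        // Returns the canonical login of the verified user, or null if rejected.
        String authenticate(String login, String password);
    }

    // Noncompliant: an unauthenticated client decides what crosses the
    // trust boundary into the session.
    public static void storeLoginNoncompliant(HttpServletRequest request) {
        String login = request.getParameter("login");
        HttpSession session = request.getSession();
        session.setAttribute("login", login); // Noncompliant (RSPEC-3318)
    }

    // Compliant: credentials are verified first, and the value placed in the
    // session is the identity the credential store vouches for, not the raw
    // request parameter.
    public static boolean storeLoginCompliant(HttpServletRequest request, UserStore users) {
        String login = request.getParameter("login");
        String password = request.getParameter("password");
        if (login == null || password == null) {
            return false;
        }
        String verifiedLogin = users.authenticate(login, password);
        if (verifiedLogin == null) {
            return false; // nothing from the failed request reaches the session
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("login", verifiedLogin);
        return true;
    }
}
```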

              People

              Reporter:
              Ann Campbell (ann.campbell.2)