RSPEC-3749

Members of Spring components should be injected

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Annotate this member with "@Autowired", "@Resource", "@Inject", or "@Value", or remove it.
    • Highlighting:
      member declaration
    • List of parameters:
      key: customInjectionAnnotations
      default: ""
      description: comma-separated list of fully qualified annotation names that should also be accepted as injection annotations
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Covered Languages:
      Java
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • OWASP:
      A3

      Description

      Spring @Controller, @Service, and @Repository classes are singleton-scoped by default, meaning only one instance of the class is ever created and that single instance serves every request, for every user, concurrently. Such a class typically has a few static members, such as a logger, but every non-static member should be managed by Spring, i.e. carry one of these annotations: @Resource, @Inject, @Autowired, or @Value.

      A non-injected, non-static member in one of these classes usually indicates an attempt to keep state in the bean. Because the bean is a singleton shared across all requests, that state is shared too, and a request from User1 can overwrite it just before User2's request reads it, so the attempt is almost guaranteed to eventually expose data from User1's session to User2.

      This rule raises an issue when a singleton @Controller, @Service, or @Repository has a non-static member that is not annotated with one of:

      • org.springframework.beans.factory.annotation.Autowired
      • org.springframework.beans.factory.annotation.Value
      • javax.annotation.Inject
      • javax.annotation.Resource

      Noncompliant Code Example

      import static org.springframework.web.bind.annotation.RequestMethod.GET;

      import org.springframework.stereotype.Controller;
      import org.springframework.web.bind.annotation.RequestMapping;
      import org.springframework.web.bind.annotation.ResponseBody;

      @Controller
      public class HelloWorld {

        private String name = null;  // Noncompliant: non-static, not injected, written on every request

        @RequestMapping(value = "/greet", method = GET)
        @ResponseBody  // return the string itself, not a view name
        public String greet(String greetee) {

          if (greetee != null) {
            this.name = greetee;  // stored on the single shared controller instance
          }

          return "Hello " + this.name;  // if greetee is null, you see the previous user's data
        }
      }
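      The compliant counterpart, added here as an example that is not part of the rule page: the controller keeps only static members and injected members, so the rule has nothing to flag, and the per-user value moves into a session-scoped bean (GreetingPreferences, a hypothetical class name) reached through a scoped proxy, so two users' requests never read each other's data. The greeting.default property is likewise assumed for illustration.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.WebApplicationContext;

// Hypothetical holder for per-user state. Session scope gives every HTTP session
// its own instance; the CGLIB scoped proxy lets the singleton controller hold one
// reference that is resolved to the current session's instance on each call.
@Component
@Scope(value = WebApplicationContext.SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
class GreetingPreferences {

  private String lastGreetee;

  public String getLastGreetee() {
    return lastGreetee;
  }

  public void setLastGreetee(String lastGreetee) {
    this.lastGreetee = lastGreetee;
  }
}

@Controller
public class HelloWorld {

  // Static member: shared by design and carries no user data, so it is not flagged.
  private static final Logger LOG = LoggerFactory.getLogger(HelloWorld.class);

  // Every non-static member is injected, which is what the rule requires.
  @Autowired
  private GreetingPreferences preferences;

  // Assumed property; "stranger" is the fallback when it is not configured.
  @Value("${greeting.default:stranger}")
  private String defaultName;

  @GetMapping("/greet")
  @ResponseBody
  public String greet(@RequestParam(required = false) String greetee) {
    if (greetee != null) {
      // Written to the calling user's session, never to the shared controller.
      preferences.setLastGreetee(greetee);
    }
    String remembered = preferences.getLastGreetee();
    String name = (remembered != null) ? remembered : defaultName;
    LOG.debug("greeting {}", name);
    return "Hello " + name;
  }
}
```

      If the value does not need to survive between requests at all, the simplest fix is to keep it in a local variable of greet() and drop the field entirely; the session-scoped bean is only for state that genuinely belongs to one user across several requests.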
      

              People

              • Assignee:
                Unassigned
                Reporter:
                ann.campbell.2 Ann Campbell