Rules Repository: RSPEC-4512

Setting JavaBean properties is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure that setting JavaBean properties is safe here.
    • Highlighting:
      First: the potentially corrupted data going to be populated in the JavaBean
      Second: the method populating the JavaBean
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      Java
    • Irrelevant for Languages:
      ABAP, C#, C, C++, Cobol, CSS, Flex, Go, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      15min
    • Analysis Scope:
      Main Sources
    • CERT:
      MSC61-J.
    • CWE:
      CWE-15
    • OWASP:
      A1
    • FindSecBugs:
      BEAN_PROPERTY_INJECTION

      Description

      Setting JavaBean properties is security-sensitive. Doing it with untrusted values has led in the past to vulnerabilities of the following kind:

      JavaBeans can have their properties, including nested properties, set by population functions that take property names and values as strings. When an attacker controls those names or values, they can push malicious data into the JavaBean and compromise the integrity of the application. A typical attack targets a nested property that is not part of the bean's intended interface, such as class.classLoader, in order to manipulate the ClassLoader and ultimately execute arbitrary code.

      This rule raises an issue when:

      • BeanUtils.populate(...) or BeanUtilsBean.populate(...) from Apache Commons BeanUtils is called
      • BeanUtils.setProperty(...) or BeanUtilsBean.setProperty(...) from Apache Commons BeanUtils is called
      • org.springframework.beans.BeanWrapper.setPropertyValue(...) or org.springframework.beans.BeanWrapper.setPropertyValues(...) from Spring is called

      Ask Yourself Whether

      • the new property names or values might have been tampered with or provided by an untrusted source.
      • sensitive properties can be modified, for example: class.classLoader

      You are at risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      Sanitize all values used as JavaBean properties.

      Don't set any sensitive properties. Keep full control over which properties are set: prefer calling the bean's setters explicitly. If the property names are provided by an untrusted source, filter them with a whitelist (allowlist) of expected names and reject nested, indexed or mapped property syntax such as "class.classLoader".

      Noncompliant Code Example

      import java.util.Enumeration;
      import java.util.HashMap;
      import java.util.Map;
      import org.apache.commons.beanutils.BeanUtils;

      Company bean = new Company();
      Map<String, String[]> map = new HashMap<>();
      Enumeration<String> names = request.getParameterNames();
      while (names.hasMoreElements()) {
          String name = names.nextElement();            // attacker chooses the property name
          map.put(name, request.getParameterValues(name)); // ...and its value(s)
      }
      // BeanUtils.populate declares IllegalAccessException and InvocationTargetException
      BeanUtils.populate(bean, map); // Noncompliant; "map" is populated with data coming from user input, here "request.getParameterNames()"
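      Compliant Solution

      The following is an added example, not code from the rule specification, showing one way to keep control over which properties are populated. It assumes a servlet request (javax.servlet.http.HttpServletRequest), a hypothetical Company bean with setters for name, street and zipCode, and Apache Commons BeanUtils 1.9.2 or later for SuppressPropertiesBeanIntrospector. Only parameter names found in an explicit allowlist are copied, and any name using nested ("a.b"), indexed ("a[0]") or mapped ("a(k)") syntax is rejected before it ever reaches the population function.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class CompanyBinder {

    // Allowlist of the only properties a client may set (hypothetical names).
    private static final Set<String> ALLOWED = Set.of("name", "street", "zipCode");

    private final BeanUtilsBean beanUtils;

    public CompanyBinder() {
        beanUtils = new BeanUtilsBean();
        // Defence in depth: hide the "class" property from the introspector so that
        // "class.classLoader..." cannot be resolved even if the allowlist were bypassed.
        beanUtils.getPropertyUtils()
                 .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    /** Copies only allowlisted, simple (non-nested, non-indexed) parameters into the bean. */
    public Company bind(HttpServletRequest request) throws Exception {
        Company bean = new Company();
        Map<String, String[]> safe = new HashMap<>();
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (!isAllowed(name)) {
                // Unknown or suspicious parameter: drop it (or reject the whole request
                // if the application wants to be strict about unexpected input).
                continue;
            }
            safe.put(name, request.getParameterValues(name));
        }
        // Property names are now fully under the application's control;
        // values are still untrusted and must be validated by the setters or afterwards.
        beanUtils.populate(bean, safe);
        return bean;
    }

    /** Accepts only plain property names from the allowlist. */
    static boolean isAllowed(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // Reject nested, indexed and mapped property syntax outright.
        if (name.indexOf('.') >= 0 || name.indexOf('[') >= 0 || name.indexOf('(') >= 0) {
            return false;
        }
        return ALLOWED.contains(name);
    }
}
```

      Filtering the names is what makes the population safe; the introspector setting only limits the blast radius if the filter is wrong. With Spring's BeanWrapper or DataBinder the equivalent control is DataBinder.setAllowedFields(...), which restricts binding to a declared set of field names.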
      

      Reporter: Alexandre Gigleux