Details

    • Message:
      Make sure that sockets are used safely here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++, Flex, Go, Kotlin, Objective-C, Python, Ruby, Rust, Scala, Swift, TypeScript, VB6
    • Covered Languages:
      C#, Java, JavaScript, PHP, VB.Net
    • Irrelevant for Languages:
      CSS, HTML, XML
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-20, CWE-200, CWE-400
    • OWASP:
      A3
    • SANS Top 25:
      Porous Defenses, Risky Resource Management

      Description

      Using sockets is security-sensitive. It has led in the past to the following vulnerabilities:

      Sockets expose an application in two ways:

      • They let the software interact with the outside world. That world is full of attackers, so it is necessary to check that they can neither read sensitive information nor inject dangerous input.
      • The number of sockets is limited and can be exhausted, which makes the application unresponsive to users who need additional sockets.

      This rule flags code that creates sockets. It matches only the direct use of sockets, not their use through frameworks or higher-level APIs such as HTTP connections.

      Ask Yourself Whether

      • sockets are created without any limit every time a user performs an action.
      • input received from sockets is used without being validated or sanitized.
      • sensitive data is sent over sockets without being encrypted (for example, without TLS).

      You are at risk if you answered yes to any of these questions.

      Recommended Secure Coding Practices

      • In many cases there is no need to open a socket yourself. Use existing libraries and protocols instead.
      • Encrypt all sensitive data you send. It is usually better to encrypt even non-sensitive data, as what is sent may change later.
      • Validate and sanitize any input read from the socket, and bound how much of it you buffer.
      • Limit the number of sockets a given user can create, time out idle ones, and close every socket as soon as possible.
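      The practices above worked into one runnable example. This is added here and is not code from the rule or from SonarSource: a per-peer cap on open sockets, a bounded line reader with input sanitization, a handler that closes the socket and releases the peer's slot on every path, and a TLS client context for anything sensitive. A socketpair stands in for an accepted TCP connection so the scenario runs offline; the peer addresses, the caps, the HELLO/OK/ERR line protocol and the sample lines are constructed for the illustration.

```python
import socket
import ssl
import threading
from collections import Counter

MAX_CONNS_PER_PEER = 2   # assumed cap on concurrent sockets per client address
MAX_LINE_BYTES = 256     # assumed cap on the length of one request line


class ConnectionLimiter:
    """Counts open sockets per peer address and refuses any beyond the cap."""
    def __init__(self, limit):
        self.limit, self._open, self._lock = limit, Counter(), threading.Lock()

    def acquire(self, peer_ip):
        with self._lock:
            if self._open[peer_ip] >= self.limit:
                return False
            self._open[peer_ip] += 1
            return True

    def release(self, peer_ip):
        with self._lock:
            self._open[peer_ip] -= 1


def read_line(sock, max_bytes=MAX_LINE_BYTES):
    """Read one newline-terminated line, aborting once it exceeds max_bytes."""
    buf = bytearray()
    while b"\n" not in buf:
        chunk = sock.recv(64)
        if not chunk:                 # peer closed: return whatever arrived
            break
        buf += chunk
        if len(buf) > max_bytes:      # never buffer unbounded peer data
            raise ValueError("line too long")
    return bytes(buf.split(b"\n", 1)[0])


def sanitize(raw):
    """Printable ASCII only: decode() rejects non-ASCII, the check control bytes."""
    text = raw.decode("ascii")
    if any(not 32 <= ord(c) < 127 for c in text):
        raise ValueError("control character in input")
    return text


def serve_one(conn, addr, limiter):
    """Handle one accepted socket: it is closed and its slot released on every path."""
    peer_ip = addr[0]
    with conn:
        if not limiter.acquire(peer_ip):
            conn.sendall(b"ERR too many connections\n")
            return
        try:
            conn.settimeout(2.0)       # an idle peer cannot hold the slot forever
            conn.sendall(b"HELLO\n")   # tells the client its slot is now counted
            try:
                text = sanitize(read_line(conn))
            except (ValueError, socket.timeout):
                conn.sendall(b"ERR bad input\n")
            else:
                conn.sendall(b"OK " + text.encode("ascii") + b"\n")
        except OSError:
            pass                       # peer went away; nothing left to do
        finally:
            limiter.release(peer_ip)


def tls_client_context():
    """For sensitive traffic: verification on, legacy TLS off; wrap the socket
    with ctx.wrap_socket(sock, server_hostname=host) instead of using it bare."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect(addr, limiter):
    """Stand-in for accept(): one end of a socketpair is served on a thread,
    the other end and the server's greeting line go back to the caller."""
    client, server = socket.socketpair()
    threading.Thread(target=serve_one, args=(server, addr, limiter), daemon=True).start()
    client.settimeout(2.0)
    return client, read_line(client)


def exchange(client, payload):
    """Send one request and return the reply, then wait for the server's close
    (which follows its slot release) before closing our own end."""
    with client:
        client.sendall(payload)
        reply = read_line(client, max_bytes=1024)
        while client.recv(64):
            pass
    return reply


def demo():
    """Constructed scenario: good, malformed and oversized lines, then too many sockets."""
    limiter = ConnectionLimiter(MAX_CONNS_PER_PEER)
    alice = ("10.0.0.1", 40000)        # constructed peer address
    out = {}
    for name, line in (("ok", b"ping\n"), ("bad", b"pi\x1bng\n"),
                       ("long", b"A" * 300 + b"\n")):
        out[name] = exchange(connect(alice, limiter)[0], line)
    held = [connect(alice, limiter)[0] for _ in range(MAX_CONNS_PER_PEER)]
    client, out["over"] = connect(alice, limiter)
    client.close()
    for s in held:
        s.close()
    return out
```

      In a real server the accept() loop would call serve_one with the accepted socket and the peer address it returns; the rest is unchanged. The cap is keyed on the peer IP, which is the cheapest per-user identity available before any authentication; behind a reverse proxy you would key on the authenticated user instead, since every client would otherwise share the proxy's address.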

      See


          Issue Links

          1. Java RSPEC-4852 (Language-Specification, Active, Unassigned)
          2. C# RSPEC-4944 (Language-Specification, Active, Unassigned)
          3. VB.NET RSPEC-4996 (Language-Specification, Active, Unassigned)
          4. JavaScript RSPEC-5087 (Language-Specification, Active, Unassigned)
          5. PHP RSPEC-5093 (Language-Specification, Active, Unassigned)
          6. Python RSPEC-5231 (Language-Specification, Active, Unassigned)


              People

              • Assignee: Unassigned
              • Reporter: Nicolas Harraudeau (nicolas.harraudeau)