Disabling resource integrity features is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure not using resource integrity feature is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Linear
    • Linear Argument Description:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-353
    • OWASP:
      A6

      Description

      Fetching external resources, for example from a CDN, without verifying their integrity could impact the security of an application if the CDN gets compromised and resources are replaced by malicious ones. The resource integrity feature blocks the inclusion of a resource into an application if the pre-computed digest of the expected resource doesn't match the digest of the retrieved resource.

      Ask Yourself Whether

      • The resources are fetched from external CDNs.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      • implement resources integrity checks for all static resources (where "static" means that the resource's content doesn't change dynamically based on the browser)
      • use versioned resources instead of the "latest" version of a resource

      See

          Issue Links

          1.
          JavaScript RSPEC-5726 Language-Specification Active Unassigned
          2.
          HTML RSPEC-5761 Language-Specification Active Unassigned

              People

              • Assignee:
                eric.therond Eric Therond
                Reporter:
                eric.therond Eric Therond