
Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm


Details

  • Type: Improvement
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 6.9
  • Component/s: Rules
  • Labels: None

Description

Based on several discussions, for example in the community forum, this rule is:

  • changed to a Security Hotspot
  • given a new title, description, message and code examples

Small improvement to the detection behavior: the rule should raise only when

  • no method is defined for a RequestMapping annotation (already the case):
    @RequestMapping("/greet")  // Sensitive

  • safe methods (RequestMethod.GET, HEAD, OPTIONS) are mixed with unsafe methods (RequestMethod.POST, PUT, DELETE) on the same mapping (currently the rule raises as soon as more than one method is defined):
    @RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Sensitive
    @RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.HEAD}) // Compliant
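The three detection cases above collected in one Spring controller, together with the reviewed form a developer would move to. This is an added example written for this ticket, not code from the SonarJava rule or its test sources; the controller and endpoint names are made up.

```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller used only to illustrate what the rule raises on.
@RestController
public class AccountController {

    // Case 1: no method restriction. The handler answers GET, POST, PUT,
    // DELETE, ... so any verb can reach it. Raised as a hotspot.
    @RequestMapping("/greet")
    public String greet() {
        return "hello";
    }

    // Case 2: a safe verb (GET) and an unsafe verb (POST) share one
    // state-changing handler. The deletion is reachable with a plain GET,
    // which CSRF protection for unsafe verbs does not cover. Raised.
    @RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST})
    public String deleteMixed() {
        return "deleted";
    }

    // Case 3: several methods, but all of them safe. With the improved
    // detection this is no longer raised.
    @RequestMapping(path = "/status", method = {RequestMethod.GET, RequestMethod.HEAD})
    public String status() {
        return "ok";
    }

    // Reviewed form of case 2: the read-only confirmation page stays on GET,
    // the state change is restricted to POST, so safe verbs never mutate state.
    @GetMapping("/delete/confirm")
    public String confirmDelete() {
        return "confirm deletion?";
    }

    @PostMapping("/delete")
    public String delete() {
        return "deleted";
    }
}
```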
        

People

  • Assignee: Margarita Nedzelska (margarita.nedzelska)
  • Reporter: Eric Therond (eric.therond)
  • Votes: 0
  • Watchers: 2
