[SONARJAVA-3376] Rule S3752: from Vulnerability to Security Hotspot and small improvements on the detection algorithm - SonarSource

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 6.9
Component/s: Rules
Labels:
None

Description

Based on several discussions like in the community forum, this rule is:

changed to security-hotpot
with a new title/description/message/code examples

Small improvement to the detection behavior, the rule should raise only when:

there is no methods defined for a RequestMapping annotation (already the case)
```
@RequestMapping("/greet")  // Sensitive
```

when safe methods (RequestMethod.GET, HEAD, OPTIONS) are mixed with unsafe methods (RequestMethod.POST, PUT, DELETE) (currently this rule raises just when more than one method is defined):

@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Sensitive 
@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.HEAD}) // Compliant

Attachments

Issue Links

contributes to

MMF-2044 Java analyzer detects broken authentication and access control

Closed

implements

RSPEC-3752 Allowing both safe and unsafe HTTP methods is security-sensitive

Active

Activity

People

Assignee:

Margarita Nedzelska

Reporter:

Eric Therond

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Due:

01/Oct/20

Created:

05/May/20 5:46 PM

Updated:

05/Oct/20 9:55 AM

Resolved:

05/Oct/20 9:55 AM