Based on several discussions, for example in the community forum, this rule is:
- changed to a security hotspot
- given a new title, description, message and code examples
Small improvement to the detection behavior: the rule should raise only when:
- no method is defined for a RequestMapping annotation (already the case):
@RequestMapping("/greet") // Sensitive
- safe methods (RequestMethod.GET, HEAD, OPTIONS) are mixed with unsafe methods (RequestMethod.POST, PUT, DELETE) (currently the rule raises as soon as more than one method is defined):
@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST}) // Sensitive
@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.HEAD}) // Compliant
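As an added illustration of the two conditions above (not the SonarJava rule's own implementation), a small regex-based checker in Python applied to constructed Java annotation lines; it treats GET, HEAD and OPTIONS as safe and, as an assumption, every other RequestMethod value as unsafe.

```python
import re
from typing import Optional

# HTTP methods treated as safe (read-only); everything else counts as unsafe.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed sample annotations, not taken from a real code base.
SAMPLE = """\
@RequestMapping("/greet")
@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.POST})
@RequestMapping(path = "/delete", method = {RequestMethod.GET, RequestMethod.HEAD})
@RequestMapping(path = "/delete", method = RequestMethod.DELETE)
@RequestMapping(path = "/list", method = {RequestMethod.GET, RequestMethod.OPTIONS})
@GetMapping("/status")
"""

ANNOTATION = re.compile(r"@RequestMapping\s*\((?P<args>.*)\)")
# `method = {...}` or a single `method = RequestMethod.X`
METHOD_ARG = re.compile(r"\bmethod\s*=\s*(\{[^}]*\}|[^,)]+)")
METHOD_NAME = re.compile(r"RequestMethod\.(\w+)")


def extract_methods(args: str) -> Optional[set[str]]:
    """Methods named in the annotation arguments; None if no `method` element."""
    m = METHOD_ARG.search(args)
    if m is None:
        return None
    return set(METHOD_NAME.findall(m.group(1)))


def is_sensitive(line: str) -> bool:
    """True when the mapping accepts every verb, or mixes safe and unsafe verbs."""
    m = ANNOTATION.search(line)
    if m is None:
        return False  # @GetMapping, @PostMapping etc. never trigger
    methods = extract_methods(m.group("args"))
    if methods is None:
        return True  # no method restriction: all HTTP verbs are accepted
    has_safe = any(meth in SAFE_METHODS for meth in methods)
    has_unsafe = any(meth not in SAFE_METHODS for meth in methods)
    return has_safe and has_unsafe


def scan(source: str) -> list[int]:
    """1-based line numbers of sensitive mappings in `source`."""
    return [n for n, line in enumerate(source.splitlines(), 1) if is_sensitive(line)]


if __name__ == "__main__":
    for n in scan(SAMPLE):
        print(f"line {n}: {SAMPLE.splitlines()[n - 1].strip()}")
```

Running it flags only the first two sample lines: the unrestricted mapping and the GET/POST mix.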
Issue links:
- contributes to: MMF-2044 Java analyzer detects broken authentication and access control (Closed)
- implements: RSPEC-3752 Allowing both safe and unsafe HTTP methods is security-sensitive (Active)