rulesets.GDS.CWE.cwe-0285-improper-authorization.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of pmd-gds Show documentation
Show all versions of pmd-gds Show documentation
Custom ruleset for the open source static analysis tool PMD. The ruleset contains rules intended to identify security violations that map to the 2013 OWASP Top 10
<?xml version="1.0" encoding="UTF-8"?>
<ruleset name="A8 - Failure to Restrict URL Access"
xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
<description>
This file is part of the GDS PMD Secure Coding Ruleset.
This ruleset contains rules that are intended to detect authorization weaknesses.
</description>
<rule class="net.sourceforge.pmd.lang.rule.XPathRule"
name="MissingOrIncorrectAuthorization"
language="java"
message="Missing Or Incorrect Authorization"
externalInfoUrl="https://cwe.mitre.org/data/definitions/285.html">
<description>
This rule is intended to be a proof-of-concept example of how to identify missing or inadequate authorization functions in a class of a specific type.
Specifically, it looks for the the method isUserInRole within classes that extended HttpServlet.
For this rule to be useful, it should be customized with authorization functions and types specific to the application being scanned.
</description>
<priority>3</priority>
<properties>
<property name="xpath">
<value>
<![CDATA[
//MethodDeclaration[not (.//IfStatement//PrimaryExpression[PrimaryPrefix/Name[contains(@Image,'isUserInRole')]]) and /ImportDeclaration/Name[starts-with(@Image,"javax.servlet.http")] and /TypeDeclaration/ClassOrInterfaceDeclaration/ExtendsList/ClassOrInterfaceType/@Image="HttpServlet"]
]]>
</value>
</property>
</properties>
</rule>
</ruleset> © 2015 - 2025 Weber Informatics LLC | Privacy Policy