org.sonar.plugins.findbugs.rules-scala.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of sonar-findbugs-plugin Show documentation
Show all versions of sonar-findbugs-plugin Show documentation
SpotBugs is a program that uses static analysis to look for bugs in Java code. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods.
<rules><!-- This file is auto-generated. -->
<rule key='PREDICTABLE_RANDOM_SCALA' priority='CRITICAL'>
<name>Security - Predictable pseudorandom number generator (Scala)</name>
<configKey>PREDICTABLE_RANDOM_SCALA</configKey>
<description><p>The use of a predictable random value can lead to vulnerabilities when used in certain security critical contexts. For example, when the value is used as:</p>
<ul>
<li>a CSRF token: a predictable token can lead to a CSRF attack as an attacker will know the value of the token</li>
<li>a password reset token (sent by email): a predictable password token can lead to an account takeover, since an attacker will guess the URL of the "change password" form</li>
<li>any other secret value</li>
</ul>
<p>
A quick fix could be to replace the use of <code>java.util.Random</code> with something stronger, such as <b>java.security.SecureRandom</b>.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>import scala.util.Random
def generateSecretToken() {
val result = Seq.fill(16)(Random.nextInt)
return result.map("%02x" format _).mkString
}</pre>
</p>
<p>
<b>Solution:</b>
<pre>import java.security.SecureRandom
def generateSecretToken() {
val rand = new SecureRandom()
val value = Array.ofDim[Byte](16)
rand.nextBytes(value)
return value.map("%02x" format _).mkString
}</pre>
</p>
<!--<p>
<b>Solution:</b>
<pre>import java.security.SecureRandom
import scala.util.Random._
def generateSecretToken() {
val secRandom = javaRandomToRandom(new SecureRandom())
val result = Seq.fill(16)(secRandom.nextInt)
return result.map("%02x" format _).mkString
}</pre>
</p>-->
<br/>
<p>
<b>References</b><br/>
<a href="https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html">Cracking Random Number Generators - Part 1 (http://jazzy.id.au)</a><br/>
<a href="https://www.securecoding.cert.org/confluence/display/java/MSC02-J.+Generate+strong+random+numbers">CERT: MSC02-J. Generate strong random numbers</a><br/>
<a href="https://cwe.mitre.org/data/definitions/330.html">CWE-330: Use of Insufficiently Random Values</a><br/>
<a href="https://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html">Predicting Struts CSRF Token (Example of real-life vulnerability and exploitation)</a>
</p></description>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_PATH_TRAVERSAL_IN' priority='CRITICAL'>
<name>Security - Potential Path Traversal using Scala API (file read)</name>
<configKey>SCALA_PATH_TRAVERSAL_IN</configKey>
<description><p>A file is opened to read its content. The filename comes from an <b>input</b> parameter.
If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.</p>
<p>This rule identifies <b>potential</b> path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled
by the user. If that is the case, the reported instance is a false positive.</p>
<br/>
<p>
<b>Vulnerable Code:</b><br/>
<pre>def getWordList(value:String) = Action {
if (!Files.exists(Paths.get("public/lists/" + value))) {
NotFound("File not found")
} else {
val result = Source.fromFile("public/lists/" + value).getLines().mkString // Weak point
Ok(result)
}
}</pre>
</p>
<br/>
<p>
<b>Solution:</b><br/>
<pre>import org.apache.commons.io.FilenameUtils;
def getWordList(value:String) = Action {
val filename = "public/lists/" + FilenameUtils.getName(value)
if (!Files.exists(Paths.get(filename))) {
NotFound("File not found")
} else {
val result = Source.fromFile(filename).getLines().mkString // Fix
Ok(result)
}
}</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246952/Path%20Traversal">WASC: Path Traversal</a><br/>
<a href="https://www.owasp.org/index.php/Path_Traversal">OWASP: Path Traversal</a><br/>
<a href="https://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/>
<a href="https://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a>
</p></description>
<tag>owasp-a4</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_COMMAND_INJECTION' priority='CRITICAL'>
<name>Security - Potential Command Injection (Scala)</name>
<configKey>SCALA_COMMAND_INJECTION</configKey>
<description><p>The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.</p>
<br/>
<p>
<b>Vulnerable Code:</b><br/>
<pre>def executeCommand(value:String) = Action {
val result = value.!
Ok("Result:\n"+result)
}</pre>
</p>
<p>
<b>References</b><br/>
<a href="https://www.owasp.org/index.php/Command_Injection">OWASP: Command Injection</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="https://cwe.mitre.org/data/definitions/78.html">CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</a>
</p></description>
<tag>owasp-a1</tag>
<tag>injection</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_SQL_INJECTION_SLICK' priority='CRITICAL'>
<name>Security - Potential Scala Slick Injection</name>
<configKey>SCALA_SQL_INJECTION_SLICK</configKey>
<description><p>
The input values included in SQL queries need to be passed in safely.
Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>db.run {
sql"select * from people where name = '#$value'".as[Person]
}</pre>
</p>
<p>
<b>Solution:</b><br/>
<pre>db.run {
sql"select * from people where name = $value".as[Person]
}</pre>
</p>
<br/>
<b>References (SQL injection)</b><br/>
<a href="http://projects.webappsec.org/w/page/13246963/SQL%20Injection">WASC-19: SQL Injection</a><br/>
<a href="https://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/>
<a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/>
</p></description>
<tag>owasp-a1</tag>
<tag>injection</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_SQL_INJECTION_ANORM' priority='CRITICAL'>
<name>Security - Potential Scala Anorm Injection</name>
<configKey>SCALA_SQL_INJECTION_ANORM</configKey>
<description><p>
The input values included in SQL queries need to be passed in safely.
Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>val peopleParser = Macro.parser[Person]("id", "name", "age")
DB.withConnection { implicit c =>
val people: List[Person] = SQL("select * from people where name = '" + value + "'").as(peopleParser.*)
}</pre>
</p>
<p>
<b>Solution:</b><br/>
<pre>val peopleParser = Macro.parser[Person]("id", "name", "age")
DB.withConnection { implicit c =>
val people: List[Person] = SQL"select * from people where name = $value".as(peopleParser.*)
}</pre>
</p>
<br/>
<b>References (SQL injection)</b><br/>
<a href="http://projects.webappsec.org/w/page/13246963/SQL%20Injection">WASC-19: SQL Injection</a><br/>
<a href="https://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/>
<a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/>
</p></description>
<tag>owasp-a1</tag>
<tag>injection</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_SENSITIVE_DATA_EXPOSURE' priority='CRITICAL'>
<name>Security - Potential information leakage in Scala Play</name>
<configKey>SCALA_SENSITIVE_DATA_EXPOSURE</configKey>
<description><p>
Applications can unintentionally leak information about their configuration, internal workings, or violate privacy through a
variety of application problems. <sup>[1]</sup> Pages that provide different responses based on the validity of the data can
lead to Information Leakage; specifically when data deemed confidential is being revealed as a result of the web application's
design. <sup>[2]</sup>
</p>
<p>
Examples of sensitive data includes (but is not limited to): API keys, passwords, product versions or environment configurations.
</p>
<p>
<b>Code at risk:</b><br/>
<pre>def doGet(value:String) = Action {
val configElement = configuration.underlying.getString(value)
Ok("Hello "+ configElement +" !")
}</pre>
</p>
<p>
Application configuration elements should not be sent in the response content and users should not be allowed to control which
configuration elements will be used by the code.
</p>
<b>References</b><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">OWASP: Top 10 2013-A6-Sensitive Data Exposure</a><br/>
[1] <a href="https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling">OWASP: Top 10 2007-Information Leakage and Improper Error Handling</a><br/>
[2] <a href="http://projects.webappsec.org/w/page/13246936/Information%20Leakage">WASC-13: Information Leakage</a><br/>
<a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a><br/>
</p></description>
<tag>owasp-a6</tag>
<tag>cryptography</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_PLAY_SSRF' priority='CRITICAL'>
<name>Security - Scala Play Server-Side Request Forgery (SSRF)</name>
<configKey>SCALA_PLAY_SSRF</configKey>
<description><p>
Server-Side Request Forgery occur when a web server executes a request to a user supplied destination
parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services
or to launch attacks from your web server.
</p>
<p>
<b>Vulnerable Code:</b>
<pre>def doGet(value:String) = Action {
WS.url(value).get().map { response =>
Ok(response.body)
}
}</pre>
</p>
<p>
<b>Solution/Countermeasures:</b><br/>
<ul>
<li>Don't accept request destinations from users</li>
<li>Accept a destination key, and use it to look up the target (legal) destination</li>
<li>White list URLs (if possible)</li>
<li>Validate that the beginning of the URL is part of a white list</li>
</ul>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="https://cwe.mitre.org/data/definitions/918.html">CWE-918: Server-Side Request Forgery (SSRF)</a><br/>
<a href="https://www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/">Understanding Server-Side Request Forgery</a><br/>
</p></description>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_XSS_TWIRL' priority='CRITICAL'>
<name>Security - Potential XSS in Scala Twirl template engine</name>
<configKey>SCALA_XSS_TWIRL</configKey>
<description><p>
A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)
</p>
<p>
<b>Vulnerable Code:</b>
<pre>@(value: Html)
@value</pre>
</p>
<p>
<b>Solution:</b>
<pre>@(value: String)
@value</pre>
</p>
<p>
The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider:
HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet,
which explains these defenses in significant detail.
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/>
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/>
<a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/>
<a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/>
</p></description>
<tag>owasp-a3</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
<rule key='SCALA_XSS_MVC_API' priority='CRITICAL'>
<name>Security - Potential XSS in Scala MVC API engine</name>
<configKey>SCALA_XSS_MVC_API</configKey>
<description><p>
A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)
</p>
<p>
<b>Vulnerable Code:</b>
<pre>def doGet(value:String) = Action {
Ok("Hello " + value + " !").as("text/html")
}</pre>
</p>
<p>
<b>Solution:</b>
<pre>def doGet(value:String) = Action {
Ok("Hello " + Encode.forHtml(value) + " !")
}</pre>
</p>
<p>
The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider:
HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet,
which explains these defenses in significant detail.
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/>
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/>
<a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/>
<a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/>
</p></description>
<tag>owasp-a3</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>security</tag>
</rule>
</rules> © 2015 - 2025 Weber Informatics LLC | Privacy Policy