org.sonar.plugins.findbugs.rules-jsp.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of sonar-findbugs-plugin Show documentation
Show all versions of sonar-findbugs-plugin Show documentation
SpotBugs is a program that uses static analysis to look for bugs in Java code. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods.
<rules><!-- This file is auto-generated. -->
<rule key='JSP_INCLUDE' priority='CRITICAL'>
<name>Security - Dynamic JSP inclusion</name>
<configKey>JSP_INCLUDE</configKey>
<description><p>The inclusion of JSP file allow the entry of dynamic value. It may allow an attacker to control the JSP page included.
If this is the case, an attacker will try to include a file on disk that he controls. By including arbitrary files, the
attacker gets the ability to execute any code.
</p>
<p>
<b>Vulnerable Code:</b>
<pre>&lt;jsp:include page="${param.secret_param}" /&gt;</pre>
</p>
<p>
<b>Solution:</b>
<pre>&lt;c:if test="${param.secret_param == 'page1'}"&gt;
&lt;jsp:include page="page1.jsp" /&gt;
&lt;/c:if&gt;</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="https://resources.infosecinstitute.com/file-inclusion-attacks/">InfosecInstitute: File Inclusion Attacks</a><br/>
<a href="http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion">WASC-05: Remote File Inclusion</a><br/>
</p></description>
<tag>wasc</tag>
<tag>jsp</tag>
<tag>security</tag>
</rule>
<rule key='JSP_SPRING_EVAL' priority='CRITICAL'>
<name>Security - Dynamic variable in Spring expression</name>
<configKey>JSP_SPRING_EVAL</configKey>
<description><p>A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.
</p>
<p>
<b>Vulnerable Code:</b>
<pre>&lt;%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %&gt;
&lt;spring:eval expression="${param.lang}" var="lang" /&gt;</pre>
<br>
<pre>&lt;%@ taglib prefix="spring" uri="http://www.springframework.org/tags" %&gt;
&lt;spring:eval expression="'${param.lang}'=='fr'" var="languageIsFrench" /&gt;</pre>
</p>
<p>
<b>Solution:</b>
<pre>&lt;c:set var="lang" value="${param.lang}"/&gt;</pre>
<br/>
<pre>&lt;c:set var="languageIsFrench" value="${param.lang == 'fr'}"/&gt;</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="https://cwe.mitre.org/data/definitions/94.html">CWE-94: Improper Control of Generation of Code ('Code Injection')</a><br/>
<a href="https://cwe.mitre.org/data/definitions/95.html">CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')</a><br/>
</p></description>
<tag>owasp-a1</tag>
<tag>injection</tag>
<tag>cwe</tag>
<tag>jsp</tag>
<tag>security</tag>
</rule>
<rule key='JSP_JSTL_OUT' priority='MAJOR'>
<name>Security - Escaping of special XML characters is disabled</name>
<configKey>JSP_JSTL_OUT</configKey>
<description><p>A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)
</p>
<p>
<b>Vulnerable Code:</b>
<pre>&lt;%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %&gt;
&lt;c:out value="${param.test_param}" escapeXml="false"/&gt;</pre>
</p>
<p>
<b>Solution:</b>
<pre>&lt;%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %&gt;
&lt;c:out value="${param.test_param}"/&gt;</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/>
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/>
<a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/>
<a href="https://docs.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/c/out.html">JSTL Javadoc: Out tag</a><br/>
</p></description>
<tag>owasp-a3</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>jsp</tag>
<tag>security</tag>
</rule>
<rule key='XSS_JSP_PRINT' priority='MAJOR'>
<name>Security - Potential XSS in JSP</name>
<configKey>XSS_JSP_PRINT</configKey>
<description><p>A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)
</p>
<p>
<b>Vulnerable Code:</b>
<pre><%
String taintedInput = (String) request.getAttribute("input");
%>
[...]
&lt;%= taintedInput %&gt;</pre>
</p>
<p>
<b>Solution:</b>
<pre>
&lt;%
String taintedInput = (String) request.getAttribute("input");
%&gt;
[...]
&lt;%= Encode.forHtml(taintedInput) %&gt;
</pre>
</p>
<p>
The best defense against XSS is context sensitive output encoding like the example above. There are typically 4 contexts to consider:
HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet,
which explains these defenses in significant detail.
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/>
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/>
<a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/>
<a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/>
</p></description>
<tag>owasp-a3</tag>
<tag>wasc</tag>
<tag>cwe</tag>
<tag>jsp</tag>
<tag>security</tag>
</rule>
<rule key='JSP_XSLT' priority='CRITICAL'>
<name>Security - A malicious XSLT could be provided to the JSP tag</name>
<configKey>JSP_XSLT</configKey>
<description><p>
"XSLT (Extensible Stylesheet Language Transformations) is a language for transforming XML documents into other XML documents".<sup>[1]</sup><br/>
It is possible to attach malicious behavior to those style sheets. Therefore, if an attacker can control the content or the source of the
style sheet, he might be able to trigger remote code execution.<sup>[2]</sup>
</p>
<p>
<b>Code at risk:</b><br/>
<pre>
&#x3C;x:transform xml=&#x22;${xmlData}&#x22; xslt=&#x22;${xsltControlledByUser}&#x22; /&#x3E;
</pre>
</p>
<p>
<b>Solution:</b><br/>
<p>
The solution would be to make sure the style sheet is loaded from a safe sources and make sure that vulnerabilities such as
Path traversal <sup>[3][4]</sup> are not possible.
</p>
<p>
<b>References</b><br/>
[1] <a href="https://en.wikipedia.org/wiki/XSLT">Wikipedia: XSLT (Extensible Stylesheet Language Transformations)</a><br/>
<a href="https://prezi.com/y_fuybfudgnd/offensive-xslt/">Offensive XSLT</a> by Nicolas Grégoire<br/>
[2] <a href="https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html">From XSLT code execution to Meterpreter shells</a> by Nicolas Grégoire<br/>
<a href="https://xhe.myxwiki.org/xwiki/bin/view/Main/">XSLT Hacking Encyclopedia</a> by Nicolas Grégoire<br/>
<a href="https://www.acunetix.com/blog/articles/the-hidden-dangers-of-xsltprocessor-remote-xsl-injection/">Acunetix.com : The hidden dangers of XSLTProcessor - Remote XSL injection</a><br/>
<a href="https://www.w3.org/TR/xslt">w3.org XSL Transformations (XSLT) Version 1.0</a> : w3c specification<br/>
[3] <a href="http://projects.webappsec.org/w/page/13246952/Path%20Traversal">WASC: Path Traversal</a><br/>
[4] <a href="https://www.owasp.org/index.php/Path_Traversal">OWASP: Path Traversal</a><br/>
</p></description>
<tag>owasp-a1</tag>
<tag>injection</tag>
<tag>owasp-a4</tag>
<tag>wasc</tag>
<tag>jsp</tag>
<tag>security</tag>
</rule>
<rule key='XSS_REQUEST_PARAMETER_TO_JSP_WRITER' priority='MAJOR'>
<name>Security - JSP reflected cross site scripting vulnerability</name>
<configKey>XSS_REQUEST_PARAMETER_TO_JSP_WRITER</configKey>
<description><p>This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting
vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a>
for more information.</p>
<p>SpotBugs looks only for the most blatant, obvious cases of cross site scripting.
If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting
vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously
consider using a commercial static analysis or pen-testing tool.
</p></description>
<tag>owasp-a3</tag>
<tag>jsp</tag>
<tag>security</tag>
</rule>
</rules> © 2015 - 2025 Weber Informatics LLC | Privacy Policy