org.sonar.plugins.findbugs.rules-scala.xml
<rules><!-- This file is auto-generated. -->
  <rule key='PREDICTABLE_RANDOM_SCALA' priority='CRITICAL'>
    <name>Security - Predictable pseudorandom number generator (Scala)</name>
    <configKey>PREDICTABLE_RANDOM_SCALA</configKey>
    <description><p>The use of a predictable random value can lead to vulnerabilities when it is used in certain security-critical contexts. For example, when the value is used as:</p>
<ul>
<li>a CSRF token: a predictable token can lead to a CSRF attack, as an attacker will know the value of the token</li>
<li>a password reset token (sent by email): a predictable password token can lead to an account takeover, since an attacker will guess the URL of the "change password" form</li>
<li>any other secret value</li>
</ul>
<p>
A quick fix could be to replace the use of <code>scala.util.Random</code> (a thin wrapper around <code>java.util.Random</code>) with something stronger, such as <b>java.security.SecureRandom</b>.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>import scala.util.Random

def generateSecretToken(): String = {
  // scala.util.Random wraps java.util.Random, whose output is predictable
  // once a few generated values have been observed
  val result = Seq.fill(16)(Random.nextInt)
  result.map("%02x" format _).mkString
}</pre>
</p>
<p>
<b>Solution:</b>
<pre>import java.security.SecureRandom

def generateSecretToken(): String = {
  // SecureRandom draws from a cryptographically strong source
  val rand = new SecureRandom()
  val value = Array.ofDim[Byte](16)
  rand.nextBytes(value)
  value.map("%02x" format _).mkString
}</pre>
</p>
<!--<p>
<b>Solution:</b>
<pre>import java.security.SecureRandom
import scala.util.Random._

def generateSecretToken(): String = {
  val secRandom = javaRandomToRandom(new SecureRandom())
  val result = Seq.fill(16)(secRandom.nextInt)
  result.map("%02x" format _).mkString
}</pre>
</p>-->
<br/>
<p>
<b>References</b><br/>
<a href="https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html">Cracking Random Number Generators - Part 1 (http://jazzy.id.au)</a><br/>
<a href="https://www.securecoding.cert.org/confluence/display/java/MSC02-J.+Generate+strong+random+numbers">CERT: MSC02-J. Generate strong random numbers</a><br/>
<a href="https://cwe.mitre.org/data/definitions/330.html">CWE-330: Use of Insufficiently Random Values</a><br/>
<a href="https://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html">Predicting Struts CSRF Token (Example of real-life vulnerability and exploitation)</a>
</p></description>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_PATH_TRAVERSAL_IN' priority='CRITICAL'>
    <name>Security - Potential Path Traversal using Scala API (file read)</name>
    <configKey>SCALA_PATH_TRAVERSAL_IN</configKey>
    <description><p>A file is opened to read its content. The filename comes from an <b>input</b> parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read.</p>
<p>This rule identifies <b>potential</b> path traversal vulnerabilities. In many cases, the constructed file path cannot be controlled by the user. If that is the case, the reported instance is a false positive.</p>
<br/>
<p>
<b>Vulnerable Code:</b><br/>
<pre>import java.nio.file.{Files, Paths}
import scala.io.Source

def getWordList(value: String) = Action {
  if (!Files.exists(Paths.get("public/lists/" + value))) {
    NotFound("File not found")
  } else {
    // Weak point: the path is built from unfiltered user input
    val result = Source.fromFile("public/lists/" + value).getLines().mkString
    Ok(result)
  }
}</pre>
</p>
<br/>
<p>
<b>Solution:</b><br/>
<pre>import java.nio.file.{Files, Paths}
import scala.io.Source
import org.apache.commons.io.FilenameUtils

def getWordList(value: String) = Action {
  // Fix: keep only the file name component and discard any directory part
  val filename = "public/lists/" + FilenameUtils.getName(value)
  if (!Files.exists(Paths.get(filename))) {
    NotFound("File not found")
  } else {
    val result = Source.fromFile(filename).getLines().mkString
    Ok(result)
  }
}</pre>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246952/Path%20Traversal">WASC: Path Traversal</a><br/>
<a href="https://www.owasp.org/index.php/Path_Traversal">OWASP: Path Traversal</a><br/>
<a href="https://capec.mitre.org/data/definitions/126.html">CAPEC-126: Path Traversal</a><br/>
<a href="https://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a>
</p></description>
    <tag>owasp-a4</tag>
    <tag>wasc</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_COMMAND_INJECTION' priority='CRITICAL'>
    <name>Security - Potential Command Injection (Scala)</name>
    <configKey>SCALA_COMMAND_INJECTION</configKey>
    <description><p>The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.</p>
<br/>
<p>
<b>Vulnerable Code:</b><br/>
<pre>import scala.sys.process._

def executeCommand(value: String) = Action {
  // "value" is run as a process unfiltered; "!" executes it and returns the exit code
  val result = value.!
  Ok("Result:\n" + result)
}</pre>
</p>
<p>
<b>References</b><br/>
<a href="https://www.owasp.org/index.php/Command_Injection">OWASP: Command Injection</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="https://cwe.mitre.org/data/definitions/78.html">CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</a>
</p></description>
    <tag>owasp-a1</tag>
    <tag>injection</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_SQL_INJECTION_SLICK' priority='CRITICAL'>
    <name>Security - Potential Scala Slick Injection</name>
    <configKey>SCALA_SQL_INJECTION_SLICK</configKey>
    <description><p>
The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. In Slick's <code>sql</code> interpolator, <code>$value</code> becomes a bind parameter, whereas <code>#$value</code> splices the raw string into the statement text.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>db.run {
  // "#$" inserts the value verbatim into the SQL text
  sql"select * from people where name = '#$value'".as[Person]
}</pre>
</p>
<p>
<b>Solution:</b><br/>
<pre>db.run {
  // "$" turns the value into a bind parameter of a prepared statement
  sql"select * from people where name = $value".as[Person]
}</pre>
</p>
<br/>
<p>
<b>References (SQL injection)</b><br/>
<a href="http://projects.webappsec.org/w/page/13246963/SQL%20Injection">WASC-19: SQL Injection</a><br/>
<a href="https://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/>
<a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/>
</p></description>
    <tag>owasp-a1</tag>
    <tag>injection</tag>
    <tag>wasc</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_SQL_INJECTION_ANORM' priority='CRITICAL'>
    <name>Security - Potential Scala Anorm Injection</name>
    <configKey>SCALA_SQL_INJECTION_ANORM</configKey>
    <description><p>
The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. With Anorm, the <code>SQL"..."</code> string interpolator binds interpolated values as parameters instead of concatenating them into the query.
</p>
<p>
<b>Vulnerable Code:</b><br/>
<pre>import anorm._

val peopleParser = Macro.parser[Person]("id", "name", "age")

DB.withConnection { implicit c =>
  // The query text is built by string concatenation with user input
  val people: List[Person] =
    SQL("select * from people where name = '" + value + "'").as(peopleParser.*)
}</pre>
</p>
<p>
<b>Solution:</b><br/>
<pre>import anorm._

val peopleParser = Macro.parser[Person]("id", "name", "age")

DB.withConnection { implicit c =>
  // The SQL interpolator binds "value" as a query parameter
  val people: List[Person] =
    SQL"select * from people where name = $value".as(peopleParser.*)
}</pre>
</p>
<br/>
<p>
<b>References (SQL injection)</b><br/>
<a href="http://projects.webappsec.org/w/page/13246963/SQL%20Injection">WASC-19: SQL Injection</a><br/>
<a href="https://capec.mitre.org/data/definitions/66.html">CAPEC-66: SQL Injection</a><br/>
<a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A1-Injection">OWASP: Top 10 2013-A1-Injection</a><br/>
<a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP: SQL Injection Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet">OWASP: Query Parameterization Cheat Sheet</a><br/>
</p></description>
    <tag>owasp-a1</tag>
    <tag>injection</tag>
    <tag>wasc</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_SENSITIVE_DATA_EXPOSURE' priority='CRITICAL'>
    <name>Security - Potential information leakage in Scala Play</name>
    <configKey>SCALA_SENSITIVE_DATA_EXPOSURE</configKey>
    <description><p>
Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. <sup>[1]</sup> Pages that provide different responses based on the validity of the data can lead to Information Leakage, specifically when data deemed confidential is revealed as a result of the web application's design. <sup>[2]</sup>
</p>
<p>
Examples of sensitive data include (but are not limited to): API keys, passwords, product versions or environment configurations.
</p>
<p>
<b>Code at risk:</b><br/>
<pre>def doGet(value: String) = Action {
  // The user chooses which configuration key is read, and its value is echoed back
  val configElement = configuration.underlying.getString(value)
  Ok("Hello " + configElement + " !")
}</pre>
</p>
<p>
Application configuration elements should not be sent in the response content, and users should not be allowed to control which configuration elements are used by the code.
</p>
<p>
<b>References</b><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure">OWASP: Top 10 2013-A6-Sensitive Data Exposure</a><br/>
[1] <a href="https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling">OWASP: Top 10 2007-Information Leakage and Improper Error Handling</a><br/>
[2] <a href="http://projects.webappsec.org/w/page/13246936/Information%20Leakage">WASC-13: Information Leakage</a><br/>
<a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a><br/>
</p></description>
    <tag>owasp-a6</tag>
    <tag>cryptography</tag>
    <tag>wasc</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_PLAY_SSRF' priority='CRITICAL'>
    <name>Security - Scala Play Server-Side Request Forgery (SSRF)</name>
    <configKey>SCALA_PLAY_SSRF</configKey>
    <description><p>
Server-Side Request Forgery occurs when a web server executes a request to a user-supplied destination parameter that is not validated. Such vulnerabilities could allow an attacker to access internal services or to launch attacks from your web server.
</p>
<p>
<b>Vulnerable Code:</b>
<pre>// Action.async is used because the WS call returns a Future[Result]
def doGet(value: String) = Action.async {
  // The request destination is taken directly from user input
  WS.url(value).get().map { response =>
    Ok(response.body)
  }
}</pre>
</p>
<p>
<b>Solution/Countermeasures:</b><br/>
<ul>
<li>Don't accept request destinations from users</li>
<li>Accept a destination key, and use it to look up the target (legal) destination</li>
<li>Whitelist URLs (if possible)</li>
<li>Validate that the beginning of the URL is part of a whitelist</li>
</ul>
</p>
<br/>
<p>
<b>References</b><br/>
<a href="https://cwe.mitre.org/data/definitions/918.html">CWE-918: Server-Side Request Forgery (SSRF)</a><br/>
<a href="https://www.bishopfox.com/blog/2015/04/vulnerable-by-design-understanding-server-side-request-forgery/">Understanding Server-Side Request Forgery</a><br/>
</p></description>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_XSS_TWIRL' priority='CRITICAL'>
    <name>Security - Potential XSS in Scala Twirl template engine</name>
    <configKey>SCALA_XSS_TWIRL</configKey>
    <description><p>
A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)
</p>
<p>
<b>Vulnerable Code:</b>
<pre>@(value: Html)
@value</pre>
</p>
<p>
<b>Solution:</b>
<pre>@(value: String)
@value</pre>
</p>
<p>
Twirl HTML-escapes a <code>String</code> value when it is rendered, whereas an <code>Html</code> value is emitted as-is and is trusted to already be safe markup.
</p>
<p>
The best defense against XSS is context-sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail.
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/>
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/>
<a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/>
<a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/>
</p></description>
    <tag>owasp-a3</tag>
    <tag>wasc</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
  <rule key='SCALA_XSS_MVC_API' priority='CRITICAL'>
    <name>Security - Potential XSS in Scala MVC API engine</name>
    <configKey>SCALA_XSS_MVC_API</configKey>
    <description><p>
A potential XSS was found. It could be used to execute unwanted JavaScript in a client's browser. (See references)
</p>
<p>
<b>Vulnerable Code:</b>
<pre>def doGet(value: String) = Action {
  // Unencoded user input is placed in a response declared as HTML
  Ok("Hello " + value + " !").as("text/html")
}</pre>
</p>
<p>
<b>Solution:</b>
<pre>import org.owasp.encoder.Encode

def doGet(value: String) = Action {
  // Encode the value for the HTML context before it reaches the response body
  Ok("Hello " + Encode.forHtml(value) + " !")
}</pre>
</p>
<p>
The best defense against XSS is context-sensitive output encoding like the example above. There are typically 4 contexts to consider: HTML, JavaScript, CSS (styles), and URLs. Please follow the XSS protection rules defined in the OWASP XSS Prevention Cheat Sheet, which explains these defenses in significant detail.
</p>
<br/>
<p>
<b>References</b><br/>
<a href="http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting">WASC-8: Cross Site Scripting</a><br/>
<a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet">OWASP: XSS Prevention Cheat Sheet</a><br/>
<a href="https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29">OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS)</a><br/>
<a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')</a><br/>
<a href="https://code.google.com/p/owasp-java-encoder/">OWASP Java Encoder</a><br/>
</p></description>
    <tag>owasp-a3</tag>
    <tag>wasc</tag>
    <tag>cwe</tag>
    <tag>security</tag>
  </rule>
</rules>