gitlab.find_sec_bugs.JAXRS_ENDPOINT-1
This method is part of a REST Web Service (JSR311). The security of this web service should be analyzed; Authentication, if enforced, should be tested. Access control, if enforced, should be tested. The inputs should be tracked for potential vulnerabilities. The communication should ideally be over SSL.
Definition
rules:
  - id: find_sec_bugs.JAXRS_ENDPOINT-1
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-inside: |
              @javax.ws.rs.Path("...")
              $TYPE $FUNC(..., $VAR, ...) {
                ...
              }
          - pattern: $VAR
    pattern-sanitizers:
      - patterns:
          - pattern-inside: |
              $STR.replaceAll("$REPLACE_CHAR", "$REPLACER");
              ...
          - pattern: $STR
          - metavariable-regex:
              metavariable: $REPLACER
              regex: .*^(CRLF).*
          - metavariable-regex:
              metavariable: $REPLACE_CHAR
              regex: (*CRLF)
      - pattern: org.apache.commons.text.StringEscapeUtils.unescapeJava(...);
    pattern-sinks:
      - pattern: return ...;
    message: >
      This method is part of a REST Web Service (JSR311). The security of this
      web service should be analyzed; Authentication, if enforced, should be tested.
      Access control, if enforced, should be tested. The inputs should be tracked
      for potential vulnerabilities. The communication should ideally be over SSL.
    languages:
      - java
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-20: Improper Input Validation"
      technology:
        - java
      primary_identifier: find_sec_bugs.JAXRS_ENDPOINT-1
      secondary_identifiers:
        - name: Find Security Bugs-JAXRS_ENDPOINT
          type: find_sec_bugs_type
          value: JAXRS_ENDPOINT
    license: MIT
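The rule above is a taint rule: any parameter of a method carrying `@javax.ws.rs.Path` is a source, and a `return` statement is the sink, so a resource method that hands a request parameter back in its return value is reported. The following Java class is an added illustration, not code from the rule page or from the Find Security Bugs project. It shows one method in the shape the rule reports and a second method with the controls the rule's message asks a reviewer to verify (authentication and access control enforced, input validated, response built from server-side data). `AccountResource`, `ACCOUNTS`, `ACCOUNT_ID` and the `account-reader` role are hypothetical names chosen for the example.

```java
// Added illustration of what find_sec_bugs.JAXRS_ENDPOINT-1 reports and what
// its message asks a reviewer to check. Not from the rule page or from the
// Find Security Bugs project; all names below are hypothetical.
import java.util.Map;
import java.util.regex.Pattern;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/accounts")
public class AccountResource {

    // Constructed sample data standing in for a real datastore.
    private static final Map<String, String> ACCOUNTS = Map.of(
            "alice", "Alice Example",
            "bob", "Bob Example");

    // Allowlist for account ids: lowercase alphanumerics, bounded length.
    private static final Pattern ACCOUNT_ID = Pattern.compile("^[a-z0-9]{1,32}$");

    // Reported by the rule: `id` is a parameter of a @Path-annotated method
    // (taint source) and reaches `return` (taint sink) untouched. Nothing here
    // checks who is calling, whether `id` is well-formed, or what it contains.
    @GET
    @Path("/{id}/name")
    @Produces(MediaType.TEXT_PLAIN)
    public String displayName(@PathParam("id") String id) {
        return "Account: " + id;
    }

    // The same endpoint with the controls the rule's message calls for:
    // the caller must be authenticated and hold a role, the input must match
    // the allowlist, and the body is built from server-side data. The rule
    // may still flag this method, because it treats every parameter-to-return
    // flow as tainted; the finding is the prompt to confirm these checks exist.
    @GET
    @Path("/{id}/name/checked")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("account-reader")
    public Response displayNameChecked(@PathParam("id") String id,
                                       @Context SecurityContext sec) {
        // Authentication: reject anonymous callers explicitly, even if the
        // container is also expected to enforce @RolesAllowed.
        if (sec.getUserPrincipal() == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        // Input validation: reject anything outside the allowlist before use.
        if (id == null || !ACCOUNT_ID.matcher(id).matches()) {
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("invalid account id").build();
        }
        String name = ACCOUNTS.get(id);
        if (name == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        // The response carries the stored display name, not the raw parameter.
        return Response.ok("Account: " + name).build();
    }
}
```

Scanning a file containing this class with the rule (the registry's usual invocation is `semgrep --config "r/gitlab.find_sec_bugs.JAXRS_ENDPOINT-1" AccountResource.java`) reports the `return` in `displayName`. Because the rule's sanitizers only recognise a narrow `replaceAll` shape and `StringEscapeUtils.unescapeJava`, validation code such as the `ACCOUNT_ID` check does not clear the taint on its own; treat each finding as a review item for the four points in the message rather than as a confirmed defect, and close it once those controls are verified.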
Short Link: https://sg.run/QJ0x