From 71c8ffe0919de02d0b81878310a7c9037fb983d0 Mon Sep 17 00:00:00 2001 From: "github-classroom[bot]" <66690702+github-classroom[bot]@users.noreply.github.com> Date: Thu, 9 Apr 2026 17:45:17 +0000 Subject: [PATCH 1/4] Setting up GitHub Classroom Feedback From cb8f3b50735d5429da0b43b72667e3db446815d1 Mon Sep 17 00:00:00 2001 From: "github-classroom[bot]" <66690702+github-classroom[bot]@users.noreply.github.com> Date: Thu, 9 Apr 2026 17:45:20 +0000 Subject: [PATCH 2/4] add deadline --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 18eee9a..21b4d8d 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ +[![Review Assignment Due Date](https://classroom.github.com/assets/deadline-readme-button-22041afd0340ce965d47ae6ef1cefeee28c7c493a6346c4f15d667ab976d596c.svg)](https://classroom.github.com/a/NSTTkgmb) # Лабораторная работа №4 — Анализ и тестирование безопасности веб-приложения ## Цель From 5c934dafbf53de8f0dab3fa006d5f5eca6623024 Mon Sep 17 00:00:00 2001 
From: selfofly <123412342@inbox.ru> Date: Mon, 13 Apr 2026 23:11:16 +0300 Subject: [PATCH 3/4] Solved --- .gitignore | 3 + build.gradle | 6 + scripts/run_semgrep_stage4.sh | 36 ++ scripts/stage3_manual_curls.sh | 86 ++++ semgrep-output.txt | 27 ++ semgrep-report.sarif | 1 + .../BrokenAccessControlPentestTest.java | 64 +++ .../pentest/ErrorDisclosurePentestTest.java | 61 +++ .../NotifyUnsafeCallbackPentestTest.java | 70 ++++ .../PathTraversalExportPentestTest.java | 69 ++++ ...\247\320\225\320\242_\320\233\320\2404.md" | 382 ++++++++++++++++++ ...20\222\320\220\320\235\320\230\320\225.md" | 212 ++++++++++ 12 files changed, 1017 insertions(+) create mode 100755 scripts/run_semgrep_stage4.sh create mode 100755 scripts/stage3_manual_curls.sh create mode 100644 semgrep-output.txt create mode 100644 semgrep-report.sarif create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/BrokenAccessControlPentestTest.java create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/NotifyUnsafeCallbackPentestTest.java create mode 100644 src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java create mode 100644 "\320\236\320\242\320\247\320\225\320\242_\320\233\320\2404.md" create mode 100644 "\320\240\320\243\320\247\320\235\320\236\320\225_\320\242\320\225\320\241\320\242\320\230\320\240\320\236\320\222\320\220\320\235\320\230\320\225.md" diff --git a/.gitignore b/.gitignore index 1fac4d5..b638ef5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,8 @@ .gradle build/ + +.venv/ +.semgrep-cache/ !gradle/wrapper/gradle-wrapper.jar !**/src/main/**/build/ !**/src/test/**/build/ diff --git a/build.gradle b/build.gradle index fb0a8f7..a51891a 100644 --- a/build.gradle +++ b/build.gradle @@ -1,5 +1,10 @@ plugins { id 'java' + id 'application' +} + +application { + mainClass = 'ru.itmo.testing.lab4.Main' } group = 'ru.itmo' 
@@ -11,6 +16,7 @@ repositories { dependencies { implementation 'io.javalin:javalin:6.3.0' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.17.2' implementation 'org.slf4j:slf4j-simple:2.0.13' testImplementation platform('org.junit:junit-bom:6.0.0') diff --git a/scripts/run_semgrep_stage4.sh b/scripts/run_semgrep_stage4.sh new file mode 100755 index 0000000..1327cdf --- /dev/null +++ b/scripts/run_semgrep_stage4.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash + +set -euo pipefail +ROOT="$(cd "$(dirname "$0")/.." && pwd)" +cd "$ROOT" + +SEM="${ROOT}/.venv/bin/semgrep" +if [[ ! -x "$SEM" ]]; then + python3 -m venv .venv + .venv/bin/pip install -q semgrep +fi + +if [[ ! -d /tmp/semgrep-rules/java ]]; then + rm -rf /tmp/semgrep-rules + git clone --depth 1 https://github.com/semgrep/semgrep-rules.git /tmp/semgrep-rules +fi +OWASP_YAML="${ROOT}/.semgrep-cache/p-owasp-top-ten.yaml" +mkdir -p "${ROOT}/.semgrep-cache" +if [[ ! -s "$OWASP_YAML" ]]; then + curl -sS -L --max-time 180 "https://semgrep.dev/c/p/owasp-top-ten" -o "$OWASP_YAML" +fi + +run_local() { + "$SEM" --metrics off --disable-version-check \ + --config /tmp/semgrep-rules/java \ + --config "$OWASP_YAML" \ + "$@" +} + +echo "=== Текстовый отчёт (stdout + semgrep-output.txt) ===" +run_local src/ 2>&1 | tee semgrep-output.txt + +echo "" +echo "=== SARIF → semgrep-report.sarif ===" +run_local --sarif -o semgrep-report.sarif src/ +echo "Готово." diff --git a/scripts/stage3_manual_curls.sh b/scripts/stage3_manual_curls.sh new file mode 100755 index 0000000..1d83f37 --- /dev/null +++ b/scripts/stage3_manual_curls.sh 
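Review bot: The rule sources this script feeds to semgrep are fetched unpinned and without any failure or integrity check: `git clone --depth 1 https://github.com/semgrep/semgrep-rules.git /tmp/semgrep-rules` clones whatever HEAD is today into a shared, world-writable /tmp path that the preceding `-d /tmp/semgrep-rules/java` test then trusts on every later run, and `curl -sS -L ... -o "$OWASP_YAML"` (no `-f`) stores an HTTP error body as the policy file, which the `! -s` guard accepts as cached from then on. Since the rule set decides what the scan can report (the committed semgrep-output.txt shows 0 findings), a stale, tampered or truncated rule set silently weakens the result without any visible error. Keep the clone under the project-local cache that .gitignore already covers, e.g. `RULES="${ROOT}/.semgrep-cache/semgrep-rules"`, pin it with `git -C "$RULES" checkout <RULES_COMMIT placeholder>`, and download with `curl -fsSL --max-time 180 ...` so a failed request does not leave a non-empty file behind. `pip install -q semgrep` is unpinned for the same reason; `pip install -q 'semgrep==<PINNED_VERSION placeholder>'` makes the scan reproducible across runs.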
@@ -0,0 +1,86 @@ +#!/usr/bin/env bash + +set -euo pipefail +B="http://localhost:7000" + +curlq() { + local desc="$1" + shift + echo "########## $desc ##########" + echo "Команда: curl -sS -D - -o - $*" + echo "---" + curl -sS -D - -o - "$@" 2>&1 || echo "(curl exit: $?)" + echo "" + echo "" +} + +# --- Подготовка данных --- +curlq "SETUP register stage3_base / Alice" -X POST "$B/register?userId=stage3_base&userName=Alice" +curlq "SETUP register stage3_xss / script name" -X POST "$B/register?userId=stage3_xss&userName=%3Cscript%3Ealert(1)%3C%2Fscript%3E" +curlq "SETUP register stage3_quote / quote in name" -X POST "$B/register?userId=stage3_quote&userName=O%27Reilly%22%3C%3E" +curlq "SETUP register stage3_sess / for sessions" -X POST "$B/register?userId=stage3_sess&userName=SessUser" +curlq "SETUP recordSession valid" -X POST "$B/recordSession?userId=stage3_sess&loginTime=2025-01-15T10:00:00&logoutTime=2025-01-15T11:30:00" +curlq "SETUP register stage3_month / monthly" -X POST "$B/register?userId=stage3_month&userName=M" +curlq "SETUP recordSession for monthlyActivity" -X POST "$B/recordSession?userId=stage3_month&loginTime=2025-01-10T08:00:00&logoutTime=2025-01-10T09:00:00" +curlq "SETUP register stage3_export" -X POST "$B/register?userId=stage3_export&userName=ExportUser" +curlq "SETUP register stage3_notify" -X POST "$B/register?userId=stage3_notify&userName=N" + +# --- POST /register --- +curlq "POST /register — нет параметров" -X POST "$B/register" +curlq "POST /register — только userId" -X POST "$B/register?userId=onlyId" +curlq "POST /register — пустой userId (граничный случай)" -X POST "$B/register?userId=&userName=empty_id_user" +curlq "POST /register — дубликат userId" -X POST "$B/register?userId=stage3_base&userName=Other" +curlq "POST /register — userId со слэшами и точками" -X POST "$B/register?userId=..%2F..%2Fevil&userName=test" +curlq "POST /register — длинный userName (~800 символов)" -X POST "$B/register?userId=stage3_long&userName=$(python3 -c 
'print("A"*800)')" + +# --- POST /recordSession --- +curlq "POST /recordSession — нет параметров" -X POST "$B/recordSession" +curlq "POST /recordSession — битый ISO loginTime" -X POST "$B/recordSession?userId=stage3_sess&loginTime=not-a-date&logoutTime=2025-01-15T12:00:00" +curlq "POST /recordSession — неизвестный userId" -X POST "$B/recordSession?userId=no_such_user&loginTime=2025-01-15T10:00:00&logoutTime=2025-01-15T11:00:00" +curlq "POST /recordSession — logout раньше login (логика сервиса)" -X POST "$B/recordSession?userId=stage3_sess&loginTime=2025-01-20T12:00:00&logoutTime=2025-01-20T10:00:00" + +# --- GET /totalActivity --- +curlq "GET /totalActivity — нет userId" "$B/totalActivity" +curlq "GET /totalActivity — несуществующий user" "$B/totalActivity?userId=ghost_user" +curlq "GET /totalActivity — норма" "$B/totalActivity?userId=stage3_sess" +curlq "GET /totalActivity — userId со спецсимволами в query" "$B/totalActivity?userId=stage3_%3Ctest%3E" + +# --- GET /inactiveUsers --- +curlq "GET /inactiveUsers — нет days" "$B/inactiveUsers" +curlq "GET /inactiveUsers — days не число" "$B/inactiveUsers?days=abc" +curlq "GET /inactiveUsers — days отрицательное" "$B/inactiveUsers?days=-1" +curlq "GET /inactiveUsers — days=0" "$B/inactiveUsers?days=0" + +# --- GET /monthlyActivity --- +curlq "GET /monthlyActivity — нет параметров" "$B/monthlyActivity" +curlq "GET /monthlyActivity — неверный month" "$B/monthlyActivity?userId=stage3_month&month=13-2025" +curlq "GET /monthlyActivity — пользователь без сессий (ожидание ошибки)" "$B/monthlyActivity?userId=stage3_base&month=2025-01" +curlq "GET /monthlyActivity — норма" "$B/monthlyActivity?userId=stage3_month&month=2025-01" + +# --- GET /userProfile --- +curlq "GET /userProfile — нет userId" "$B/userProfile" +curlq "GET /userProfile — 404" "$B/userProfile?userId=nobody_here" +curlq "GET /userProfile — XSS user" "$B/userProfile?userId=stage3_xss" +curlq "GET /userProfile — кавычки в имени" "$B/userProfile?userId=stage3_quote" 
+ +# --- GET /exportReport --- +curlq "GET /exportReport — нет параметров" "$B/exportReport" +curlq "GET /exportReport — несуществующий user" "$B/exportReport?userId=ghost&filename=a.txt" +curlq "GET /exportReport — нормальное имя файла" "$B/exportReport?userId=stage3_export&filename=safe_report.txt" +curlq "GET /exportReport — path traversal (../)" "$B/exportReport?userId=stage3_export&filename=..%2F..%2Ftmp%2Flab4_escape.txt" + +# --- POST /notify --- +curlq "POST /notify — нет параметров" -X POST "$B/notify" +curlq "POST /notify — несуществующий user" -X POST "$B/notify?userId=ghost&callbackUrl=http://127.0.0.1:1/" +curlq "POST /notify — невалидный URL" -X POST "$B/notify?userId=stage3_notify&callbackUrl=not-a-url" +curlq "POST /notify — connection refused (порт закрыт)" -X POST "$B/notify?userId=stage3_notify&callbackUrl=http://127.0.0.1:1/nope" +curlq "POST /notify — file:// схема" -X POST "$B/notify?userId=stage3_notify&callbackUrl=file:///etc/passwd" + +echo "########## RATE — 20x GET /totalActivity подряд (коды) ##########" +for i in $(seq 1 20); do + code=$(curl -s -o /dev/null -w "%{http_code}" "$B/totalActivity?userId=stage3_sess") + echo -n "$code " +done +echo "" + +echo "DONE" diff --git a/semgrep-output.txt b/semgrep-output.txt new file mode 100644 index 0000000..0af8710 --- /dev/null +++ b/semgrep-output.txt 
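Review bot: The rate loop at the end is the one place the script aborts instead of reporting: under `set -e`, `code=$(curl -s -o /dev/null -w "%{http_code}" ...)` terminates the script on the first curl failure (server not up, connection reset), while every other request goes through `curlq`, whose `|| echo "(curl exit: $?)"` keeps the run going. Make it consistent with `code=$(curl -s -o /dev/null -w "%{http_code}" "$B/totalActivity?userId=stage3_sess" || true)`; curl still prints `000` for a failed connection, so the printed column stays meaningful. `B="http://localhost:7000"` is also hard-coded; `B="${BASE_URL:-http://localhost:7000}"` lets the same script run against a test container without editing it. A short header comment stating that the script expects the lab application to be listening on that URL and that the SETUP section creates persistent `stage3_*` users in it would help the next reader, since the results depend on running it against a fresh instance.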
@@ -0,0 +1,27 @@ + + +┌─────────────┐ +│ Scan Status │ +└─────────────┘ + Scanning 6 files tracked by git with 133 Code rules: + + Language Rules Files Origin Rules + ───────────────────────────── ─────────────────── + java 112 6 Custom 131 + 1 6 Community 2 + + + +┌──────────────┐ +│ Scan Summary │ +└──────────────┘ +✅ Scan completed successfully. + • Findings: 0 (0 blocking) + • Rules run: 113 + • Targets scanned: 6 + • Parsed lines: ~100.0% + • Scan skipped: + ◦ Files matching .semgrepignore patterns: 1 + • Scan was limited to files tracked by git + • For a detailed list of skipped files and lines, run semgrep with the --verbose flag +Ran 113 rules on 6 files: 0 findings. diff --git a/semgrep-report.sarif b/semgrep-report.sarif new file mode 100644 index 0000000..ac3e49c --- /dev/null +++ b/semgrep-report.sarif 
@@ -0,0 +1 @@ +{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. 
Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"tmp.generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"tmp.generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. 
Consider hardcoding a scheme for this proxy."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"tmp.generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"tmp.generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. 
To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"id":"tmp.generic.nginx.security.header-injection.header-injection","name":"tmp.generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Manifest uses both `android:usesCleartextTraffic` and Network Security Config. The `usesCleartextTraffic` directive is ignored on Android 7 (API 24) and above if a Network Security Config is present."},"help":{"markdown":"Manifest uses both `android:usesCleartextTraffic` and Network Security Config. The `usesCleartextTraffic` directive is ignored on Android 7 (API 24) and above if a Network Security Config is present.\n\nReferences:\n - [https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic)\n - [https://developer.android.com/training/articles/security-config](https://developer.android.com/training/articles/security-config)\n","text":"Manifest uses both `android:usesCleartextTraffic` and Network Security Config. 
The `usesCleartextTraffic` directive is ignored on Android 7 (API 24) and above if a Network Security Config is present."},"id":"tmp.semgrep-rules.java.android.best-practice.manifest-usesCleartextTraffic-ignored-by-nsc","name":"tmp.semgrep-rules.java.android.best-practice.manifest-usesCleartextTraffic-ignored-by-nsc","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.manifest-usesCleartextTraffic-ignored-by-nsc"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The Android manifest is configured to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. This flag is ignored on Android 7 (API 24) and above if a Network Security Config is present."},"help":{"markdown":"The Android manifest is configured to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. This flag is ignored on Android 7 (API 24) and above if a Network Security Config is present.\n\nReferences:\n - [https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic](https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic)\n - [https://developer.android.com/training/articles/security-config](https://developer.android.com/training/articles/security-config)\n","text":"The Android manifest is configured to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. 
This flag is ignored on Android 7 (API 24) and above if a Network Security Config is present."},"id":"tmp.semgrep-rules.java.android.best-practice.manifest-usesCleartextTraffic-true","name":"tmp.semgrep-rules.java.android.best-practice.manifest-usesCleartextTraffic-true","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.manifest-usesCleartextTraffic-true"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The Network Security Config is set to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"InsecureBaseConfiguration\"` as parameters to your ``)"},"help":{"markdown":"The Network Security Config is set to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"InsecureBaseConfiguration\"` as parameters to your ``)\n\nReferences:\n - [https://developer.android.com/training/articles/security-config](https://developer.android.com/training/articles/security-config)\n - [https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/](https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/)\n","text":"The Network Security Config is set to allow non-encrypted connections. Evaluate if this is necessary for your app, and disable it if appropriate. 
(To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"InsecureBaseConfiguration\"` as parameters to your ``)"},"id":"tmp.semgrep-rules.java.android.best-practice.nsc-allows-plaintext-traffic","name":"tmp.semgrep-rules.java.android.best-practice.nsc-allows-plaintext-traffic","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.nsc-allows-plaintext-traffic"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Network Security Config is set to accept user-installed CAs. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"AcceptsUserCertificates\"` as parameters to your ``)"},"help":{"markdown":"The Network Security Config is set to accept user-installed CAs. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"AcceptsUserCertificates\"` as parameters to your ``)\n\nReferences:\n - [https://developer.android.com/training/articles/security-config](https://developer.android.com/training/articles/security-config)\n - [https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/](https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/)\n","text":"The Network Security Config is set to accept user-installed CAs. Evaluate if this is necessary for your app, and disable it if appropriate. 
(To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"AcceptsUserCertificates\"` as parameters to your ``)"},"id":"tmp.semgrep-rules.java.android.best-practice.nsc-allows-user-ca-certs","name":"tmp.semgrep-rules.java.android.best-practice.nsc-allows-user-ca-certs","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.nsc-allows-user-ca-certs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Network Security Config is set to accept user-installed CAs for the domain `$DOMAIN`. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"AcceptsUserCertificates\"` as parameters to your ``)"},"help":{"markdown":"The Network Security Config is set to accept user-installed CAs for the domain `$DOMAIN`. Evaluate if this is necessary for your app, and disable it if appropriate. (To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"AcceptsUserCertificates\"` as parameters to your ``)\n\nReferences:\n - [https://developer.android.com/training/articles/security-config](https://developer.android.com/training/articles/security-config)\n - [https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/](https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/)\n","text":"The Network Security Config is set to accept user-installed CAs for the domain `$DOMAIN`. Evaluate if this is necessary for your app, and disable it if appropriate. 
(To hide this warning, set `xmlns:tools=\"http://schemas.android.com/tools\" tools:ignore=\"AcceptsUserCertificates\"` as parameters to your ``)"},"id":"tmp.semgrep-rules.java.android.best-practice.nsc-allows-user-ca-certs-for-domain","name":"tmp.semgrep-rules.java.android.best-practice.nsc-allows-user-ca-certs-for-domain","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.nsc-allows-user-ca-certs-for-domain"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Your app uses TLS public key pinning without specifying a backup key. If you are forced to change TLS keys or CAs on short notice, not having a backup pin can lead to connectivity issues until you can push out an update. It is considered best practice to add at least one additional pin as a backup."},"help":{"markdown":"Your app uses TLS public key pinning without specifying a backup key. If you are forced to change TLS keys or CAs on short notice, not having a backup pin can lead to connectivity issues until you can push out an update. It is considered best practice to add at least one additional pin as a backup.\n\nReferences:\n - [https://developer.android.com/training/articles/security-config#CertificatePinning](https://developer.android.com/training/articles/security-config#CertificatePinning)\n - [https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/](https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/)\n","text":"Your app uses TLS public key pinning without specifying a backup key. If you are forced to change TLS keys or CAs on short notice, not having a backup pin can lead to connectivity issues until you can push out an update. 
It is considered best practice to add at least one additional pin as a backup."},"id":"tmp.semgrep-rules.java.android.best-practice.nsc-pinning-without-backup","name":"tmp.semgrep-rules.java.android.best-practice.nsc-pinning-without-backup","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.nsc-pinning-without-backup"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Your app uses TLS public key pinning without specifying an expiration date. If your users do not update the app to receive new pins in time, expired or replaced certificates can lead to connectivity issues until they install an update. It is considered best practice to set an expiration time, after which the system will default to trusting system CAs and disregard the pin."},"help":{"markdown":"Your app uses TLS public key pinning without specifying an expiration date. If your users do not update the app to receive new pins in time, expired or replaced certificates can lead to connectivity issues until they install an update. It is considered best practice to set an expiration time, after which the system will default to trusting system CAs and disregard the pin.\n\nReferences:\n - [https://developer.android.com/training/articles/security-config#CertificatePinning](https://developer.android.com/training/articles/security-config#CertificatePinning)\n - [https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/](https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/)\n","text":"Your app uses TLS public key pinning without specifying an expiration date. If your users do not update the app to receive new pins in time, expired or replaced certificates can lead to connectivity issues until they install an update. 
It is considered best practice to set an expiration time, after which the system will default to trusting system CAs and disregard the pin."},"id":"tmp.semgrep-rules.java.android.best-practice.nsc-pinning-without-expiration","name":"tmp.semgrep-rules.java.android.best-practice.nsc-pinning-without-expiration","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.best-practice.nsc-pinning-without-expiration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application's control plane."},"help":{"markdown":"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application's control plane.\n\nReferences:\n - [https://cwe.mitre.org/data/definitions/926.html](https://cwe.mitre.org/data/definitions/926.html)\n","text":"The application exports an activity. Any application on the device can launch the exported activity which may compromise the integrity of your application or its data. 
Ensure that any exported activities do not have privileged access to your application's control plane."},"id":"tmp.semgrep-rules.java.android.security.exported_activity","name":"tmp.semgrep-rules.java.android.security.exported_activity","properties":{"precision":"very-high","tags":["CWE-926: Improper Export of Android Application Components","MEDIUM CONFIDENCE","OWASP-A5:2021 Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.android.security.exported_activity"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. 
Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"id":"tmp.semgrep-rules.java.aws-lambda.security.tainted-sql-string","name":"tmp.semgrep-rules.java.aws-lambda.security.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.aws-lambda.security.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use parameterized SQL queries or properly sanitize user input instead."},"id":"tmp.semgrep-rules.java.aws-lambda.security.tainted-sqli","name":"tmp.semgrep-rules.java.aws-lambda.security.tainted-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.aws-lambda.security.tainted-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. 
Call '.verify()' before using the token."},"helpUri":"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/","id":"tmp.semgrep-rules.java.java-jwt.security.audit.java-jwt-decode-without-verify","name":"tmp.semgrep-rules.java.java-jwt.security.audit.java-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.java-jwt.security.audit.java-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. 
It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"id":"tmp.semgrep-rules.java.java-jwt.security.java-jwt-hardcoded-secret","name":"tmp.semgrep-rules.java.java-jwt.security.java-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.java-jwt.security.java-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. 
Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/","id":"tmp.semgrep-rules.java.java-jwt.security.java-jwt-none-alg","name":"tmp.semgrep-rules.java.java-jwt.security.java-jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.java-jwt.security.java-jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the function or class."},"help":{"markdown":"When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the function or class.\n\nReferences:\n - [https://access.redhat.com/blogs/766093/posts/3162112](https://access.redhat.com/blogs/766093/posts/3162112)\n","text":"When a Restful webservice endpoint isn't configured with a @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. 
The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution. Instead, add a @Consumes annotation to the function or class."},"id":"tmp.semgrep-rules.java.jax-rs.security.default-resteasy-provider-abuse","name":"tmp.semgrep-rules.java.jax-rs.security.default-resteasy-provider-abuse","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.jax-rs.security.default-resteasy-provider-abuse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method."},"help":{"markdown":"When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. 
The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\nReferences:\n - [https://access.redhat.com/blogs/766093/posts/3162112](https://access.redhat.com/blogs/766093/posts/3162112)\n","text":"When a Restful webservice endpoint is configured to use wildcard mediaType {*/*} as a value for the @Consumes annotation, an attacker could abuse the SerializableProvider by sending a HTTP Request with a Content-Type of application/x-java-serialized-object. The body of that request would be processed by the SerializationProvider and could contain a malicious payload, which may lead to arbitrary code execution when calling the $Y.getObject method."},"id":"tmp.semgrep-rules.java.jax-rs.security.insecure-resteasy-deserialization","name":"tmp.semgrep-rules.java.jax-rs.security.insecure-resteasy-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.jax-rs.security.insecure-resteasy-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. 
To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN","id":"tmp.semgrep-rules.java.jax-rs.security.jax-rs-path-traversal","name":"tmp.semgrep-rules.java.jax-rs.security.jax-rs-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.jax-rs.security.jax-rs-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"In $METHOD, $X is used to construct a SQL query via string concatenation."},"help":{"markdown":"In $METHOD, $X is used to construct a SQL query via string concatenation.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"In $METHOD, $X is used to construct a SQL query via string 
concatenation."},"id":"tmp.semgrep-rules.java.jboss.security.find-sql-string-concatenation","name":"tmp.semgrep-rules.java.jboss.security.find-sql-string-concatenation","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.jboss.security.find-sql-string-concatenation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SEAM_LOG_INJECTION","id":"tmp.semgrep-rules.java.jboss.security.seam-log-injection","name":"tmp.semgrep-rules.java.jboss.security.seam-log-injection","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.jboss.security.seam-log-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. 
Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/","id":"tmp.semgrep-rules.java.jjwt.security.jjwt-none-alg","name":"tmp.semgrep-rules.java.jjwt.security.jjwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.jjwt.security.jjwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The value of `$X` is being ignored and will be used in the conditional test"},"help":{"markdown":"The value of `$X` is being ignored and will be used in the conditional test","text":"The value of `$X` is being ignored and will be used in the conditional test"},"id":"tmp.semgrep-rules.java.lang.correctness.assignment-comparison","name":"tmp.semgrep-rules.java.lang.correctness.assignment-comparison","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.correctness.assignment-comparison"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). To test if `$X` is not-a-number, use `Double.isNaN($X)`."},"help":{"markdown":"`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). To test if `$X` is not-a-number, use `Double.isNaN($X)`.","text":"`$X == $X` or `$X != $X` is always true. (Unless the value compared is a float or double). 
To test if `$X` is not-a-number, use `Double.isNaN($X)`."},"id":"tmp.semgrep-rules.java.lang.correctness.eqeq","name":"tmp.semgrep-rules.java.lang.correctness.eqeq","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.correctness.eqeq"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"This if statement will always have the same behavior and is therefore unnecessary."},"help":{"markdown":"This if statement will always have the same behavior and is therefore unnecessary.","text":"This if statement will always have the same behavior and is therefore unnecessary."},"id":"tmp.semgrep-rules.java.lang.correctness.hardcoded-conditional","name":"tmp.semgrep-rules.java.lang.correctness.hardcoded-conditional","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.correctness.hardcoded-conditional"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Strings should not be compared with '=='. This is a reference comparison operator. Use '.equals()' instead."},"help":{"markdown":"Strings should not be compared with '=='. This is a reference comparison operator. Use '.equals()' instead.","text":"Strings should not be compared with '=='. This is a reference comparison operator. Use '.equals()' instead."},"id":"tmp.semgrep-rules.java.lang.correctness.no-string-eqeq","name":"tmp.semgrep-rules.java.lang.correctness.no-string-eqeq","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.correctness.no-string-eqeq"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. 
See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."},"help":{"markdown":"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#LDAP_ANONYMOUS","id":"tmp.semgrep-rules.java.lang.security.audit.anonymous-ldap-bind","name":"tmp.semgrep-rules.java.lang.security.audit.anonymous-ldap-bind","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.anonymous-ldap-bind"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. 
Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#BAD_HEXA_CONVERSION","id":"tmp.semgrep-rules.java.lang.security.audit.bad-hexa-conversion","name":"tmp.semgrep-rules.java.lang.security.audit.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead."},"help":{"markdown":"Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Using less than 128 bits for Blowfish is considered insecure. 
Use 128 bits or more, or switch to use AES instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE","id":"tmp.semgrep-rules.java.lang.security.audit.blowfish-insufficient-key-size","name":"tmp.semgrep-rules.java.lang.security.audit.blowfish-insufficient-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.blowfish-insufficient-key-size"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead."},"help":{"markdown":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE)\n - [https://capec.mitre.org/data/definitions/463.html](https://capec.mitre.org/data/definitions/463.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#cipher-modes)\n - [https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY](https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY)\n","text":"Using CBC with PKCS5Padding is susceptible to padding oracle attacks. A malicious actor could discern the difference between plaintext with valid or invalid padding. 
Further, CBC mode does not include any integrity checks. Use 'AES/GCM/NoPadding' instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#PADDING_ORACLE","id":"tmp.semgrep-rules.java.lang.security.audit.cbc-padding-oracle","name":"tmp.semgrep-rules.java.lang.security.audit.cbc-padding-oracle","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.cbc-padding-oracle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. 
Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#COMMAND_INJECTION.","id":"tmp.semgrep-rules.java.lang.security.audit.command-injection-formatted-runtime-call","name":"tmp.semgrep-rules.java.lang.security.audit.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a ProcessBuilder call. This is dangerous if a variable is controlled by user input and could result in a command injection. 
Ensure your variables are not controlled by users or sufficiently sanitized."},"id":"tmp.semgrep-rules.java.lang.security.audit.command-injection-process-builder","name":"tmp.semgrep-rules.java.lang.security.audit.command-injection-process-builder","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.command-injection-process-builder"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. 
Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#HTTPONLY_COOKIE","id":"tmp.semgrep-rules.java.lang.security.audit.cookie-missing-httponly","name":"tmp.semgrep-rules.java.lang.security.audit.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"help":{"markdown":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. 
Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#INSECURE_COOKIE","id":"tmp.semgrep-rules.java.lang.security.audit.cookie-missing-secure-flag","name":"tmp.semgrep-rules.java.lang.security.audit.cookie-missing-secure-flag","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.cookie-missing-secure-flag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS","id":"tmp.semgrep-rules.java.lang.security.audit.crlf-injection-logs","name":"tmp.semgrep-rules.java.lang.security.audit.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: 
tmp.semgrep-rules.java.lang.security.audit.crlf-injection-logs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information."},"help":{"markdown":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#DES_USAGE)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#DES_USAGE","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.des-is-deprecated","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.des-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.des-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. 
Upgrade to use AES."},"help":{"markdown":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE)\n - [https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA](https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA)\n","text":"Triple DES (3DES or DESede) is considered deprecated. AES is the recommended cipher. Upgrade to use AES."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#TDES_USAGE","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.desede-is-deprecated","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.desede-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.desede-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."},"help":{"markdown":"Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#ECB_MODE)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Cipher in ECB mode is detected. 
ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#ECB_MODE","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.ecb-cipher","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.ecb-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.ecb-cipher"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted."},"help":{"markdown":"GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. 
Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n\nReferences:\n - [https://cwe.mitre.org/data/definitions/323.html](https://cwe.mitre.org/data/definitions/323.html)\n","text":"GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different. Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.gcm-detection","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.gcm-detection","properties":{"precision":"very-high","tags":["CWE-323: Reusing a Nonce, Key Pair in Encryption","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.gcm-detection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"GCM IV/nonce is reused: encryption can be totally useless"},"help":{"markdown":"GCM IV/nonce is reused: encryption can be totally useless\n\nReferences:\n - [Semgrep Rule](https://www.youtube.com/watch?v=r1awgAl90wM)\n - 
[https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"GCM IV/nonce is reused: encryption can be totally useless"},"helpUri":"https://www.youtube.com/watch?v=r1awgAl90wM","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.gcm-nonce-reuse","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.gcm-nonce-reuse","properties":{"precision":"very-high","tags":["CWE-323: Reusing a Nonce, Key Pair in Encryption","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.gcm-nonce-reuse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#NULL_CIPHER","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.no-null-cipher","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.no-null-cipher"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#STATIC_IV)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. 
Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#STATIC_IV","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.no-static-initialization-vector","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.no-static-initialization-vector","properties":{"precision":"very-high","tags":["CWE-329: Generation of Predictable IV with CBC Mode","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.no-static-initialization-vector"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using RSA without OAEP mode weakens the encryption."},"help":{"markdown":"Using RSA without OAEP mode weakens the encryption.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING)\n - [https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/](https://rdist.root.org/2009/10/06/why-rsa-encryption-padding-is-critical/)\n","text":"Using RSA without OAEP mode weakens the encryption."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#RSA_NO_PADDING","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.rsa-no-padding","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.rsa-no-padding","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.rsa-no-padding"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cryptographic algorithms are notoriously difficult to get right. 
By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"help":{"markdown":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n","text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DefaultHttpClient is deprecated. 
Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead."},"help":{"markdown":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#DEFAULT_HTTP_CLIENT","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"help":{"markdown":"Insecure HostnameVerifier implementation detected. 
This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.insecure-hostname-verifier","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.insecure-hostname-verifier","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.insecure-hostname-verifier"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information."},"help":{"markdown":"Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. 
See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER)\n - [https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https](https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https)\n","text":"Detected empty trust manager implementations. This is dangerous because it accepts any certificate, enabling man-in-the-middle attacks. Consider using a KeyStore and TrustManagerFactory instead. See https://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https for more information."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#WEAK_TRUST_MANAGER","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.insecure-trust-manager","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.insecure-trust-manager","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.ssl.insecure-trust-manager"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead."},"help":{"markdown":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. 
Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#UNENCRYPTED_SOCKET","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.unencrypted-socket","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-aes-ecb","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-aes-ecb","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-aes-ecb"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-blowfish","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-blowfish"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. 
Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-default-aes","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-default-aes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-md5","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Use HMAC instead."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_MD5","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-md5-digest-utils","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of RC2 was detected. RC2 is vulnerable to related-key attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-rc2","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-rc2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-rc2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). 
See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-rc4","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. 
Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-sha1","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."},"help":{"markdown":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security.\n\nReferences:\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar3.ipd.pdf)\n - [https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-cryptography)\n","text":"This code uses a 224-bit hash function, which is deprecated or disallowed in some security policies. 
Consider updating to a stronger hash function such as SHA-384 or higher to ensure compliance and security."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-sha224","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-sha224","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-sha224"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE","id":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-weak-rsa-key","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the functions `Math.random()` or `java.util.Random()`. 
These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"help":{"markdown":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"id":"tmp.semgrep-rules.java.lang.security.audit.crypto.weak-random","name":"tmp.semgrep-rules.java.lang.security.audit.crypto.weak-random","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.crypto.weak-random"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#GROOVY_SHELL","id":"tmp.semgrep-rules.java.lang.security.audit.dangerous-groovy-shell","name":"tmp.semgrep-rules.java.lang.security.audit.dangerous-groovy-shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.dangerous-groovy-shell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"An expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#EL_INJECTION","id":"tmp.semgrep-rules.java.lang.security.audit.el-injection","name":"tmp.semgrep-rules.java.lang.security.audit.el-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.el-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n","text":"Detected a formatted string in a SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION","id":"tmp.semgrep-rules.java.lang.security.audit.formatted-sql-string","name":"tmp.semgrep-rules.java.lang.security.audit.formatted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.formatted-sql-string"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. 
This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#HTTP_RESPONSE_SPLITTING","id":"tmp.semgrep-rules.java.lang.security.audit.http-response-splitting","name":"tmp.semgrep-rules.java.lang.security.audit.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.http-response-splitting"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'."},"help":{"markdown":"Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure SMTP connection detected. This connection will trust any SSL certificate. 
Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#INSECURE_SMTP_SSL","id":"tmp.semgrep-rules.java.lang.security.audit.insecure-smtp-connection","name":"tmp.semgrep-rules.java.lang.security.audit.insecure-smtp-connection","properties":{"precision":"very-high","tags":["CWE-297: Improper Validation of Certificate with Host Mismatch","MEDIUM CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","OWASP-A07:2025 - Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.insecure-smtp-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Semgrep found potential reverse shell behavior"},"help":{"markdown":"Semgrep found potential reverse shell behavior\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Semgrep found potential reverse shell behavior"},"id":"tmp.semgrep-rules.java.lang.security.audit.java-reverse-shell","name":"tmp.semgrep-rules.java.lang.security.audit.java-reverse-shell","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.java-reverse-shell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);'"},"help":{"markdown":"Possible JDBC injection detected. 
Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);'\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Possible JDBC injection detected. Use the parameterized query feature available in queryForObject instead of concatenating or formatting strings: 'jdbc.queryForObject(\"select * from table where name = ?\", Integer.class, parameterName);'"},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_SPRING_JDBC","id":"tmp.semgrep-rules.java.lang.security.audit.jdbc-sql-formatted-string","name":"tmp.semgrep-rules.java.lang.security.audit.jdbc-sql-formatted-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.jdbc-sql-formatted-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution."},"help":{"markdown":"An object-returning LDAP search will allow attackers to control the LDAP response. 
This could lead to Remote Code Execution.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)\n","text":"An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#LDAP_ENTRY_POISONING","id":"tmp.semgrep-rules.java.lang.security.audit.ldap-entry-poisoning","name":"tmp.semgrep-rules.java.lang.security.audit.ldap-entry-poisoning","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.ldap-entry-poisoning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data."},"help":{"markdown":"Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. 
Ensure data passed to an LDAP query is not controllable; or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-constant data passed into an LDAP query. If this data can be controlled by an external user, this is an LDAP injection. Ensure data passed to an LDAP query is not controllable; or properly sanitize the data."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#LDAP_INJECTION","id":"tmp.semgrep-rules.java.lang.security.audit.ldap-injection","name":"tmp.semgrep-rules.java.lang.security.audit.ldap-injection","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.ldap-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. 
You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`.\n\nReferences:\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory](https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SecretKeyFactory)\n - [https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.html)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as PBKDF2 or bcrypt. You can use `javax.crypto.SecretKeyFactory` with `SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\")` or, if using Spring, `org.springframework.security.crypto.bcrypt`."},"id":"tmp.semgrep-rules.java.lang.security.audit.md5-used-as-password","name":"tmp.semgrep-rules.java.lang.security.audit.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.md5-used-as-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found object deserialization using ObjectInputStream. 
Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object."},"help":{"markdown":"Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION)\n - [https://www.owasp.org/index.php/Deserialization_of_untrusted_data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data)\n - [https://www.oracle.com/java/technologies/javase/seccodeguide.html#8](https://www.oracle.com/java/technologies/javase/seccodeguide.html#8)\n","text":"Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. 
If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION","id":"tmp.semgrep-rules.java.lang.security.audit.object-deserialization","name":"tmp.semgrep-rules.java.lang.security.audit.object-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.object-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#OGNL_INJECTION","id":"tmp.semgrep-rules.java.lang.security.audit.ognl-injection","name":"tmp.semgrep-rules.java.lang.security.audit.ognl-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.ognl-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"help":{"markdown":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected file permissions that are overly permissive (read, write, and execute). 
It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#OVERLY_PERMISSIVE_FILE_PERMISSION","id":"tmp.semgrep-rules.java.lang.security.audit.overly-permissive-file-permission","name":"tmp.semgrep-rules.java.lang.security.audit.overly-permissive-file-permission","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.overly-permissive-file-permission"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks."},"help":{"markdown":"https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n\nReferences:\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other 
attacks."},"id":"tmp.semgrep-rules.java.lang.security.audit.permissive-cors","name":"tmp.semgrep-rules.java.lang.security.audit.permissive-cors","properties":{"precision":"very-high","tags":["CWE-183: Permissive List of Allowed Inputs","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.permissive-cors"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability."},"help":{"markdown":"Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SCRIPT_ENGINE_INJECTION","id":"tmp.semgrep-rules.java.lang.security.audit.script-engine-injection","name":"tmp.semgrep-rules.java.lang.security.audit.script-engine-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.script-engine-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION_HIBERNATE","id":"tmp.semgrep-rules.java.lang.security.audit.sqli.hibernate-sqli","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"id":"tmp.semgrep-rules.java.lang.security.audit.sqli.jdbc-sqli","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.jdbc-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.jdbc-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. 
This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"id":"tmp.semgrep-rules.java.lang.security.audit.sqli.jdo-sqli","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.jdo-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.jdo-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'."},"id":"tmp.semgrep-rules.java.lang.security.audit.sqli.jpa-sqli","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\nReferences:\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. 
Use parameterized SQL queries or properly sanitize user input instead."},"id":"tmp.semgrep-rules.java.lang.security.audit.sqli.tainted-sql-from-http-request","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.tainted-sql-from-http-request","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.tainted-sql-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'."},"id":"tmp.semgrep-rules.java.lang.security.audit.sqli.turbine-sqli","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.turbine-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.turbine-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'."},"id":"tmp.semgrep-rules.java.lang.security.audit.sqli.vertx-sqli","name":"tmp.semgrep-rules.java.lang.security.audit.sqli.vertx-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.sqli.vertx-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected input from a HTTPServletRequest going into a 'ProcessBuilder' or 'exec' command. This could lead to command injection if variables passed into the exec commands are not properly sanitized. 
Instead, avoid using these OS commands with user-supplied input, or, if you must use these commands, use a whitelist of specific values."},"id":"tmp.semgrep-rules.java.lang.security.audit.tainted-cmd-from-http-request","name":"tmp.semgrep-rules.java.lang.security.audit.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`."},"help":{"markdown":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. 
`exec({\"command\", \"arg1\", \"arg2\"})`."},"id":"tmp.semgrep-rules.java.lang.security.audit.tainted-env-from-http-request","name":"tmp.semgrep-rules.java.lang.security.audit.tainted-env-from-http-request","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.tainted-env-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. 
Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"id":"tmp.semgrep-rules.java.lang.security.audit.tainted-ldapi-from-http-request","name":"tmp.semgrep-rules.java.lang.security.audit.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls.\n\nReferences:\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Detected input from a HTTPServletRequest going into a session command, like `setAttribute`. 
User input into such a command could lead to an attacker inputting malicious code into your session parameters, blurring the line between what's trusted and untrusted, and therefore leading to a trust boundary violation. This could lead to programmers trusting unvalidated data. Instead, thoroughly sanitize user input before passing it into such function calls."},"id":"tmp.semgrep-rules.java.lang.security.audit.tainted-session-from-http-request","name":"tmp.semgrep-rules.java.lang.security.audit.tainted-session-from-http-request","properties":{"precision":"very-high","tags":["CWE-501: Trust Boundary Violation","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.tainted-session-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can."},"help":{"markdown":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected input from a HTTPServletRequest going into a XPath evaluate or compile command. 
This could lead to xpath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Instead, thoroughly sanitize user input or use parameterized xpath queries if you can."},"id":"tmp.semgrep-rules.java.lang.security.audit.tainted-xpath-from-http-request","name":"tmp.semgrep-rules.java.lang.security.audit.tainted-xpath-from-http-request","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.tainted-xpath-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"help":{"markdown":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. 
This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"helpUri":"https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection","id":"tmp.semgrep-rules.java.lang.security.audit.unsafe-reflection","name":"tmp.semgrep-rules.java.lang.security.audit.unsafe-reflection","properties":{"precision":"very-high","tags":["CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.unsafe-reflection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs."},"help":{"markdown":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. 
Consider using an allowlist to validate URLs.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT","id":"tmp.semgrep-rules.java.lang.security.audit.unvalidated-redirect","name":"tmp.semgrep-rules.java.lang.security.audit.unvalidated-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.unvalidated-redirect"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties."},"help":{"markdown":"URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"URL rewriting has significant security risks. 
Since session ID appears in the URL, it may be easily seen by third parties."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#URL_REWRITING","id":"tmp.semgrep-rules.java.lang.security.audit.url-rewriting","name":"tmp.semgrep-rules.java.lang.security.audit.url-rewriting","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.url-rewriting"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. 
Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"id":"tmp.semgrep-rules.java.lang.security.audit.weak-ssl-context","name":"tmp.semgrep-rules.java.lang.security.audit.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.weak-ssl-context"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"help":{"markdown":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#XML_DECODER)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n","text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. 
See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#XML_DECODER","id":"tmp.semgrep-rules.java.lang.security.audit.xml-decoder","name":"tmp.semgrep-rules.java.lang.security.audit.xml-decoder","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xml-decoder"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"help":{"markdown":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n","text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. 
Ensure no external data can reach here, or remove 'escape=false' from this element."},"id":"tmp.semgrep-rules.java.lang.security.audit.xss.jsf.autoescape-disabled","name":"tmp.semgrep-rules.java.lang.security.audit.xss.jsf.autoescape-disabled","properties":{"precision":"very-high","tags":["CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences","LOW CONFIDENCE","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xss.jsf.autoescape-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files."},"help":{"markdown":"JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files.\n\nReferences:\n - [https://stackoverflow.com/a/3180202](https://stackoverflow.com/a/3180202)\n - [https://stackoverflow.com/a/4948856](https://stackoverflow.com/a/4948856)\n","text":"JSP scriptlet detected. Scriptlets are difficult to use securely and are considered bad practice. See https://stackoverflow.com/a/3180202. 
Instead, consider migrating to JSF or using the Expression Language '${...}' with the escapeXml function in your JSP files."},"id":"tmp.semgrep-rules.java.lang.security.audit.xss.jsp.no-scriptlets","name":"tmp.semgrep-rules.java.lang.security.audit.xss.jsp.no-scriptlets","properties":{"precision":"very-high","tags":["CWE-116: Improper Encoding or Escaping of Output","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xss.jsp.no-scriptlets"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information."},"help":{"markdown":"Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information.\n\nReferences:\n - [https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm](https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm)\n - [https://stackoverflow.com/a/4948856](https://stackoverflow.com/a/4948856)\n - [https://stackoverflow.com/a/3180202](https://stackoverflow.com/a/3180202)\n","text":"Detected an Expression Language segment that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'escapeXml' function from the JSTL taglib. 
See https://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.xss.jsp.use-escapexml","name":"tmp.semgrep-rules.java.lang.security.audit.xss.jsp.use-escapexml","properties":{"precision":"very-high","tags":["CWE-116: Improper Encoding or Escaping of Output","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xss.jsp.use-escapexml"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information."},"help":{"markdown":"Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information.\n\nReferences:\n - [https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm](https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm)\n - [https://stackoverflow.com/a/4948856](https://stackoverflow.com/a/4948856)\n - [https://stackoverflow.com/a/3180202](https://stackoverflow.com/a/3180202)\n","text":"Detected an Expression Language segment in a tag that does not escape output. This is dangerous because if any data in this expression can be controlled externally, it is a cross-site scripting vulnerability. Instead, use the 'out' tag from the JSTL taglib to escape this expression. 
See https://www.tutorialspoint.com/jsp/jstl_core_out_tag.htm for more information."},"id":"tmp.semgrep-rules.java.lang.security.audit.xss.jsp.use-jstl-escaping","name":"tmp.semgrep-rules.java.lang.security.audit.xss.jsp.use-jstl-escaping","properties":{"precision":"very-high","tags":["CWE-116: Improper Encoding or Escaping of Output","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xss.jsp.use-jstl-escaping"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."},"help":{"markdown":"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views.\n\nReferences:\n - [https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html](https://www3.ntu.edu.sg/home/ehchua/programming/java/JavaServerFaces.html)\n","text":"Detected a request with potential user-input going into a OutputStream or Writer object. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. 
Consider using a view technology such as JavaServer Faces (JSFs) which automatically escapes HTML views."},"id":"tmp.semgrep-rules.java.lang.security.audit.xss.no-direct-response-writer","name":"tmp.semgrep-rules.java.lang.security.audit.xss.no-direct-response-writer","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xss.no-direct-response-writer"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"help":{"markdown":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. 
It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#XSS_REQUEST_WRAPPER","id":"tmp.semgrep-rules.java.lang.security.audit.xssrequestwrapper-is-insecure","name":"tmp.semgrep-rules.java.lang.security.audit.xssrequestwrapper-is-insecure","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xssrequestwrapper-is-insecure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"id":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false","name":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"id":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing","name":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"id":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true","name":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. 
Disable this by setting the feature \"http://xml.org/sax/features/external-parameter-entities\" to false."},"id":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true","name":"tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xxe.documentbuilderfactory-external-parameter-entities-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory."},"help":{"markdown":"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. 
This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. 
For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory."},"id":"tmp.semgrep-rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing","name":"tmp.semgrep-rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. 
Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"id":"tmp.semgrep-rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled","name":"tmp.semgrep-rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"help":{"markdown":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. 
Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n","text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"id":"tmp.semgrep-rules.java.lang.security.do-privileged-use","name":"tmp.semgrep-rules.java.lang.security.do-privileged-use","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2025 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.do-privileged-use"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. 
To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN","id":"tmp.semgrep-rules.java.lang.security.httpservlet-path-traversal","name":"tmp.semgrep-rules.java.lang.security.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. 
In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method."},"help":{"markdown":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\nReferences:\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n","text":"JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. 
In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method."},"id":"tmp.semgrep-rules.java.lang.security.insecure-jms-deserialization","name":"tmp.semgrep-rules.java.lang.security.insecure-jms-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.insecure-jms-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization."},"help":{"markdown":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. 
In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.\n\nReferences:\n - [https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038](https://swapneildash.medium.com/understanding-insecure-implementation-of-jackson-deserialization-7b3d409d2038)\n - [https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062](https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)\n - [https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/](https://adamcaudill.com/2017/10/04/exploiting-jackson-rce-cve-2017-7525/)\n","text":"When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control `$JSON` it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. 
In order to prevent this issue, avoid to enable default typing (globally or by using \"Per-class\" annotations) and avoid using `Object` and other dangerous types for member variable declaration which creating classes for Jackson based deserialization."},"id":"tmp.semgrep-rules.java.lang.security.jackson-unsafe-deserialization","name":"tmp.semgrep-rules.java.lang.security.jackson-unsafe-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A8:2017 Insecure Deserialization","OWASP-A8:2021 Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.jackson-unsafe-deserialization"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"A regular expression is being used directly from a String method parameter. This could be a Regular Expression Denial of Service (ReDoS) vulnerability if the parameter is user-controlled and not properly validated. Ensure that a validation is in place to prevent evaluation using a regular expression prone to ReDoS."},"help":{"markdown":"A regular expression is being used directly from a String method parameter. This could be a Regular Expression Denial of Service (ReDoS) vulnerability if the parameter is user-controlled and not properly validated. Ensure that a validation is in place to prevent evaluation using a regular expression prone to ReDoS.\n\nReferences:\n - [https://en.wikipedia.org/wiki/ReDoS](https://en.wikipedia.org/wiki/ReDoS)\n - [https://learn.snyk.io/lesson/redos](https://learn.snyk.io/lesson/redos)\n","text":"A regular expression is being used directly from a String method parameter. This could be a Regular Expression Denial of Service (ReDoS) vulnerability if the parameter is user-controlled and not properly validated. 
Ensure that a validation is in place to prevent evaluation using a regular expression prone to ReDoS."},"id":"tmp.semgrep-rules.java.lang.security.java-pattern-from-string-parameter","name":"tmp.semgrep-rules.java.lang.security.java-pattern-from-string-parameter","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","LOW CONFIDENCE","OWASP-A03:2021 Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.java-pattern-from-string-parameter"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'."},"help":{"markdown":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. 
Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#XSS_SERVLET","id":"tmp.semgrep-rules.java.lang.security.servletresponse-writer-xss","name":"tmp.semgrep-rules.java.lang.security.servletresponse-writer-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.servletresponse-writer-xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"help":{"markdown":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n","text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) 
constructor instead, with SafeConstructor or a custom Constructor as the argument."},"id":"tmp.semgrep-rules.java.lang.security.use-snakeyaml-constructor","name":"tmp.semgrep-rules.java.lang.security.use-snakeyaml-constructor","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.use-snakeyaml-constructor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n","text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. 
Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"id":"tmp.semgrep-rules.java.lang.security.xmlinputfactory-external-entities-enabled","name":"tmp.semgrep-rules.java.lang.security.xmlinputfactory-external-entities-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.xmlinputfactory-external-entities-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. 
Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n","text":"XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"id":"tmp.semgrep-rules.java.lang.security.xmlinputfactory-possible-xxe","name":"tmp.semgrep-rules.java.lang.security.xmlinputfactory-possible-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A02:2025 - Security Misconfiguration","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.lang.security.xmlinputfactory-possible-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-constant data passed into a NoSQL query using the 'where' evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. 
Ideally, avoid using the 'where' operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc."},"help":{"markdown":"Detected non-constant data passed into a NoSQL query using the 'where' evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. Ideally, avoid using the 'where' operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.mongodb.com/docs/manual/tutorial/query-documents/](https://www.mongodb.com/docs/manual/tutorial/query-documents/)\n - [https://www.mongodb.com/docs/manual/reference/operator/query/where/](https://www.mongodb.com/docs/manual/reference/operator/query/where/)\n","text":"Detected non-constant data passed into a NoSQL query using the 'where' evaluation operator. If this data can be controlled by an external user, this is a NoSQL injection. Ensure data passed to the NoSQL query is not user controllable, or properly sanitize the data. 
Ideally, avoid using the 'where' operator at all and instead use the helper methods provided by com.mongodb.client.model.Filters with comparative operators such as eq, ne, lt, gt, etc."},"id":"tmp.semgrep-rules.java.mongodb.security.injection.audit.mongodb-nosqli","name":"tmp.semgrep-rules.java.mongodb.security.injection.audit.mongodb-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.mongodb.security.injection.audit.mongodb-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n","text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. 
Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"id":"tmp.semgrep-rules.java.rmi.security.server-dangerous-class-deserialization","name":"tmp.semgrep-rules.java.rmi.security.server-dangerous-class-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.rmi.security.server-dangerous-class-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. 
Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [https://frohoff.github.io/appseccali-marshalling-pickles/](https://frohoff.github.io/appseccali-marshalling-pickles/)\n - [https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi](https://book.hacktricks.xyz/network-services-pentesting/1099-pentesting-java-rmi)\n - [https://youtu.be/t_aw1mDNhzI](https://youtu.be/t_aw1mDNhzI)\n - [https://github.com/qtc-de/remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)\n - [https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331](https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L303C4-L331)\n","text":"Using an arbitrary object ('$PARAMTYPE $PARAM') with Java RMI is an insecure deserialization vulnerability. This object can be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"id":"tmp.semgrep-rules.java.rmi.security.server-dangerous-object-deserialization","name":"tmp.semgrep-rules.java.rmi.security.server-dangerous-object-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","OWASP-A08:2025 - Software or Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.rmi.security.server-dangerous-object-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default session middleware settings: `setSecure` not set to true. 
This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks."},"help":{"markdown":"Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\nReferences:\n - [https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)](https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean))\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks."},"id":"tmp.semgrep-rules.java.servlets.security.cookie-issecure-false","name":"tmp.semgrep-rules.java.servlets.security.cookie-issecure-false","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.servlets.security.cookie-issecure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks."},"help":{"markdown":"Default session middleware settings: `setSecure` not set to true. 
This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\nReferences:\n - [https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)](https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean))\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks."},"id":"tmp.semgrep-rules.java.servlets.security.cookie-setSecure","name":"tmp.semgrep-rules.java.servlets.security.cookie-setSecure","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2025 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.servlets.security.cookie-setSecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The tag \"http-method\" is used to specify on which HTTP methods the java web security constraint apply. The target security constraints could be bypassed if a non listed HTTP method is used. Inverse the logic by using the tag \"http-method-omission\" to define for which HTTP methods the security constraint do not apply. Using this way, only expected allowed HTTP methods will be skipped by the security constraint."},"help":{"markdown":"The tag \"http-method\" is used to specify on which HTTP methods the java web security constraint apply. The target security constraints could be bypassed if a non listed HTTP method is used. Inverse the logic by using the tag \"http-method-omission\" to define for which HTTP methods the security constraint do not apply. 
Using this way, only expected allowed HTTP methods will be skipped by the security constraint.\n\nReferences:\n - [https://docs.oracle.com/javaee/7/tutorial/security-webtier002.htm](https://docs.oracle.com/javaee/7/tutorial/security-webtier002.htm)\n - [https://jakarta.ee/learn/docs/jakartaee-tutorial/current/security/security-advanced/security-advanced.html#_securing_http_resources](https://jakarta.ee/learn/docs/jakartaee-tutorial/current/security/security-advanced/security-advanced.html#_securing_http_resources)\n","text":"The tag \"http-method\" is used to specify on which HTTP methods the java web security constraint apply. The target security constraints could be bypassed if a non listed HTTP method is used. Inverse the logic by using the tag \"http-method-omission\" to define for which HTTP methods the security constraint do not apply. Using this way, only expected allowed HTTP methods will be skipped by the security constraint."},"id":"tmp.semgrep-rules.java.servlets.security.security-constraint-http-method","name":"tmp.semgrep-rules.java.servlets.security.security-constraint-http-method","properties":{"precision":"very-high","tags":["CWE-863: Incorrect Authorization","LOW CONFIDENCE","OWASP-A01:2021 Broken Access Control","OWASP-A05:2021 Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.servlets.security.security-constraint-http-method"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A Spring expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SPEL_INJECTION","id":"tmp.semgrep-rules.java.spring.security.audit.spel-injection","name":"tmp.semgrep-rules.java.spring.security.audit.spel-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spel-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured."},"help":{"markdown":"Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. 
Please double-check if the actuators are needed and properly secured.\n\nReferences:\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuators \"$...ACTUATORS\" are enabled. Depending on the actuators, this can pose a significant security risk. Please double-check if the actuators are needed and properly secured."},"id":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled","name":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured."},"help":{"markdown":"Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. 
Please double-check if the actuator is needed and properly secured.\n\nReferences:\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator \"$ACTUATOR\" is enabled. Depending on the actuator, this can pose a significant security risk. Please double-check if the actuator is needed and properly secured."},"id":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled-yaml","name":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled-yaml","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-actuator-dangerous-endpoints-enabled-yaml"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. 
This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"id":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-fully-enabled","name":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-fully-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-actuator-fully-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. 
This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk.\n\nReferences:\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. 
Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a severe security risk."},"id":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-fully-enabled-yaml","name":"tmp.semgrep-rules.java.spring.security.audit.spring-actuator-fully-enabled-yaml","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-actuator-fully-enabled-yaml"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"CSRF protection is disabled for this configuration. This is a security risk."},"help":{"markdown":"CSRF protection is disabled for this configuration. This is a security risk.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"CSRF protection is disabled for this configuration. This is a security risk."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_PROTECTION_DISABLED","id":"tmp.semgrep-rules.java.spring.security.audit.spring-csrf-disabled","name":"tmp.semgrep-rules.java.spring.security.audit.spring-csrf-disabled","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-csrf-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A Spring expression is built with a dynamic value. 
The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#JSP_SPRING_EVAL","id":"tmp.semgrep-rules.java.spring.security.audit.spring-jsp-eval","name":"tmp.semgrep-rules.java.spring.security.audit.spring-jsp-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-jsp-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. 
You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a string argument from a public method contract in a raw SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"id":"tmp.semgrep-rules.java.spring.security.audit.spring-sqli","name":"tmp.semgrep-rules.java.spring.security.audit.spring-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated."},"help":{"markdown":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Application redirects a user to a destination URL specified by a user supplied parameter that is not validated."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT","id":"tmp.semgrep-rules.java.spring.security.audit.spring-unvalidated-redirect","name":"tmp.semgrep-rules.java.spring.security.audit.spring-unvalidated-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open 
Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.audit.spring-unvalidated-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) 
to only retrieve the file name from the path."},"id":"tmp.semgrep-rules.java.spring.security.injection.tainted-file-path","name":"tmp.semgrep-rules.java.spring.security.injection.tainted-file-path","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.injection.tainted-file-path"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. 
You can use the OWASP ESAPI encoder if you must render user data."},"id":"tmp.semgrep-rules.java.spring.security.injection.tainted-html-string","name":"tmp.semgrep-rules.java.spring.security.injection.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.injection.tainted-html-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\nReferences:\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). 
Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."},"id":"tmp.semgrep-rules.java.spring.security.injection.tainted-sql-string","name":"tmp.semgrep-rules.java.spring.security.injection.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.injection.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. 
Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"id":"tmp.semgrep-rules.java.spring.security.injection.tainted-system-command","name":"tmp.semgrep-rules.java.spring.security.injection.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","OWASP-A05:2025 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.injection.tainted-system-command"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. 
This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\nReferences:\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. 
Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters."},"id":"tmp.semgrep-rules.java.spring.security.injection.tainted-url-host","name":"tmp.semgrep-rules.java.spring.security.injection.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A01:2025 - Broken Access Control","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.injection.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"help":{"markdown":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n","text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. 
CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"helpUri":"https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING","id":"tmp.semgrep-rules.java.spring.security.unrestricted-request-mapping","name":"tmp.semgrep-rules.java.spring.security.unrestricted-request-mapping","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A01:2025 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: tmp.semgrep-rules.java.spring.security.unrestricted-request-mapping"}}],"semanticVersion":"1.159.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file diff --git a/src/test/java/ru/itmo/testing/lab4/pentest/BrokenAccessControlPentestTest.java b/src/test/java/ru/itmo/testing/lab4/pentest/BrokenAccessControlPentestTest.java new file mode 100644 index 0000000..101e587 --- /dev/null +++ b/src/test/java/ru/itmo/testing/lab4/pentest/BrokenAccessControlPentestTest.java 
@@ -0,0 +1,64 @@
+package ru.itmo.testing.lab4.pentest;
+
+import io.javalin.Javalin;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import ru.itmo.testing.lab4.controller.UserAnalyticsController;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Pentest: отсутствие аутентификации и проверки владельца ресурса (IDOR / broken access control, CWE-639).
+ * Любой клиент с знанием {@code userId} читает профиль и метрики жертвы.
+ */
+class BrokenAccessControlPentestTest {
+
+ private static final int TEST_PORT = 7781;
+ private static final String BASE = "http://localhost:" + TEST_PORT;
+ private static final String SECRET_NAME = "VictimSecretName_42";
+
+ private static Javalin app;
+ private static HttpClient http;
+
+ @BeforeAll
+ static void start() {
+ app = UserAnalyticsController.createApp();
+ app.start(TEST_PORT);
+ http = HttpClient.newHttpClient();
+ }
+
+ @AfterAll
+ static void stop() {
+ app.stop();
+ }
+
+ @Test
+ @DisplayName("[SECURITY] без токена: чужой userId открывает профиль (IDOR)")
+ void userProfileReadableWithoutAuth() throws Exception {
+ String enc = URLEncoder.encode(SECRET_NAME, StandardCharsets.UTF_8);
+ send("POST", BASE + "/register?userId=victim_idor&userName=" + enc);
+
+ HttpResponse res = send("GET", BASE + "/userProfile?userId=victim_idor");
+
+ assertEquals(200, res.statusCode());
+ assertTrue(res.body().contains(SECRET_NAME),
+ "имя жертвы доступно любому, кто угадал/узнал userId — нет авторизации");
+ }
+
+ private static HttpResponse send(String method, String uri) throws Exception {
+ HttpRequest req = HttpRequest.newBuilder()
+ .uri(URI.create(uri))
+ .method(method, HttpRequest.BodyPublishers.noBody())
+ .build();
+ return http.send(req, HttpResponse.BodyHandlers.ofString());
+ }
+}
diff --git a/src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java b/src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java
new file mode 100644
index 0000000..b89b3fd
--- /dev/null
+++ b/src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java
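Review bot: The assertions at the end of `userProfileReadableWithoutAuth` pin the exploitable behaviour (`assertEquals(200, res.statusCode())` and the body containing `SECRET_NAME`), so the test stays green while the app leaks and turns red once access control is added — the inverse of what a regression suite needs. Keep the probe but assert the intended contract, e.g. `assertTrue(res.statusCode() == 401 || res.statusCode() == 403, "profile must require an authenticated owner")` and `assertFalse(res.body().contains(SECRET_NAME))`, or mark the class explicitly as an exploitation record that is expected to fail after the fix. Note also that the victim is created through the same unauthenticated `/register`, so what is demonstrated is missing authentication (CWE-306) rather than an IDOR between authenticated users; the class Javadoc should say so. The fixed `TEST_PORT = 7781` will collide when test classes run in parallel or the port is already taken — starting on port 0 and reading the bound port back from the Javalin instance avoids that (check the Javalin API version in use).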
@@ -0,0 +1,61 @@
+package ru.itmo.testing.lab4.pentest;
+
+import io.javalin.Javalin;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import ru.itmo.testing.lab4.controller.UserAnalyticsController;
+
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Pentest: CWE-209 — генерация сообщений об ошибках с деталями исключений (утечка внутренней структуры валидации).
+ * После исправления: обобщённое сообщение пользователю, детали только в логах.
+ */
+class ErrorDisclosurePentestTest {
+
+ private static final int TEST_PORT = 7780;
+ private static final String BASE = "http://localhost:" + TEST_PORT;
+
+ private static Javalin app;
+ private static HttpClient http;
+
+ @BeforeAll
+ static void start() {
+ app = UserAnalyticsController.createApp();
+ app.start(TEST_PORT);
+ http = HttpClient.newHttpClient();
+ }
+
+ @AfterAll
+ static void stop() {
+ app.stop();
+ }
+
+ @Test
+ @DisplayName("[SECURITY] recordSession: тело 400 содержит текст исключения парсера даты")
+ void parseErrorExposesExceptionMessage() throws Exception {
+ send("POST", BASE + "/register?userId=pt_err&userName=E");
+ String q = "/recordSession?userId=pt_err&loginTime=not-a-date&logoutTime=2025-01-01T12:00:00";
+ HttpResponse res = send("POST", BASE + q);
+
+ assertEquals(400, res.statusCode());
+ assertTrue(res.body().startsWith("Invalid data: "), "префикс раскрывает тип ошибки");
+ assertTrue(res.body().contains("could not be parsed"),
+ "в ответе клиенту — детали java.time (не должны утекать в проде)");
+ }
+
+ private static HttpResponse send(String method, String uri) throws Exception {
+ HttpRequest req = HttpRequest.newBuilder()
+ .uri(URI.create(uri))
+ .method(method, HttpRequest.BodyPublishers.noBody())
+ .build();
+ return http.send(req, HttpResponse.BodyHandlers.ofString());
+ }
+}
diff --git a/src/test/java/ru/itmo/testing/lab4/pentest/NotifyUnsafeCallbackPentestTest.java b/src/test/java/ru/itmo/testing/lab4/pentest/NotifyUnsafeCallbackPentestTest.java
new file mode 100644
index 0000000..dbfd253
--- /dev/null
+++ b/src/test/java/ru/itmo/testing/lab4/pentest/NotifyUnsafeCallbackPentestTest.java
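Review bot: `parseErrorExposesExceptionMessage` asserts the leak itself (`startsWith("Invalid data: ")`, `contains("could not be parsed")`), although the class Javadoc states that after the fix the client must get a generic message — as written the test fails exactly when the fix lands. Assert the hardened contract instead: `assertEquals(400, res.statusCode()); assertFalse(res.body().contains("could not be parsed"), "no parser internals in the client-facing body");` and keep the current assertions only as a documented pre-fix exploitation run. The `could not be parsed` fragment is `java.time` parser wording and will also break if the server changes how it parses dates, so a negative check for any exception text (class names, the `Exception` token) is a more stable regression guard. The fixed port 7780 has the same concurrency problem as the sibling classes: it collides when suites run in parallel.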
@@ -0,0 +1,70 @@
+package ru.itmo.testing.lab4.pentest;
+
+import io.javalin.Javalin;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.Assumptions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import ru.itmo.testing.lab4.controller.UserAnalyticsController;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Pentest: небезопасная обработка {@code callbackUrl} в {@code POST /notify} (CWE-918, чтение локальных ресурсов).
+ * После исправления: только http/https к allowlist-хостам, без {@code file:}.
+ */
+class NotifyUnsafeCallbackPentestTest {
+
+ private static final int TEST_PORT = 7779;
+ private static final String BASE = "http://localhost:" + TEST_PORT;
+
+ private static Javalin app;
+ private static HttpClient http;
+
+ @BeforeAll
+ static void start() {
+ app = UserAnalyticsController.createApp();
+ app.start(TEST_PORT);
+ http = HttpClient.newHttpClient();
+ }
+
+ @AfterAll
+ static void stop() {
+ app.stop();
+ }
+
+ @Test
+ @DisplayName("[SECURITY] notify: file:// отдаёт содержимое локального файла в ответе API")
+ void fileSchemeLeaksLocalFileContent() throws Exception {
+ Assumptions.assumeTrue(Files.isReadable(Path.of("/etc/passwd")), "нужен Unix с читаемым /etc/passwd");
+
+ send("POST", BASE + "/register?userId=pt_notify&userName=N");
+
+ String url = "file:///etc/passwd";
+ String q = "/notify?userId=pt_notify&callbackUrl=" + URLEncoder.encode(url, StandardCharsets.UTF_8);
+ HttpResponse res = send("POST", BASE + q);
+
+ assertEquals(200, res.statusCode());
+ assertTrue(res.body().startsWith("Notification sent. Response:"),
+ "успешный ответ со встроенным телом «ответа» URL");
+ assertTrue(res.body().contains("root:"), "в теле API утекло содержимое /etc/passwd");
+ }
+
+ private static HttpResponse send(String method, String uri) throws Exception {
+ HttpRequest req = HttpRequest.newBuilder()
+ .uri(URI.create(uri))
+ .method(method, HttpRequest.BodyPublishers.noBody())
+ .build();
+ return http.send(req, HttpResponse.BodyHandlers.ofString());
+ }
+}
diff --git a/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java b/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java
new file mode 100644
index 0000000..78033f5
--- /dev/null
+++ b/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java
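Review bot: The test exercises only the `file:` scheme, while the Javadoc promises an http/https allowlist fix; an implementation that merely rejects non-HTTP schemes still leaves the SSRF open to loopback, link-local (169.254.169.254 metadata) and private-range hosts, and to redirects into them. Add a second case that targets the application itself, e.g. `callbackUrl=http://localhost:7779/userProfile?userId=pt_notify`, and assert that after hardening it is refused with a 4xx rather than answered with the profile HTML; the allowlist check should be applied to the resolved address and to every redirect hop, not only to the literal host string. As in the sibling classes, `assertEquals(200, ...)` and `contains("root:")` pin the vulnerable state, so the test goes red precisely when the fix is correct — flip them to `assertNotEquals(200, res.statusCode())` / `assertFalse(res.body().contains("root:"))` or mark the class as a pre-fix record. The `Assumptions.assumeTrue(Files.isReadable(...))` guard is the right way to keep this portable, and the pentest class that writes to `/tmp` should use the same pattern.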
@@ -0,0 +1,69 @@
+package ru.itmo.testing.lab4.pentest;
+
+import io.javalin.Javalin;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import ru.itmo.testing.lab4.controller.UserAnalyticsController;
+
+import java.net.URI;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * Pentest: CWE-22 — path traversal через параметр {@code filename} в {@code GET /exportReport}.
+ * После исправления: файл должен создаваться только внутри доверенной базовой директории.
+ */
+class PathTraversalExportPentestTest {
+
+ private static final int TEST_PORT = 7778;
+ private static final String BASE = "http://localhost:" + TEST_PORT;
+ private static final Path ESCAPED_FILE = Path.of("/tmp/pentest_export_escape.txt");
+
+ private static Javalin app;
+ private static HttpClient http;
+
+ @BeforeAll
+ static void start() throws Exception {
+ Files.deleteIfExists(ESCAPED_FILE);
+ app = UserAnalyticsController.createApp();
+ app.start(TEST_PORT);
+ http = HttpClient.newHttpClient();
+ }
+
+ @AfterAll
+ static void stop() throws Exception {
+ app.stop();
+ Files.deleteIfExists(ESCAPED_FILE);
+ }
+
+ @Test
+ @DisplayName("[SECURITY] exportReport: ../ в filename записывает файл вне /tmp/reports/")
+ void exportWithDotDotEscapesBaseDirectory() throws Exception {
+ send("POST", BASE + "/register?userId=pt_export&userName=User");
+
+ String q = "/exportReport?userId=pt_export&filename=..%2F..%2Ftmp%2Fpentest_export_escape.txt";
+ HttpResponse res = send("GET", BASE + q);
+
+ assertEquals(200, res.statusCode(), "сервер принимает traversal без ошибки");
+ assertTrue(res.body().contains(".."), "ответ содержит «сырой» путь с ..");
+ assertTrue(Files.exists(ESCAPED_FILE),
+ "файл создан вне каталога отчётов (нормализация пути уходит в /tmp/)");
+ String content = Files.readString(ESCAPED_FILE);
+ assertTrue(content.contains("Report for user:"), "содержимое — отчёт приложения");
+ }
+
+ private static HttpResponse send(String method, String uri) throws Exception {
+ HttpRequest req = HttpRequest.newBuilder()
+ .uri(URI.create(uri))
+ .method(method, HttpRequest.BodyPublishers.noBody())
+ .build();
+ return http.send(req, HttpResponse.BodyHandlers.ofString());
+ }
+}
diff --git "a/\320\236\320\242\320\247\320\225\320\242_\320\233\320\2404.md" "b/\320\236\320\242\320\247\320\225\320\242_\320\233\320\2404.md"
new file mode 100644
index 0000000..261b2d4
--- /dev/null
+++ "b/\320\236\320\242\320\247\320\225\320\242_\320\233\320\2404.md"
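Review bot: The traversal probe covers only the URL-encoded `..%2F` form, while a fix that merely strips `..` segments would still accept an absolute `filename=/tmp/pentest_export_escape.txt` or a `%2e%2e/` variant; the server-side check should be `base.resolve(name).normalize().startsWith(base)`, and this test should probe at least the absolute-path variant as well. The assertions pin the vulnerable state (`assertEquals(200, ...)`, `Files.exists(ESCAPED_FILE)`), so once the fix is in the class fails instead of guarding the regression — assert `assertFalse(Files.exists(ESCAPED_FILE))` together with a 4xx status, or mark the class as a pre-fix record. Unlike `NotifyUnsafeCallbackPentestTest`, this class touches `/tmp` without an `Assumptions` guard, and `Path.of("/tmp/...")` resolves to the drive root on Windows; add `Assumptions.assumeTrue(Files.isDirectory(Path.of("/tmp")), "needs a Unix /tmp")` at the top of the test. `assertTrue(res.body().contains(".."))` also ties the test to the server echoing the raw, un-normalized path back to the client, which is a separate information-disclosure point worth recording in the report.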
@@ -0,0 +1,382 @@ +# Отчёт по лабораторной работе №4 + +## Анализ и тестирование безопасности веб-приложения + +## Этап 1 — Asset Inventory (инвентаризация активов) + +### Таблица активов + + +| Актив | Тип | Ценность | Примечание | +| ------------------------------------------- | -------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Данные пользователей (`userId`, `userName`) | Данные | **Высокая** | Идентификаторы и отображаемые имена; при утечке или подмене нарушается конфиденциальность и доверие к профилям. | +| Данные о сессиях (время входа/выхода) | Данные | **Высокая** | Позволяют судить о поведении пользователя, рабочих паттернах; ценны для приватности и соответствия требованиям к персональным данным. | +| Файловая система сервера | Инфраструктура | **Высокая** | Эндпоинт `/exportReport` пишет в `/tmp/reports/`; компрометация путём подбора `filename` угрожает целостности ФС и доступности. | +| Внутренняя сеть / метаданные окружения | Инфраструктура | **Средняя–высокая** | `POST /notify` инициирует исходящий HTTP-запрос по `callbackUrl` (риск SSRF к внутренним сервисам); также через ответы/ошибки возможна утечка сведений об окружении. | + + +### Какие активы критичнее и почему? + +Наиболее критичны **данные пользователей и сессий** и **файловая система сервера**, если приложение обрабатывает реальную активность: + +1. **Персональные и поведенческие данные** напрямую затрагивают конфиденциальность и репутацию; их компрометацию не исправить, в отличие от временной недоступности сервиса. +2. **Файловая система** даёт опору для дальнейших атак (запись произвольных путей, переполнение диска, подготовка к цепочкам с другими уязвимостями). +3. 
**Доступ к внутренней сети** через контролируемый сервер (`callbackUrl`) может быть не «данными» в классическом смысле, но по последствиям сопоставим с компрометацией инфраструктуры. + +--- + +## Этап 2 — Threat Modeling (STRIDE) + +Общая особенность приложения: **нет механизма аутентификации и авторизации**; `userId` и прочие параметры задаёт клиент. Это усиливает риски подмены и несанкционированного доступа к данным по идентификатору. + +### Сводная таблица STRIDE + + +| Категория | Расшифровка | Применимо? | +| -------------------------- | --------------------- | ---------------------- | +| **S**poofing | Подмена идентификации | **Да** | +| **T**ampering | Модификация данных | **Да** | +| **R**epudiation | Отказ от авторства | **Да** (ограниченно) | +| **I**nformation Disclosure | Утечка данных | **Да** | +| **D**enial of Service | Отказ в обслуживании | **Да** | +| **E**levation of Privilege | Повышение привилегий | **Условно** (см. ниже) | + + +### Детализация по применимым угрозам + +#### Spoofing (подмена) + + +| | Комментарий | +| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | +| **Источник** | Любой клиент сети, достижимый до API; скрипты, другие сервисы без доверия. | +| **Поверхность атаки** | Все эндпоинты с `userId`: `/register`, `/recordSession`, `/totalActivity`, `/monthlyActivity`, `/userProfile`, `/exportReport`, `/notify`. | +| **Потенциальный ущерб** | Выполнение операций от имени чужого пользователя (просмотр профиля и метрик, запись сессий, экспорт отчётов, вызов webhook от имени `userId`). | + + +#### Tampering (модификация) + + +| | Комментарий | +| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Источник** | Тот же анонимный клиент. 
| +| **Поверхность атаки** | `POST /register` (создание/конфликт записей), `POST /recordSession` (искажение истории активности), `GET /exportReport` (`filename` — путь записи на диск). | +| **Потенциальный ущерб** | Искажение аналитики, перезапись или создание файлов вне ожидаемой директории (при слабой нормализации пути), порча отчётности. | + + +#### Repudiation (отказ от авторства) + + +| | Комментарий | +| ----------------------- | -------------------------------------------------------------------------------------------------------------- | +| **Источник** | Легитимный или злоумышленный клиент. | +| **Поверхность атаки** | Отсутствие журналирования действий с привязкой к субъекту (нет сессий, подписей запросов). | +| **Потенциальный ущерб** | Невозможность доказать, кто инициировал регистрацию, запись сессии или webhook; затруднённый инцидент-респонс. | + + +#### Information Disclosure (утечка) + + +| | Комментарий | +| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Источник** | Клиент, контролирующий параметры запроса и данные в хранилище (в т.ч. через `/register`). | +| **Поверхность атаки** | `GET /userProfile` (HTML со вставкой `userName`/`userId` — риск XSS, см. комментарий CWE-79 в коде), `GET /totalActivity`, `GET /monthlyActivity`, `GET /inactiveUsers`, тела ответов с текстом исключений (`Invalid data: …`, `Notification failed: …`). | +| **Потенциальный ущерб** | Утечка PII и активности пользователей, кража сессий браузера через XSS, раскрытие внутренних деталей через сообщения об ошибках. 
| + + +#### Denial of Service (отказ в обслуживании) + + +| | Комментарий | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Источник** | Клиент или цепочка через SSRF. | +| **Поверхность атаки** | `POST /notify` (долгие/зависающие URL, объём ответа в память), массовые `POST /recordSession` и `GET /exportReport` (рост in-memory хранилища и диска), `GET /inactiveUsers` с тяжёлыми вычислениями при большом числе пользователей. | +| **Потенциальный ущерб** | Исчерпание потоков/таймаутов, заполнение диска, деградация доступности API для всех. | + + +#### Elevation of Privilege (повышение привилегий) + + +| | Комментарий | +| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Источник** | Клиент, эксплуатирующий сервер как «доверенный» узел. | +| **Поверхность атаки** | В приложении нет ролей «пользователь/администратор»; повышение понимается как **выход за предусмотренную модель доступа**: запись файлов с правами процесса JVM (`/exportReport`), обращение к URL от имени сервера (`/notify`) к ресурсам, недоступным клиенту напрямую. | +| **Потенциальный ущерб** | Доступ к внутренним HTTP-интерфейсам, компрометация данных на стороне сервера через цепочки с записью в ФС или исполнением (если бы оно появилось в коде). | + + +--- + +## Этап 3 — Ручное тестирование + +Полный перечень запросов, точные команды и дословные ответы сервера приведены в файле `[РУЧНОЕ_ТЕСТИРОВАНИЕ.md](РУЧНОЕ_ТЕСТИРОВАНИЕ.md)`. Повторить прогон можно скриптом `[scripts/stage3_manual_curls.sh](scripts/stage3_manual_curls.sh)`. 
+ +### Выводы по эндпоинтам + +#### `POST /register` + +Обязательные параметры проверяются только на `null`: при полном отсутствии `userId`/`userName` возвращается **400** и текст `Missing parameters`. Строки со спецсимволами (`..%2F..%2Fevil`, длинное имя ~800 символов, XSS в `userName`) принимаются (**200**, `User registered: true`). Повторная регистрация с тем же `userId` даёт **200** с `false` — конфликт не считается ошибкой протокола. **Пустой** `userId` в query (`userId=&userName=x`) обрабатывается как обычная регистрация (**200**, `true`) — граничный случай: «отсутствие» не отличается от пустой строки. Ограничений на частоту запросов и размер полей не обнаружено. + +#### `POST /recordSession` + +Пропуск параметров → **400** `Missing parameters`. Некорректный ISO → **400**, тело `Invalid data: …` с **текстом исключения парсера** (утечка деталей валидации). Неизвестный пользователь → **404** `User not found`. Сессия с `logoutTime` **раньше** `loginTime` всё равно сохраняется (**200** `Session recorded`) — бизнес-валидация отсутствует; это приводит к **отрицательной** сумме минут в `/totalActivity`. + +#### `GET /totalActivity` + +Без `userId` → **400** `Missing userId`. Несуществующий `userId` → **200** и `0 minutes` (не 404). После «инвертированной» сессии у `stage3_sess` сумма стала **отрицательной** (`-30 minutes`) — логическая ошибка метрики. Спецсимволы в значении `userId` в URL обрабатываются как часть идентификатора; для несуществующего ключа снова **200** и ноль. + +#### `GET /inactiveUsers` + +Без `days` → **400**. Нечисловой `days` → **400** `Invalid number format for days`. После добавления в проект `**jackson-databind`** вызов `ctx.json(...)` сериализуется нормально: для `days=0` и `days=-1` на «чистом» сервере получен **200**, `Content-Type: application/json`, тело `**[]`** (пустой список — в памяти ещё нет пользователей с непустой историей сессий, подпадающих под критерий `findInactiveUsers`). 
Ранее без Jackson тот же сценарий давал **500** с JSON-ошибкой Javalin про отсутствие ObjectMapper. + +#### `GET /monthlyActivity` + +Пропуск параметров → **400** `Missing parameters`. Неверный формат месяца → **400**, снова с текстом исключения в теле. Пользователь без сессий → **400** `Invalid data: No sessions found for user`. При наличии сессий за запрошенный месяц после подключения Jackson ответ **200**, `application/json`, объект вида `**{"2025-01-10":60}`** (минуты по дням). Без зависимости Jackson успешный путь ломался с сообщением про ObjectMapper. + +#### `GET /userProfile` + +Нет `userId` → **400**. Неизвестный пользователь → **404**. Для пользователя с XSS в имени ответ **200**, `Content-Type: text/html`, разметка содержит **незакодированный** `` — **подтверждённый** вектор хранимого/отражаемого XSS через данные из `/register`. Кавычки и угловые скобки в имени также попадают в HTML без экранирования. + +#### `GET /exportReport` + +Пропуск параметров → **400**. Несуществующий `userId` → **404**. Легитимный экспорт → **200**, путь под `/tmp/reports/`. Параметр `filename=..%2F..%2Ftmp%2Flab4_escape.txt` → **200**, в ответе путь `/tmp/reports/../../tmp/lab4_escape.txt` — фактическая запись **вне** каталога `reports` (**path traversal** при записи). + +#### `POST /notify` + +Пропуск параметров → **400**. Несуществующий пользователь → **404**. Невалидный URL → **500**, тело `Notification failed: no protocol: …`. Отказ соединения → **500** с сообщением `Connection refused` (детали ошибки в ответе). Запрос с `callbackUrl=file:///etc/passwd` → **200**, в теле ответа **полное содержимое** читаемого файла (усечённый вывод в логе теста ~3 KiB) — **критичная утечка** через произвольную схему URL и отсутствие allowlist. Ограничений по числу вызовов не видно. + +#### Лимиты запросов и объёма данных + +По **20** быстрых подряд запросов к `/totalActivity` все ответы **200** — явного rate limiting нет. 
Верхняя граница размера query для ~800 символов в `userName` не сработала. + +--- + +## Этап 4 — Статический анализ (Semgrep) + +### Команды (как в задании) и фактический прогон + +По методичке предполагается: + +```bash +semgrep --config "p/java" src/ +semgrep --config "p/owasp-top-ten" src/ +semgrep --config "p/java" --sarif -o semgrep-report.sarif src/ +``` + +Прямой запрос наборов `**p/java**` и `**p/owasp-top-ten**` через registry Semgrep (`semgrep.dev`) в среде прогона давал **таймаут** при загрузке правил. Чтобы завершить анализ без обхода требований по наборам: + +1. Каталог правил **Java** взят из официального репозитория `[semgrep/semgrep-rules](https://github.com/semgrep/semgrep-rules)` (shallow clone в `/tmp/semgrep-rules`), что соответствует **открытой части** типового набора для Java (`p/java` в registry строится на этих правилах). +2. Набор `**p/owasp-top-ten`** сохранён как YAML с endpoint реестра: `https://semgrep.dev/c/p/owasp-top-ten` (локальная копия при повторных запусках кэшируется скриптом в `.semgrep-cache/`, каталог в `.gitignore`). + +**Использованные флаги:** `--metrics off`, `--disable-version-check`, два `--config` (java + owasp-top-ten), для отчёта ISO 5055 — `**--sarif -o semgrep-report.sarif`**. Цель сканирования: `**src/**`. + +### Сводка сканирования + + +| Показатель | Значение | +| ------------------------------- | --------------------------------------------------------------------- | +| Правил выполнено | **113** (112 для Java + 1 multilang из состава конфигов) | +| Файлов проанализировано | **6** (только отслеживаемые git; 1 файл пропущен по `.semgrepignore`) | +| Найдено срабатываний (findings) | **0** | + + +Текстовый вывод сохранён в `[semgrep-output.txt](semgrep-output.txt)`; машиночитаемый отчёт — `[semgrep-report.sarif](semgrep-report.sarif)` (формат **SARIF 2.1.0**, поле `runs[].results` — **пустой массив** при отсутствии findings). 
+ +### Верификация и сопоставление с CWE + + +| Тема (подтверждено вручную, этап 3) | Ожидаемые CWE | Сработало ли Semgrep | Комментарий | +| ----------------------------------------------------------------- | ------------- | -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| HTML из `userName` / `userId` в `/userProfile` | CWE-79 | **Нет** | Типовые правила Java ориентированы на **Servlet** (`HttpServletResponse.getWriter`, `getParameter`). У **Javalin** источник данных — `ctx.queryParam` / доменная модель, вывод — `ctx.result(html)`; поток не совпадает с паттернами правил → **пропуск (false negative)**. | +| `filename` + `new File(REPORTS_BASE_DIR + ...)` в `/exportReport` | CWE-22 | **Нет** | Часть правил path traversal завязана на **HttpServletRequest** / Spring. Конкатенация строк для `File` без явной метки «запрос» для анализатора не попадает в taint-правила. | +| `new URL(callbackUrl)` + `openConnection()` в `/notify` | CWE-918 | **Нет** | В каталоге `java` нет выразительного правила для произвольного `java.net.URL` из произвольной строки без Spring/JAX-RS аннотаций. | +| Прочие замечания этапа 3 | — | **Нет** | Ложных срабатываний (**false positive**) не получено. | + + +**Вывод:** Semgrep отработал штатно, но **не выявил** известные по динамическому тестированию проблемы из‑за **несовпадения фреймворка (Javalin)** и **ограничений набора правил**. Это ожидаемо иллюстрирует тезис методички: статический анализ **дополняет**, но **не заменяет** ручную проверку и кастомные правила под стек. + +При **стабильном доступе** к `semgrep.dev` имеет смысл повторить дословно команды из README с `--config p/java` и `--config p/owasp-top-ten` и сравнить список правил и findings. 
+ +--- + +## Этап 5 — Карточки уязвимостей (pentest-отчёт) + +Ниже — оформление **подтверждённых** находок по шаблону из README. Для каждой указан класс с **Security Test Case** в `src/test/java/ru/itmo/testing/lab4/pentest/` (кроме XSS: исходный пример лабораторной работы). + +--- + +#### Finding #1 — Stored XSS в HTML-профиле + + +| Поле | Значение | +| ------------- | ---------------------------------------------------------------------------------------------------------------------- | +| **Компонент** | `GET /userProfile`, `UserAnalyticsController` (сборка HTML), данные из `POST /register` | +| **Тип** | Stored XSS (контекст HTML) | +| **CWE** | [CWE-79](https://cwe.mitre.org/data/definitions/79.html) — Improper Neutralization of Input During Web Page Generation | +| **CVSS v3.1** | **6.1** MEDIUM — `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` | +| **Статус** | **Confirmed** | + + +**Описание:** +`userName` и `userId` подставляются в строку HTML без экранирования. Зарегистрировав пользователя с вредоносным именем, атакующий добивается исполнения скрипта в браузере жертвы при открытии профиля. + +**Шаги воспроизведения:** + +``` +1. POST /register?userId=evil&userName= +2. GET /userProfile?userId=evil +3. Ожидаемый результат: имя показано как текст, теги неактивны. + Фактический результат: HTTP 200, text/html, в теле сырой . +``` + +**Влияние:** Кража cookie/сессии в контексте сайта, фишинг, выполнение действий от имени пользователя. + +**Рекомендации по исправлению:** Экранировать вывод для HTML (`StringEscapeUtils.escapeHtml4` / аналог), не собирать HTML конкатенацией из пользовательских данных; заголовок `Content-Security-Policy`. + +**Security Test Case:** полный набор сценариев — в `[XssPentestTest.java](src/test/java/ru/itmo/testing/lab4/pentest/XssPentestTest.java)` (`@DisplayName("[EXPLOIT] …")`, граничные `@Order`). 
+ +--- + +#### Finding #2 — Path traversal при записи отчёта + + +| Поле | Значение | +| ------------- | ---------------------------------------------------------------------------------------------------------------------- | +| **Компонент** | `GET /exportReport`, `UserAnalyticsController`, `REPORTS_BASE_DIR + filename` | +| **Тип** | Path traversal → запись файла вне целевого каталога | +| **CWE** | [CWE-22](https://cwe.mitre.org/data/definitions/22.html) — Improper Limitation of a Pathname to a Restricted Directory | +| **CVSS v3.1** | **7.5** HIGH — `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` | +| **Статус** | **Confirmed** | + + +**Описание:** Параметр `filename` склеивается с базовым путём без нормализации и проверки, что итоговый путь остаётся внутри `/tmp/reports/`. Последовательности `../` позволяют записать файл в произвольное место (в пределах прав процесса). + +**Шаги воспроизведения:** + +``` +1. POST /register?userId=pt_export&userName=User +2. GET /exportReport?userId=pt_export&filename=..%2F..%2Ftmp%2Fpentest_export_escape.txt +3. Ожидаемый результат: отказ или запись только под /tmp/reports/. + Фактический результат: 200, файл появляется в /tmp/pentest_export_escape.txt (см. ручной прогон в РУЧНОЕ_ТЕСТИРОВАНИЕ.md). +``` + +**Влияние:** Порча файлов, подготовка к дальнейшим атакам, заполнение диска. + +**Рекомендации по исправлению:** Принимать только безопасное имя файла (`Paths.get(base).resolve(name).normalize()` и проверка `startsWith(base)`), запретить `..`, использовать `FilenameUtils.getName`. + +**Security Test Case:** + +```java +@Test +@DisplayName("[SECURITY] exportReport: ../ в filename записывает файл вне /tmp/reports/") +void exportWithDotDotEscapesBaseDirectory() { /* см. PathTraversalExportPentestTest */ } +``` + +Файл: `[PathTraversalExportPentestTest.java](src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java)`. + +--- + +#### Finding #3 — Небезопасный callback URL (в т.ч. 
чтение `file://`) + + +| Поле | Значение | +| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Компонент** | `POST /notify`, `new URL(callbackUrl)` + `openConnection()` | +| **Тип** | SSRF / произвольная схема URL; утечка локальных файлов через `file:` | +| **CWE** | [CWE-918](https://cwe.mitre.org/data/definitions/918.html) — Server-Side Request Forgery; [CWE-200](https://cwe.mitre.org/data/definitions/200.html) — Exposure of Sensitive Information to an Unauthorized Actor | +| **CVSS v3.1** | **9.1** CRITICAL — `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N` | +| **Статус** | **Confirmed** (для `file://` на Linux; HTTP к внутренним хостам — та же корневая проблема allowlist) | + + +**Описание:** Сервер выполняет запрос по полностью контролируемому клиентом URL и возвращает тело ответа в API. Схема `file://` приводит к чтению локальных файлов и выдаче содержимого в ответе. + +**Шаги воспроизведения:** + +``` +1. POST /register?userId=pt_notify&userName=N +2. POST /notify?userId=pt_notify&callbackUrl=file:///etc/passwd +3. Ожидаемый результат: отказ или только разрешённые http(s) URL. + Фактический результат: 200, тело ответа содержит начало /etc/passwd (root:…). +``` + +**Влияние:** Утечка секретов с диска, доступ к внутренним HTTP-сервисам из сети приложения. + +**Рекомендации по исправлению:** Allowlist хостов и схем (`https` только), запрет `file`, `jar`, `gopher` и т.д.; не отдавать клиенту сырой ответ внешнего ресурса. + +**Security Test Case:** `[NotifyUnsafeCallbackPentestTest.java](src/test/java/ru/itmo/testing/lab4/pentest/NotifyUnsafeCallbackPentestTest.java)` (`@DisplayName("[SECURITY] notify: file:// …")`, с `Assumptions` для Unix). 
+ +--- + +#### Finding #4 — Утечка информации в сообщениях об ошибках + + +| Поле | Значение | +| ------------- | -------------------------------------------------------------------------------------------------------------------------------------- | +| **Компонент** | `POST /recordSession`, блок `catch (Exception e)` → `Invalid data: " + e.getMessage()`; аналогично другие эндпоинты с `e.getMessage()` | +| **Тип** | Information disclosure через ошибку | +| **CWE** | [CWE-209](https://cwe.mitre.org/data/definitions/209.html) — Generation of Error Message Containing Sensitive Information | +| **CVSS v3.1** | **5.3** MEDIUM — `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` | +| **Статус** | **Confirmed** | + + +**Описание:** В HTTP-ответ клиенту попадает текст исключения Java (например, детали `DateTimeParseException`), что облегчает разведку и не свойственно продакшен-API. + +**Шаги воспроизведения:** + +``` +1. POST /register?userId=pt_err&userName=E +2. POST /recordSession?userId=pt_err&loginTime=not-a-date&logoutTime=2025-01-01T12:00:00 +3. Ожидаемый результат: 400 и нейтральное сообщение («неверный формат даты»). + Фактический результат: 400, тело содержит «could not be parsed at index 0» и фрагмент входной строки. +``` + +**Влияние:** Помощь атакующему в понимании валидации и стека; вторичная утечка фрагментов ввода. + +**Рекомендации по исправлению:** Логировать полный `Throwable` на сервере; клиенту — код/короткое сообщение без цепочки исключений. + +**Security Test Case:** `[ErrorDisclosurePentestTest.java](src/test/java/ru/itmo/testing/lab4/pentest/ErrorDisclosurePentestTest.java)`. 
+ +--- + +#### Finding #5 — Отсутствие аутентификации и авторизации (IDOR) + + +| Поле | Значение | +| ------------- | ------------------------------------------------------------------------------------------------------------- | +| **Компонент** | Все эндпоинты с `userId` без сессии/токена | +| **Тип** | Insecure Direct Object Reference / Broken Access Control | +| **CWE** | [CWE-639](https://cwe.mitre.org/data/definitions/639.html) — Authorization Bypass Through User-Controlled Key | +| **CVSS v3.1** | **7.5** HIGH — `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N` (оценка для чтения чужих PII и метрик) | +| **Статус** | **Confirmed** | + + +**Описание:** Любой анонимный клиент, знающий или перебирающий `userId`, получает профиль, активность, может инициировать запись сессий и webhook от имени пользователя. + +**Шаги воспроизведения:** + +``` +1. POST /register?userId=victim_idor&userName=VictimSecretName_42 +2. GET /userProfile?userId=victim_idor (без заголовков авторизации) +3. Ожидаемый результат: 401/403 без валидного токена владельца. + Фактический результат: 200, HTML с секретным именем. +``` + +**Влияние:** Нарушение конфиденциальности и целостности данных пользователей, подмена активности. + +**Рекомендации по исправлению:** Аутентификация (JWT/OAuth2/session), проверка что субъект токена совпадает с `userId` или имеет явную роль. + +**Security Test Case:** `[BrokenAccessControlPentestTest.java](src/test/java/ru/itmo/testing/lab4/pentest/BrokenAccessControlPentestTest.java)`. 
|
+
+---
+
+### Сводная таблица findings
+
+
+| # | Название | CWE | CVSS | Тест |
+| --- | -------------------------------------- | ---------------- | ---- | --------------------------------- |
+| 1 | Stored XSS в `/userProfile` | CWE-79 | 6.1 | `XssPentestTest` |
+| 2 | Path traversal в `/exportReport` | CWE-22 | 7.5 | `PathTraversalExportPentestTest` |
+| 3 | Небезопасный `callbackUrl` / `file://` | CWE-918, CWE-200 | 9.1 | `NotifyUnsafeCallbackPentestTest` |
+| 4 | Детали ошибок в ответе API | CWE-209 | 5.3 | `ErrorDisclosurePentestTest` |
+| 5 | IDOR / нет авторизации по `userId` | CWE-639 | 7.5 | `BrokenAccessControlPentestTest` |
+
+
diff --git "a/\320\240\320\243\320\247\320\235\320\236\320\225_\320\242\320\225\320\241\320\242\320\230\320\240\320\236\320\222\320\220\320\235\320\230\320\225.md" "b/\320\240\320\243\320\247\320\235\320\236\320\225_\320\242\320\225\320\241\320\242\320\230\320\240\320\236\320\222\320\220\320\235\320\230\320\225.md"
new file mode 100644
index 0000000..028aecd
--- /dev/null
+++ "b/\320\240\320\243\320\247\320\235\320\236\320\225_\320\242\320\225\320\241\320\242\320\230\320\240\320\236\320\222\320\220\320\235\320\230\320\225.md"
@@ -0,0 +1,212 @@
+# Этап 3 — ручное тестирование (детальный журнал)
+
+**Обновление (после добавления `jackson-databind`):** ранее эндпоинты с `ctx.json(...)` (`/inactiveUsers`, успешный `/monthlyActivity`) отвечали **500** с текстом про отсутствие ObjectMapper. В актуальной сборке зависимость подключена; разделы `/inactiveUsers` и `/monthlyActivity` ниже приведены в соответствии с повторной проверкой.
+
+Ниже для каждого эндпоинта: **план проверок** (по требованиям README: неожиданные значения, спецсимволы, тела ошибок, пути/URL, лимиты) и **фактические результаты** по каждому запросу.
+
+---
+
+## Критерии из задания (контрольный список)
+
+| Вопрос | Как проверяли |
+|--------|----------------|
+| Неожиданные значения параметров | пустые/неверные типы, несуществующие `userId`, неверный ISO, неверный `month` |
+| Спецсимволы `< > " ' / ..` | XSS в `userName`, `userId` с `%2F`, `filename` с `..%2F`, кавычки в имени |
+| Тело ответа при ошибках | 400/404/500 и текст/JSON в теле |
+| Параметры-пути к файлам и URL | `filename` в `/exportReport`, `callbackUrl` в `/notify` (http, file) |
+| Лимиты частоты и размера | ~800 символов в `userName`; 20 быстрых GET подряд |
+
+---
+
+## `POST /register`
+
+### План запросов
+
+1. Нормальная регистрация (подготовка данных).
+2. Отсутствие параметров / одного параметра.
+3. Дубликат `userId`.
+4. Пустой `userId`.
+5. `userId` с последовательностями `../` в строке (URL-encoded).
+6. Длинный `userName` (~800 символов).
+ +### Результаты + +| # | Описание | Команда (сокращённо) | HTTP | Тело ответа | +|---|----------|----------------------|------|-------------| +| R0 | Регистрация `stage3_base` | `POST /register?userId=stage3_base&userName=Alice` | 200 | `User registered: true` | +| R0b | Регистрация для XSS | `POST ...userId=stage3_xss&userName=%3Cscript%3Ealert(1)%3C%2Fscript%3E` | 200 | `User registered: true` | +| R0c | Имя с кавычками и скобками | `POST ...userId=stage3_quote&userName=O%27Reilly%22%3C%3E` | 200 | `User registered: true` | +| R1 | Нет параметров | `POST /register` | 400 | `Missing parameters` | +| R2 | Только `userId` | `POST /register?userId=onlyId` | 400 | `Missing parameters` | +| R3 | Дубликат | `POST ...userId=stage3_base&userName=Other` | 200 | `User registered: false` | +| R4 | Пустой `userId` | `POST /register?userId=&userName=empty_id_user` | 200 | `User registered: true` | +| R5 | `userId=..%2F..%2Fevil` | `POST ...userId=..%2F..%2Fevil&userName=test` | 200 | `User registered: true` | +| R6 | Длинный `userName` | `POST ...userId=stage3_long&userName=` + 800×`A` | 200 | `User registered: true` | + +**Заголовки успешных ответов (типично):** `Content-Type: text/plain`. + +--- + +## `POST /recordSession` + +### План запросов + +1. Пропуск параметров. +2. Некорректный ISO. +3. Несуществующий `userId`. +4. `logoutTime` раньше `loginTime` (логика домена). + +### Результаты + +| # | Описание | HTTP | Тело ответа | +|---|----------|------|-------------| +| S0 | Валидная сессия (подготовка) | 200 | `Session recorded` | +| S1 | Нет параметров | 400 | `Missing parameters` | +| S2 | `loginTime=not-a-date` | 400 | `Invalid data: Text 'not-a-date' could not be parsed at index 0` | +| S3 | Неизвестный пользователь | 404 | `User not found` | +| S4 | Logout раньше login | 200 | `Session recorded` | + +--- + +## `GET /totalActivity` + +### План запросов + +1. Без `userId`. +2. Несуществующий пользователь. +3. Существующий пользователь с сессиями. +4. 
`userId` с закодированными `<>` в строке. + +### Результаты + +| # | Описание | HTTP | Тело ответа | +|---|----------|------|-------------| +| T1 | Без `userId` | 400 | `Missing userId` | +| T2 | `userId=ghost_user` | 200 | `Total activity: 0 minutes` | +| T3 | `userId=stage3_sess` (после S0+S4) | 200 | `Total activity: -30 minutes` | +| T4 | `userId=stage3_%3Ctest%3E` | 200 | `Total activity: 0 minutes` | + +--- + +## `GET /inactiveUsers` + +### План запросов + +1. Без `days`. +2. Нечисловой `days`. +3. Отрицательный `days`. +4. `days=0`. + +### Результаты + +| # | Описание | HTTP | Тело ответа | +|---|----------|------|-------------| +| I1 | Нет `days` | 400 | `Missing days parameter` | +| I2 | `days=abc` | 400 | `Invalid number format for days` | +| I3 | `days=-1` | 200 | `Content-Type: application/json`, тело `[]` (на пустом хранилище сессий) | +| I4 | `days=0` | 200 | `Content-Type: application/json`, тело `[]` | + +**Было до `jackson-databind`:** I3 и I4 давали **500** и JSON Javalin с текстом *«It looks like you don't have an object mapper configured…»* (~727 байт). + +--- + +## `GET /monthlyActivity` + +### План запросов + +1. Пропуск параметров. +2. Неверный формат `month`. +3. Пользователь без сессий. +4. Успешный расчёт при наличии сессий. 
+ +### Результаты + +| # | Описание | HTTP | Тело ответа | +|---|----------|------|-------------| +| M1 | Нет параметров | 400 | `Missing parameters` | +| M2 | `month=13-2025` | 400 | `Invalid data: Text '13-2025' could not be parsed at index 0` | +| M3 | `userId=stage3_base` (без сессий) | 400 | `Invalid data: No sessions found for user` | +| M4 | Пользователь с сессией в запрошенном месяце (пример: после `POST /register` и `POST /recordSession` для `userId=jackson_m`, затем `month=2025-01`) | 200 | `Content-Type: application/json`, тело `{"2025-01-10":60}` (значения зависят от записанных сессий) | + +**Было до `jackson-databind`:** при тех же данных вместо JSON возвращалось **400** с телом про отсутствие ObjectMapper. + +--- + +## `GET /userProfile` + +### План запросов + +1. Без `userId`. +2. Несуществующий пользователь. +3. Пользователь с XSS в `userName`. +4. Пользователь с кавычками и `<>` в имени. + +### Результаты + +| # | Описание | HTTP | Content-Type | Тело ответа | +|---|----------|------|--------------|-------------| +| P1 | Нет `userId` | 400 | text/plain | `Missing userId` | +| P2 | Неизвестный `userId` | 404 | text/plain | `User not found` | +| P3 | `userId=stage3_xss` | 200 | text/html | `

Profile:

ID: stage3_xss

Total activity: 0 min

` | +| P4 | `userId=stage3_quote` | 200 | text/html | `

Profile: O'Reilly"<>

ID: stage3_quote

Total activity: 0 min

` | + +--- + +## `GET /exportReport` + +### План запросов + +1. Пропуск параметров. +2. Несуществующий `userId`. +3. Обычное имя файла. +4. `filename` с `../` (path traversal). + +### Результаты + +| # | Описание | HTTP | Тело ответа | +|---|----------|------|-------------| +| E1 | Нет параметров | 400 | `Missing parameters` | +| E2 | Неизвестный пользователь | 404 | `User not found` | +| E3 | `filename=safe_report.txt` | 200 | `Report saved to: /tmp/reports/safe_report.txt` | +| E4 | `filename=..%2F..%2Ftmp%2Flab4_escape.txt` | 200 | `Report saved to: /tmp/reports/../../tmp/lab4_escape.txt` | + +Файл по пути E4 фактически создаётся в `/tmp/lab4_escape.txt` (нормализация пути). + +--- + +## `POST /notify` + +### План запросов + +1. Пропуск параметров. +2. Несуществующий `userId`. +3. Невалидный `callbackUrl`. +4. HTTP к закрытому порту. +5. Схема `file://`. + +### Результаты + +| # | Описание | HTTP | Тело ответа | +|---|----------|------|-------------| +| N1 | Нет параметров | 400 | `Missing parameters` | +| N2 | Неизвестный пользователь | 404 | `User not found` | +| N3 | `callbackUrl=not-a-url` | 500 | `Notification failed: no protocol: not-a-url` | +| N4 | `http://127.0.0.1:1/nope` | 500 | `Notification failed: Connection refused` | +| N5 | `file:///etc/passwd` | 200 | `Notification sent. Response: ` + **полное содержимое `/etc/passwd`** (в прогоне ~3112 байт; начало: `root:x:0:0:root:/root:/bin/bash` … до последней строки файла) | + +--- + +## Лимиты частоты и объёма + +| Проверка | Метод | Результат | +|----------|--------|-----------| +| 20× подряд `GET /totalActivity?userId=stage3_sess` | `curl` в цикле | Все ответы **HTTP 200** | +| Длинный `userName` | см. R6 в `/register` | **HTTP 200**, регистрация принята | + +Явного ограничения числа запросов (rate limiting) и отсечения по размеру тела запроса по результатам прогона **не выявлено**. 
+
+---
+
+## Подготовительные шаги (порядок данных в скрипте)
+
+Перед тестами регистрировались пользователи `stage3_base`, `stage3_xss`, `stage3_quote`, `stage3_sess`, `stage3_month`, `stage3_export`, `stage3_notify`; для `stage3_sess` и `stage3_month` добавлялись сессии с валидным ISO-временем (см. скрипт).
From 6b5f0b04f37a7c810b73995cbd8e1b6a8d0bfe93 Mon Sep 17 00:00:00 2001
From: selfofly
Date: Tue, 14 Apr 2026 15:32:06 +0300
Subject: [PATCH 4/4] fix path traversal test not being self sufficient
---
 .../testing/lab4/pentest/PathTraversalExportPentestTest.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java b/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java
index 78033f5..f562aab 100644
--- a/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java
+++ b/src/test/java/ru/itmo/testing/lab4/pentest/PathTraversalExportPentestTest.java
@@ -48,6 +48,11 @@ static void stop() throws Exception {
 void exportWithDotDotEscapesBaseDirectory() throws Exception {
 send("POST", BASE + "/register?userId=pt_export&userName=User");
+ // Подготовка окружения: гарантируем, что базовая директория репортов существует.
+ // Иначе traversal может падать с 500 из-за отсутствия /tmp/reports (и тест не демонстрирует уязвимость).
+ HttpResponse warmup = send("GET", BASE + "/exportReport?userId=pt_export&filename=safe_report.txt");
+ assertEquals(200, warmup.statusCode(), "warmup экспорт должен создавать /tmp/reports");
+
 String q = "/exportReport?userId=pt_export&filename=..%2F..%2Ftmp%2Fpentest_export_escape.txt";
 HttpResponse res = send("GET", BASE + q);