/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/
package org.owasp.benchmark.testcode;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * OWASP Benchmark test case (category {@code crypto-01}).
 *
 * <p>{@code doGet} sets a cookie named {@code BenchmarkTest00943} and includes the matching HTML
 * page; {@code doPost} reads that cookie back, routes its value through the inner helper {@link
 * Test#doSomething}, encrypts the bytes with a {@code Cipher} obtained from {@code
 * Utils.getCipher()} and appends the Base64-encoded ciphertext to {@code passwordFile.txt} under
 * {@code Utils.TESTFILES_DIR}.
 *
 * <p>Security notes (deliberate, this is a benchmark test case): the cookie created in {@code
 * doGet} is added to the response without {@code setHttpOnly(true)} or {@code setSecure(true)};
 * the cookie value consumed by {@code doPost} is client-controlled input; and on a crypto failure
 * the full stack trace is written into the HTTP response body.
 */
@WebServlet(value = "/crypto-01/BenchmarkTest00943")
public class BenchmarkTest00943 extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * Sets the {@code BenchmarkTest00943} cookie with a fixed value and includes the test page.
     *
     * <p>The cookie is added with a max-age, a path and a domain, but with neither the HttpOnly nor
     * the Secure attribute, so it stays readable from client-side script and may be sent over
     * plain HTTP.
     *
     * @param request incoming request; its URI/URL are used for the cookie path and domain
     * @param response response the cookie and the included page are written to
     * @throws ServletException propagated from the {@code RequestDispatcher}
     * @throws IOException propagated from the include, or from {@code new URL(...)} if the request
     *     URL cannot be parsed
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        javax.servlet.http.Cookie userCookie =
                new javax.servlet.http.Cookie("BenchmarkTest00943", "someSecret");
        userCookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        userCookie.setPath(request.getRequestURI());
        // Domain is taken from the request URL (normally derived from the Host header), not from
        // server-side configuration.
        userCookie.setDomain(new java.net.URL(request.getRequestURL().toString()).getHost());
        // No setHttpOnly(true) / setSecure(true) before the cookie goes out.
        response.addCookie(userCookie);

        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/crypto-01/BenchmarkTest00943.html");
        rd.include(request, response);
    }

    /**
     * Reads the {@code BenchmarkTest00943} cookie, encrypts its (decoded) value and appends the
     * result to the password file.
     *
     * <p>If no matching cookie is present the literal {@code "noCookieValueSupplied"} is encrypted
     * instead. On {@code IllegalBlockSizeException} or {@code BadPaddingException} a message and
     * the stack trace are written to the response, then a {@code ServletException} wrapping the
     * cause is thrown.
     *
     * @param request incoming request; only its cookies are read
     * @param response response the status text (or the error text and stack trace) is written to
     * @throws ServletException wrapping a crypto failure, or propagated from the inner helper
     * @throws IOException from the response writer, the file write, or URL decoding
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");

        javax.servlet.http.Cookie[] theCookies = request.getCookies();

        String param = "noCookieValueSupplied";
        if (theCookies != null) {
            // First cookie with the expected name wins; its value is client-supplied data.
            for (javax.servlet.http.Cookie theCookie : theCookies) {
                if (theCookie.getName().equals("BenchmarkTest00943")) {
                    param = java.net.URLDecoder.decode(theCookie.getValue(), "UTF-8");
                    break;
                }
            }
        }

        // doSomething returns param unchanged (see Test below), so the taint flows straight through.
        String bar = new Test().doSomething(request, param);

        // Code based on example from:
        // http://examples.javacodegeeks.com/core-java/crypto/encrypt-decrypt-file-stream-with-des/
        try {
            // Algorithm/mode/provider are chosen inside Utils.getCipher() (not visible here).
            javax.crypto.Cipher c = org.owasp.benchmark.helpers.Utils.getCipher();

            // encrypt and store the results
            byte[] input = {(byte) '?'};
            Object inputParam = bar;
            // getBytes() without a charset uses the platform default encoding.
            if (inputParam instanceof String) input = ((String) inputParam).getBytes();
            // bar is declared as String above, so this InputStream branch is unreachable in this
            // test case; it is shared scaffolding across Benchmark sources.
            if (inputParam instanceof java.io.InputStream) {
                byte[] strInput = new byte[1000];
                int i = ((java.io.InputStream) inputParam).read(strInput);
                if (i == -1) {
                    response.getWriter()
                            .println(
                                    "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
                    return;
                }
                input = java.util.Arrays.copyOf(strInput, i);
            }
            byte[] result = c.doFinal(input);

            java.io.File fileTarget =
                    new java.io.File(
                            new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
                            "passwordFile.txt");
            // Not try-with-resources: if write() throws, close() below is skipped and the handle
            // leaks.
            java.io.FileWriter fw =
                    new java.io.FileWriter(fileTarget, true); // the true will append the new data
            fw.write(
                    "secret_value="
                            + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
                            + "\n");
            fw.close();
            // new String(input) likewise uses the platform default charset; the value is
            // HTML-encoded before being echoed.
            response.getWriter()
                    .println(
                            "Sensitive value: '"
                                    + org.owasp.esapi.ESAPI.encoder().encodeForHTML(new String(input))
                                    + "' encrypted and stored<br/>");
        } catch (javax.crypto.IllegalBlockSizeException e) {
            // The message names the (String, Provider) overload while the success message below
            // names (String, String); the strings are inconsistent with each other.
            response.getWriter()
                    .println(
                            "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
            // Stack trace goes into the HTTP response body (information disclosure) before the
            // exception is rethrown with the response already partially written.
            e.printStackTrace(response.getWriter());
            throw new ServletException(e);
        } catch (javax.crypto.BadPaddingException e) {
            response.getWriter()
                    .println(
                            "Problem executing crypto - javax.crypto.Cipher.getInstance(java.lang.String,java.security.Provider) Test Case");
            // Same disclosure as the IllegalBlockSizeException branch.
            e.printStackTrace(response.getWriter());
            throw new ServletException(e);
        }
        response.getWriter()
                .println(
                        "Crypto Test javax.crypto.Cipher.getInstance(java.lang.String,java.lang.String) executed");
    } // end doPost

    /** Dataflow helper: passes {@code param} through a list so the value is returned unchanged. */
    private class Test {

        /**
         * Returns {@code param} unchanged when it is non-null, otherwise the empty string.
         *
         * <p>The value is pushed into a list between two constant entries, the first constant is
         * removed, and index 0 (now {@code param}) is read back. {@code request} is unused.
         *
         * @param request unused
         * @param param value to pass through; may be null
         * @return {@code param}, or {@code ""} if {@code param} is null
         * @throws ServletException never thrown by this body; declared for the test-case template
         * @throws IOException never thrown by this body; declared for the test-case template
         */
        public String doSomething(HttpServletRequest request, String param)
                throws ServletException, IOException {

            String bar = "";
            if (param != null) {
                java.util.List<String> valuesList = new java.util.ArrayList<String>();
                valuesList.add("safe");
                valuesList.add(param);
                valuesList.add("moresafe");

                valuesList.remove(0); // remove the 1st safe value

                bar = valuesList.get(0); // get the param value
            }
            return bar;
        }
    } // end innerclass Test
} // end DataflowThruInnerClass
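/**
 * Non-compliant example: a cookie is created and handed to the response without {@code
 * setHttpOnly(true)} (and without {@code setSecure(true)}), so it remains readable from
 * client-side script.
 *
 * <p>This is an illustrative fragment: {@code request}, {@code response} and {@code userCookie}
 * are not declared here (presumably members or parameters of the surrounding servlet in the
 * original), and {@code Cookie} is not imported.
 */
class NotCompliant {
    /**
     * Builds a cookie from the given name/value, adds it to the response and includes a page.
     *
     * @param field cookie name
     * @param value cookie value
     */
    public void setCookie(String field, String value) {
        Cookie cookie = new Cookie(field, value);
        cookie.setMaxAge(60 * 3); // Store cookie for 3 minutes
        // No HttpOnly/Secure attribute is set before the cookie is added: this is the violation.
        response.addCookie(cookie);
        // userCookie is not defined in this snippet.
        response.addCookie(userCookie);
        javax.servlet.RequestDispatcher rd =
                request.getRequestDispatcher("/weakrand-00/BenchmarkTest00078.html");
        rd.include(request, response); // original snippet was missing this semicolon
    }
}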
Compliant Code Examples
/**
 * Compliant example: the cookie created in {@code setCookie} has {@code setHttpOnly(true)} called
 * on it before it is added to the response.
 *
 * <p>Illustrative fragment: {@code response}, {@code myMethod()} and {@code getCookieFromCache()}
 * are not declared here. Note the rule as illustrated checks the HttpOnly attribute only; whether
 * {@code setSecure(true)} is also required depends on the deployment (it should be set when the
 * application is served over HTTPS).
 */
class Compliant {
    /**
     * Builds a cookie from the given name/value, marks it HttpOnly and adds it to the response.
     *
     * @param field cookie name
     * @param value cookie value
     */
    public void setCookie(String field, String value) {
        Cookie cookie = new Cookie(field, value);
        myMethod();
        // HttpOnly is set before the cookie is handed to the response, which is what the rule
        // looks for; a call placed after addCookie would not satisfy it.
        cookie.setHttpOnly(true);
        response.addCookie(cookie);
        // Cookies obtained from elsewhere are out of the rule's scope: only cookies constructed in
        // this method are checked.
        Cookie cookie2 = this.getCookieFromCache(); // no violation detected here, since it wasn't created here
    }
}
Cómo usar esta regla
# Minimal static-analysis.datadog.yml enabling the ruleset this rule belongs to.
rulesets:
  - java-security # Rules to enforce Java security.
Crea un static-analysis.datadog.yml con el contenido anterior en la raíz de tu repositorio
Utiliza nuestros complementos del IDE gratuitos o añade análisis de Code Security a tus pipelines de CI.