Philippe Arteau
Fields such as the following should be considered safe.

```java
static final String FILE = System.getProperty("file.separator");
```

```java
private static final String NTP_QUERY = new StringBuilder( " select os.name, p.dateProcessed,...
```
## Description

Cover that `InputStream.read(X)` will taint the parameter X:

- `InputStream.read(byte[])`
- `InputStream.read(byte[], int, int)`

https://docs.oracle.com/javase/7/docs/api/java/io/InputStream.html#read(byte[])

## Code

```java
package testcode.xss.servlets;

import org.apache.commons.lang.StringEscapeUtils;
import org.owasp.esapi.ESAPI;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
...
```
External libraries:

- [ ] org.apache.commons.digester.Digester
- [ ] Woodstock
- [ ] dom4j
- [ ] XOM
- [ ] OpenSAML
- [ ] Apache Hadoop

Taken from: ...
As mentioned by Bob Rivers, Java 7 has two APIs that also allow the normalization of paths. See: http://stackoverflow.com/a/40427311/89769

- [ ] Make sure the two APIs are actually safe...
Path traversal is one of the detectors that can cause a large number of false positives.

```java
org.springframework.core.env.Environment env = ...;
new File(env.getProperty("serversideconf"), "/test.xml")
```

```java
Properties props = ...;...
```
Detect subclasses of JavaFileObject which allow the dynamic evaluation of Java code.

http://www.beyondlinux.com/2011/07/20/3-steps-to-dynamically-compile-instantiate-and-run-a-java-class/
The PR from @MaxNad (https://github.com/find-sec-bugs/find-sec-bugs/pull/203) gave me the idea to detect risky content types that may cause Content-Sniffing XSS. In a nutshell, for certain content types the browser will guess the actual...
I read from [FileCry - The New Age of XXE](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE.pdf) that an entity resolver returning null is equivalent to having none set. To investigate...
Apparently, **PKCS1Padding** is vulnerable to padding oracle attack. A simple rule should be made to recommend **RSA OAEP**.

```java
Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
```

References:

- http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf
- http://www.iacr.org/archive/eurocrypt2000/1807/18070374-new.pdf
- ...
I think two detectors related to Randomness are incorrect.

#### MDM_SECURERANDOM

```
The SecureRandom() constructors and SecureRandom.getSeed() method are deprecated. Call SecureRandom.getInstance() and SecureRandom.getInstance().generateSeed() instead.
```

The constructor of SecureRandom...