Dangerous API

ID

java.dangerous_api

Severity

low

Resource

Other

Language

Java

Tags

CWE:676, NIST.SP.800-53, OWASP-ESAPI

Description

Use of potentially dangerous API.

Rationale

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, even though the same function can also be used safely. The rule therefore flags the call site so that a reviewer can confirm the usage is safe or replace it with a hardened equivalent.

Remediation

For Java, this rule follows the ESAPI Secure Coding Guidelines. The following calls are treated as dangerous and should be replaced with the safer equivalents provided by ESAPI (the replacement names are those used by the ESAPI API; verify them against the ESAPI version in your project, as method names changed between major releases):

  • BAN001 - System.out.println(), replace by Logger.*

  • BAN002 - Throwable.printStackTrace(), replace by Logger.*

  • BAN003 - Runtime.exec(), replace by Executor.safeExec()

  • BAN004 - Session.getId(), replace by Randomizer.getRandomString (better not to use at all)

  • BAN005 - ServletRequest.getUserPrincipal(), replace by Authenticator.getCurrentUser()

  • BAN006 - ServletRequest.isUserInRole(), replace by AccessController.isAuthorized*()

  • BAN007 - Session.invalidate(), replace by Authenticator.logout()

  • BAN008 - java.util.Random or Math.random(), replace by Randomizer.*

  • BAN009 - File.createTempFile(), replace by Randomizer.getRandomFilename()

  • BAN010 - ServletResponse.setContentType(), replace by HTTPUtilities.setContentType()

  • BAN011 - ServletResponse.sendRedirect(), replace by HTTPUtilities.safeSendRedirect()

  • BAN012 - RequestDispatcher.forward(), replace by HTTPUtilities.safeSendForward()

  • BAN013 - ServletResponse.addHeader(), ServletResponse.setHeader(), replace by HTTPUtilities.safeSetHeader()/safeAddHeader()

  • BAN014 - ServletResponse.addCookie(), replace by HTTPUtilities.safeAddCookie()

  • BAN015 - ServletRequest.isSecure(), replace by HTTPUtilities.isSecureChannel()

  • BAN016 - java.util.Properties, replace by EncryptedProperties

  • BAN017 - ServletContext.log(), replace by Logger.*

  • BAN018 - java.security.* and javax.crypto.*, replace by Encryptor.*

  • BAN019 - java.net.URLEncoder/URLDecoder, replace by Encoder.encodeForURL()/decodeFromURL()

  • BAN020 - java.sql.Statement, replace by java.sql.PreparedStatement

  • BAN021 - ServletResponse.encodeURL, replace by HTTPUtilities.safeEncodeURL() (better not to use at all)

  • BAN022 - ServletResponse.encodeRedirectURL, replace by HTTPUtilities.safeEncodeRedirectURL() (better not to use at all)
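
The following is an added example, not code from the original rule page or from the ESAPI project: one password-reset handler written twice, first with the banned JDK and Servlet calls the detector reports (BAN002, BAN008, BAN011, BAN019, BAN020), then with the ESAPI replacements. It assumes ESAPI 2.x on the classpath with a valid ESAPI.properties, and it assumes the method names of the 2.x API, which dropped the "safe" prefix used in the list above (safeSendRedirect became sendRedirect). The class name, the SQL table and the request parameters are hypothetical.

```java
// Added example (not part of the original rule page or of ESAPI itself).
// Assumes ESAPI 2.x with a configured ESAPI.properties; table/column names are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Random;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.EncoderConstants;
import org.owasp.esapi.Logger;

public class PasswordResetHandler {

    // ESAPI's Logger replaces System.out.println / printStackTrace (BAN001, BAN002)
    private static final Logger LOG = ESAPI.getLogger(PasswordResetHandler.class);

    // BEFORE: each commented line is a call the detector reports.
    public void resetUnsafe(HttpServletRequest req, HttpServletResponse resp, Connection db) {
        String user = req.getParameter("user");
        try (Statement st = db.createStatement()) {
            // BAN020: user input concatenated into a Statement is an SQL injection sink
            ResultSet rs = st.executeQuery("SELECT email FROM users WHERE name = '" + user + "'");
            // BAN008: java.util.Random is predictable; an attacker can guess the reset token
            String token = Long.toHexString(new Random().nextLong());
            // BAN019 + BAN011: unencoded input in the target of a raw redirect
            resp.sendRedirect("/reset?user=" + user + "&token=" + token);
        } catch (Exception e) {
            // BAN002: stack trace to stderr, nothing in the security audit log
            e.printStackTrace();
        }
    }

    // AFTER: the same flow with the replacements the rule recommends.
    public void resetSafe(HttpServletRequest req, HttpServletResponse resp, Connection db) {
        String user = req.getParameter("user");
        try (PreparedStatement ps = db.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            // BAN020 fix: bind the parameter instead of concatenating it
            ps.setString(1, user);
            ResultSet rs = ps.executeQuery();

            // BAN008 fix: Randomizer is backed by a cryptographically secure PRNG
            String token = ESAPI.randomizer().getRandomString(32, EncoderConstants.CHAR_ALPHANUMERICS);

            // BAN019 fix: Encoder.encodeForURL neutralises query-string metacharacters in the input
            String target = "/reset?user=" + ESAPI.encoder().encodeForURL(user) + "&token=" + token;

            // BAN011 fix: HTTPUtilities.sendRedirect validates the location against the
            // redirect pattern configured in ESAPI.properties before issuing the 302
            ESAPI.httpUtilities().sendRedirect(resp, target);
        } catch (Exception e) {
            // BAN002 fix: a typed security event in the ESAPI log, stack trace attached
            LOG.error(Logger.SECURITY_FAILURE, "password reset failed for user " + user, e);
        }
    }
}
```

The ESAPI calls throw checked exceptions (EncodingException from the encoder, AccessControlException and IOException from the redirect), which is why the example keeps a single catch block; in production code catch them individually so that a rejected redirect target is logged as a distinct event from a database failure.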

Configuration

The detector has the following configurable parameters:

  • checkWebContext, which indicates whether the detector should only raise an issue when the code runs in a web context.

  • banned, the list of APIs the detector treats as banned.

  • allowed, the list of APIs the detector treats as allowed (and therefore does not report).