Use of less trusted source
ID: scala.endpoint.scala_endpoint_rule_jaxrsendpoint
Severity: low
Resource: Endpoint
Language: Scala
Description
This method is part of a REST Web Service (JSR311). The security of this web service should be analyzed. For example:
- Authentication, if enforced, should be tested.
- Access control, if enforced, should be tested.
- The inputs should be tracked for potential vulnerabilities.
- The communication should ideally be over SSL.
- If the service supports writes (e.g., via POST), its vulnerability to CSRF should be investigated.
The following code illustrates a vulnerable pattern detected by this rule:
import javax.ws.rs.{GET, Path, PathParam}

@Path("/")
class HelloResource {
  // Helper that passes the request-controlled value through unchanged
  def randomFunc(s: String) = s

  @GET
  @Path("/hello0/{user}")
  // VULNERABLE: Use of less trusted source
  def danger0(@PathParam("user") user: String) = "Hello " + user // BAD

  @GET
  @Path("/hello1/{user}")
  def danger1(@PathParam("user") user: String) = {
    // VULNERABLE: Use of less trusted source
    val tainted = randomFunc(user)
    "Hello " + tainted
  }
}
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
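As an added example (not part of this rule page or the analyzer's own code), a hardened counterpart of the flagged endpoints that applies the checks listed in the description: HTTPS via SecurityContext.isSecure, an authenticated principal, container-enforced roles, an allow-list on the untrusted path segment, and a custom-header plus JSON content-type requirement on the state-changing POST. The resource path, role name, header value and allow-list pattern are assumptions.

```scala
import javax.annotation.security.RolesAllowed
import javax.ws.rs._
import javax.ws.rs.core.{Context, MediaType, Response, SecurityContext}

@Path("/greeting") // resource path is an assumption
class GreetingResource {
  // Allow-list for the request-controlled path segment (assumed policy).
  private val UserName = "^[A-Za-z0-9_]{1,32}$".r.pattern

  private def requireHttpsAndAuth(sc: SecurityContext): Unit = {
    if (!sc.isSecure)                 // request did not arrive over HTTPS
      throw new WebApplicationException(Response.Status.FORBIDDEN)
    if (sc.getUserPrincipal == null)  // no authenticated caller
      throw new WebApplicationException(Response.Status.UNAUTHORIZED)
  }

  private def validUser(user: String): Boolean =
    user != null && UserName.matcher(user).matches()

  @GET
  @Path("/{user}")
  @Produces(Array(MediaType.TEXT_PLAIN))
  def hello(@PathParam("user") user: String, @Context sc: SecurityContext): String = {
    requireHttpsAndAuth(sc)
    if (!validUser(user))
      throw new WebApplicationException(Response.Status.BAD_REQUEST)
    s"Hello $user" // untrusted value used only after the allow-list check
  }

  @POST
  @Path("/{user}")
  @RolesAllowed(Array("admin")) // container-enforced access control; role name assumed
  @Consumes(Array(MediaType.APPLICATION_JSON))
  def rename(@PathParam("user") user: String,
             @HeaderParam("X-Requested-With") requestedWith: String,
             @Context sc: SecurityContext): Response = {
    requireHttpsAndAuth(sc)
    // CSRF: an HTML form cannot send a JSON body or this custom header, and a
    // cross-origin script needs CORS approval to add it.
    if (requestedWith != "XMLHttpRequest")
      return Response.status(Response.Status.FORBIDDEN).build()
    if (!validUser(user))
      return Response.status(Response.Status.BAD_REQUEST).build()
    Response.noContent().build()
  }
}
```

@RolesAllowed only takes effect when the JAX-RS runtime has its role-based security feature enabled; otherwise check sc.isUserInRole explicitly.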
References
- OWASP Top 10 2021 - A01: Broken Access Control.