Use of less trusted source

ID

scala.endpoint.scala_endpoint_rule_jaxwsendpoint

Severity

low

Resource

Endpoint

Language

Scala

Description

This method is part of a SOAP Web Service (JSR224). The security of this web service should be analyzed. For example:

- Authentication, if enforced, should be tested.
- Access control, if enforced, should be tested.
- The inputs should be tracked for potential vulnerabilities.
- The communication should ideally be over SSL.

Rationale

The following code illustrates a vulnerable pattern detected by this rule:

import javax.jws.{WebMethod, WebService}

// The enclosing @WebService class is assumed here so the snippet compiles; the
// rule page shows only the two flagged methods.
@WebService
class GreetingEndpoint {
  def randomFunc(s: String) = s

  @WebMethod
  // VULNERABLE: Use of less trusted source
  def danger0(user: String) = "Hello " + user // BAD

  @WebMethod
  def danger1(user: String) = {
    // VULNERABLE: Use of less trusted source
    val tainted = randomFunc(user) // the parameter flows through unchanged
    "Hello " + tainted
  }
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
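The following is an added example, not code from the rule page or from any project, showing how a JAX-WS (JSR224) endpoint written in Scala can address the points listed in the description: an access-control check through the injected WebServiceContext and allow-listing of the untrusted parameter before it is used. The class name GreetingService and the role name "greeter" are assumptions; transport security (SSL/TLS) is configured on the container, not in this code.

```scala
import javax.annotation.Resource
import javax.jws.{WebMethod, WebParam, WebService}
import javax.xml.ws.{WebServiceContext, WebServiceException}

// Assumed service name for illustration only.
@WebService
class GreetingService {

  // Injected by the JAX-WS runtime; exposes the caller's principal and roles.
  @Resource
  private var ctx: WebServiceContext = null

  // Conservative allow-list for the untrusted "user" parameter.
  private val UserName = "^[A-Za-z0-9_-]{1,32}$".r

  @WebMethod
  def greet(@WebParam(name = "user") user: String): String = {
    // Access control: reject unauthenticated callers and callers lacking the
    // assumed "greeter" role; JAX-WS turns the exception into a SOAP fault.
    if (ctx.getUserPrincipal == null || !ctx.isUserInRole("greeter"))
      throw new WebServiceException("not authorized")

    // Input tracking: the parameter comes from the less trusted client side,
    // so it is validated against the allow-list before it reaches any sink.
    val safeUser = Option(user)
      .collect { case UserName() => user }
      .getOrElse(throw new WebServiceException("invalid user name"))

    "Hello " + safeUser
  }
}
```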

Configuration

This detector does not need any configuration.

References