Collapse of data into unsafe value

ID

scala.strings.scala_strings_rule_modifyaftervalidation

Severity

low

Resource

Strings

Language

Scala

Description

CERT: IDS11-J. Perform any string modifications before validation

Rationale

CERT: IDS11-J. Perform any string modifications before validation

The following code illustrates a vulnerable pattern detected by this rule:

import java.text.Normalizer
import java.util.regex.Pattern

def modifyDanger(str: String): String = {
  var s = Normalizer.normalize(str, Normalizer.Form.NFKC)
  val pattern = Pattern.compile("<script>")
  // VULNERABLE: Collapse of data into unsafe value
  // The check below runs on the normalized string, not on the value that is returned
  val matcher = pattern.matcher(s)
  if (matcher.find()) throw new IllegalArgumentException("Invalid input")
  // Stripping unassigned code points can join characters into a "<script>" tag
  // that the validation above never saw
  s = s.replaceAll("[\\p{Cn}]", "") // modified after validation
  s
}

Remediation

Perform every string modification (normalization, stripping or replacing characters) before validating the string, so that the value that is checked is the value that is used; then follow secure coding practices and review the references below for detailed remediation guidance.
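As an added example, not part of the rule text or the CERT document, the vulnerable ordering from above is shown beside a corrected one so the two can be run side by side. The object name ModifyBeforeValidate, the method names and the probe string are assumptions made for this illustration; the probe is a constructed "<script>" tag with the unassigned code point U+FFFF (general category Cn) inserted in the middle.

```scala
import java.text.Normalizer
import java.util.regex.Pattern
import scala.util.Try

// Hypothetical object name, chosen for this example only.
object ModifyBeforeValidate {
  private val scriptTag = Pattern.compile("<script>")

  // Vulnerable ordering (same as on the page): the pattern check runs
  // before the string is modified, so the returned value was never checked.
  def modifyDanger(str: String): String = {
    var s = Normalizer.normalize(str, Normalizer.Form.NFKC)
    if (scriptTag.matcher(s).find()) throw new IllegalArgumentException("Invalid input")
    s = s.replaceAll("[\\p{Cn}]", "") // modification after validation
    s
  }

  // Hardened ordering: normalize and strip first, then validate exactly the
  // string that will be returned. Nothing is changed after the check.
  def modifySafe(str: String): String = {
    val s = Normalizer.normalize(str, Normalizer.Form.NFKC).replaceAll("[\\p{Cn}]", "")
    if (scriptTag.matcher(s).find()) throw new IllegalArgumentException("Invalid input")
    s
  }

  def main(args: Array[String]): Unit = {
    // Constructed probe: "<script>" with U+FFFF (category Cn) inserted.
    // It does not match the pattern until the Cn-stripping step removes
    // that code point, which is why the order of the two steps matters.
    val probe = "<scr\uFFFFipt>"
    println(s"vulnerable ordering: ${Try(modifyDanger(probe))}")
    println(s"hardened ordering:   ${Try(modifySafe(probe))}")
  }
}
```

Run with scala ModifyBeforeValidate.scala (Scala 2 or 3; only the JDK is needed). The vulnerable ordering returns a Success wrapping the fully formed "<script>" string, because the tag only came into existence after validation; the hardened ordering returns a Failure with the IllegalArgumentException, since the check sees the final value. In a code review, the thing to look for is any transformation of the string between the point where it is validated and the point where it is used.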

Configuration

This detector does not need any configuration.

References