Collapse of data into unsafe value
ID: scala.strings.scala_strings_rule_normalizeaftervalidation
Severity: low
Resource: Strings
Language: Scala
Rationale
IDS01-J. Normalize strings before validating them
The following code illustrates a vulnerable pattern detected by this rule:
import java.text.Normalizer
import java.util.regex.Pattern

def normalizeDanger(s: CharSequence): String = {
// VULNERABLE: Collapse of data into unsafe value
val pattern = Pattern.compile("[<>]") // Check for angle brackets on the raw, un-normalized input
val matcher = pattern.matcher(s)
if (matcher.find) throw new IllegalStateException
Normalizer.normalize(s, Normalizer.Form.NFKC) // normalized after validation: compatibility characters can collapse into '<' or '>' that the check never saw
}
Remediation
Normalize the input (to NFKC in the pattern above) before running the validation check, so that the check sees the same form the rest of the program will use; review the references below for detailed remediation guidance.
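The following is an added example, not part of the rule page or its tool: it places the vulnerable order of operations beside the corrected one and feeds both a constructed string containing fullwidth angle brackets (U+FF1C and U+FF1E), which NFKC maps to ASCII '<' and '>'. The object and method names are illustrative.

```scala
import java.text.Normalizer
import java.util.regex.Pattern

object NormalizeThenValidate {
  private val AngleBrackets = Pattern.compile("[<>]")

  // Vulnerable order: the check runs on the raw input, so compatibility
  // characters that only become '<' / '>' after NFKC are never rejected.
  def validateThenNormalize(s: CharSequence): String = {
    if (AngleBrackets.matcher(s).find()) throw new IllegalStateException("angle bracket")
    Normalizer.normalize(s, Normalizer.Form.NFKC)
  }

  // Corrected order: normalize first, then validate the canonical form
  // that the rest of the program will actually consume.
  def normalizeThenValidate(s: CharSequence): String = {
    val normalized = Normalizer.normalize(s, Normalizer.Form.NFKC)
    if (AngleBrackets.matcher(normalized).find()) throw new IllegalStateException("angle bracket")
    normalized
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample input: fullwidth '<' and '>' around a tag name.
    val sample = "\uFF1Cscript\uFF1E"
    // Passes the raw check, then collapses into ASCII brackets on return.
    println(validateThenNormalize(sample))
    // Rejected, because the check now sees the normalized brackets.
    println(scala.util.Try(normalizeThenValidate(sample)))
  }
}
```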
References
- OWASP Top 10 2021 - A03: Injection.