External Control of System or Configuration Setting
ID: scala.unsafe.scala_unsafe_rule_externalconfigcontrol
Severity: low
Resource: Unsafe
Language: Scala
Description
Allowing external control of system settings can disrupt service or cause an application to behave in unexpected and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name, or could connect to an unauthorized portion of the database.
Rationale
Allowing external control of system settings can disrupt service or cause an application to behave in unexpected and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name, or could connect to an unauthorized portion of the database.
The following code illustrates a vulnerable pattern detected by this rule:
```scala
import java.sql.Connection
import javax.servlet.http.HttpServletRequest

def callSetCatalog(c: Connection, req: HttpServletRequest): Unit = {
  // VULNERABLE: External Control of System or Configuration Setting
  // The catalog name is taken straight from a request parameter, so the client chooses
  // which catalog the connection switches to.
  val tainted = req.getParameter("input")
  c.setCatalog(tainted)
  c.setCatalog("safe") // ok: a constant, not attacker-controlled
  c.setCatalog("very ".concat("safe").toUpperCase) // ok: derived only from constants
}
```
Remediation
Follow secure coding practices and review the references below for detailed remediation guidance.
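A hardened counterpart to the vulnerable snippet, added here as an illustration and not part of the rule's own documentation: the request value is never handed to `setCatalog` directly but is resolved against an allowlist the application owns, and anything outside it is rejected. The object name, method names and the catalog names in the allowlist are assumptions for the example.

```scala
import java.sql.Connection
import javax.servlet.http.HttpServletRequest

object CatalogSelection {
  // Assumed for this example: the only catalogs this application is permitted to use.
  private val AllowedCatalogs: Set[String] = Set("reports", "inventory")

  // Resolve a client-supplied value to an allowlisted catalog name.
  // Returns None (reject) for null, blank, or unknown values; the string that is
  // returned is the allowlist's own entry, so nothing tainted reaches the driver.
  def resolveCatalog(requested: String): Option[String] =
    Option(requested).map(_.trim).filter(AllowedCatalogs.contains)

  // Safe version of callSetCatalog: only an allowlisted catalog is ever set,
  // and unknown requests fail loudly instead of altering connection state.
  def callSetCatalogSafely(c: Connection, req: HttpServletRequest): Unit =
    resolveCatalog(req.getParameter("input")) match {
      case Some(catalog) => c.setCatalog(catalog)
      case None          => throw new IllegalArgumentException("catalog not permitted")
    }
}
```

The same pattern applies to any `java.sql.Connection` setting taken from a request (schema, transaction isolation, read-only flag): map the external value onto a fixed set of application-chosen constants and let the rule's "ok" case, a constant argument, be the only thing the setter ever receives.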
References
- OWASP Top 10 2021 - A01: Broken Access Control.