more fixes to make qlhelp linter happy

This commit is contained in:
Alvaro Muñoz
2020-10-27 16:32:13 +01:00
parent 8974f252ac
commit aa981caea5


@@ -12,17 +12,16 @@ untrusted) bean properties flow into the custom error message.</p>
<recommendation> <recommendation>
<p>There are different approaches to remediate the issue:</p> <p>There are different approaches to remediate the issue:</p>
<ul> - Do not include validated bean properties in the custom error message.
<li>Do not include validated bean properties in the custom error message.</li> - Use parameterized messages instead of string concatenation. E.g:
<li>Use parameterized messages instead of string concatenation. E.g:</li>
``` java ``` java
HibernateConstraintValidatorContext context = constraintValidatorContext.unwrap( HibernateConstraintValidatorContext.class ); HibernateConstraintValidatorContext context = constraintValidatorContext.unwrap( HibernateConstraintValidatorContext.class );
context.addMessageParameter( "foo", "bar" ); context.addMessageParameter( "foo", "bar" );
context.buildConstraintViolationWithTemplate( "My violation message contains a parameter {foo}").addConstraintViolation(); context.buildConstraintViolationWithTemplate( "My violation message contains a parameter {foo}").addConstraintViolation();
``` ```
<li>Sanitize the validated bean properties to make sure that there are no EL expressions. An example of valid sanitization - Sanitize the validated bean properties to make sure that there are no EL expressions.
logic can be found <a href="https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17">here</a>. An example of valid sanitization logic can be found <a href="https://github.com/hibernate/hibernate-validator/blob/master/engine/src/main/java/org/hibernate/validator/internal/engine/messageinterpolation/util/InterpolationHelper.java#L17">here</a>.
- Disable the EL interpolation and only use `ParameterMessageInterpolator`:</li> - Disable the EL interpolation and only use `ParameterMessageInterpolator`:
``` java ``` java
Validator validator = Validation.byDefaultProvider() Validator validator = Validation.byDefaultProvider()
.configure() .configure()
@@ -30,9 +29,8 @@ Validator validator = Validation.byDefaultProvider()
.buildValidatorFactory() .buildValidatorFactory()
.getValidator(); .getValidator();
``` ```
<li>Replace Hibernate-Validator with Apache BVal which in its latest version does not interpolate EL expressions by default. - Replace Hibernate-Validator with Apache BVal which in its latest version does not interpolate EL expressions by default.
Note that this replacement may not be a simple drop-in replacement.</li> Note that this replacement may not be a simple drop-in replacement.
<ul>
</recommendation> </recommendation>
<example> <example>
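Review bot: the old side's `<ul>` on the line before `</recommendation>` is an opening tag where a closing `</ul>` was meant, and the new side deletes it instead of correcting it; if the `<ul>` list that opens the recommendation section is kept, this line should become `</ul>` so the XML stays balanced. Also, "in its latest version" for Apache BVal will go stale and gives the reader nothing to verify; state the minimum BVal version that stopped interpolating EL expressions by default, and write the project name as "Hibernate Validator" rather than "Hibernate-Validator" to match the project's own name and the `org.hibernate.validator` package referenced earlier in the file.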