Update java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.qhelp

Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
This commit is contained in:
Alvaro Muñoz
2020-10-27 21:10:56 +01:00
committed by GitHub
parent a9ea63b976
commit d221930c81

@@ -3,7 +3,7 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>Bean validation custom constraint error messages support different types of interpolation,
<p>Custom error messages for constraint validators support different types of interpolation,
including <a href="https://docs.jboss.org/hibernate/validator/5.1/reference/en-US/html/chapter-message-interpolation.html#section-interpolation-with-message-expressions">Java EL expressions</a>.
Controlling part of the message template being passed to <code>ConstraintValidatorContext.buildConstraintViolationWithTemplate()</code>
argument will lead to arbitrary Java code execution. Unfortunately, it is common that validated (and therefore, normally
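Review bot: the rewording of the first sentence reads well, but the sentence that follows it in this hunk is left ungrammatical: "Controlling part of the message template being passed to <code>ConstraintValidatorContext.buildConstraintViolationWithTemplate()</code> argument will lead to arbitrary Java code execution." Since the paragraph is being edited anyway, suggest tightening it to "Controlling part of the message template passed as the argument to <code>ConstraintValidatorContext.buildConstraintViolationWithTemplate()</code> can lead to arbitrary Java code execution", which also states the consequence as a possibility rather than a certainty, matching how the rest of the overview describes the risk.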