hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java
Alvaro Muñoz 671ea2f6c6 add test and stubs
2020-10-27 15:47:54 +01:00

19 lines
828 B
Java
Raw Permalink Blame History

import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
public class InsecureBeanValidation implements ConstraintValidator<Override, String> {
@Override
public boolean isValid(String object, ConstraintValidatorContext constraintContext) {
String value = object + " is invalid";
// Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`
constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation();
// Good: Using message parameters
constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation();
return true;
}
}
Reference in New Issue View Git Blame Copy Permalink