hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-13 08:51:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
3693185b6b155caa236ed873728e1cf5968275ca
codeql/java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.java
Owen Mansel-Chan 3693185b6b Second pass
2026-06-10 09:14:47 +02:00

19 lines
913 B
Java
Raw Blame History

import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
public class InsecureBeanValidation implements ConstraintValidator<Override, String> {
@Override
public boolean isValid(String object, ConstraintValidatorContext constraintContext) { // $ Source[java/insecure-bean-validation]
String value = object + " is invalid";
// Bad: Bean properties (normally user-controlled) are passed directly to `buildConstraintViolationWithTemplate`
constraintContext.buildConstraintViolationWithTemplate(value).addConstraintViolation().disableDefaultConstraintViolation(); // $ Alert[java/insecure-bean-validation]
// Good: Using message parameters
constraintContext.buildConstraintViolationWithTemplate("literal {message_parameter}").addConstraintViolation().disableDefaultConstraintViolation();
return true;
}
}
Reference in New Issue View Git Blame Copy Permalink